All Apps and Add-ons

How to integrate the GCP Chronicle app with Splunk and perform Chronicle-related activities?

splunkuser3
New Member

Hi Splunkers,

I'm trying to integrate the GCP Chronicle app with Splunk and perform Chronicle-related activities.

Please, someone help me with this.

Thanks


0 Karma

splunkuser3
New Member

Hi @richgalloway,

Thanks for your reply.

I was asked to integrate Chronicle by using the pre-built app named Chronicle and perform the tasks below.

  • test connectivity: Validate the asset configuration for connectivity using supplied configuration
  • list ioc details: Return any threat intelligence associated with the specified artifact
  • list iocs: List all of the IoCs discovered within the enterprise within the specified time
  • list assets: List all of the assets that accessed the specified artifact within the specified time
  • list events: List all of the events discovered within the enterprise on a particular device within the specified time
  • domain reputation: Derive the reputation of the specified domain artifact (The reputation can be either of 'Malicious', 'Suspicious', and 'Unknown')
  • ip reputation: Derive the reputation of the specified destination IP address artifact (The reputation can be either of 'Malicious', 'Suspicious', and 'Unknown')
  • list alerts: List all of the security alerts tracked within the enterprise on particular assets and|or users for the specified time
  • list rules: List the latest versions of the rules created in the Detection Engine within the enterprise
  • list detections: List all the detections for the specific versions of the given Rule ID(s)
  • on poll: Action handler for the on poll ingest functionality

0 Karma

richgalloway
SplunkTrust

That's a copy-paste from the app description.  What exactly are you asking us to do?

Be aware that, while apps can be very useful, you may need to do more than just install an app to integrate Splunk with another product.  Many apps, and this appears to be one of them, just display data already in your indexes.  They expect you to use an add-on or your own wits to get the data from the other product into Splunk.  I'm not aware of any add-ons that get data from Chronicle into Splunk.

That returns us to my original response.  Check the docs for Chronicle to see which of the onboarding methods is most appropriate to use.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

There are a few ways to onboard data into Splunk.

  • Install a universal forwarder on the server to send log files to Splunk
  • Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog
  • Use the server's API to extract data for indexing
  • Use Splunk DB Connect to pull data from the server's SQL database
  • Have the application send data directly to Splunk using HTTP Event Collector (HEC)

---
If this reply helps you, Karma would be appreciated.
0 Karma
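The last onboarding method in the reply above, HTTP Event Collector, is the one an integration script would typically use to push Chronicle alerts into Splunk. The following is an added example (not from the thread, not the Chronicle app's own code) showing what a HEC request body looks like and how the collector reads it back. The endpoint URL, the token, the `chronicle:alert` sourcetype and the two sample alerts are all constructed placeholders; only the HEC envelope fields (`event`, `time`, `host`, `source`, `sourcetype`, `index`), the `/services/collector/event` path and the `Authorization: Splunk <token>` header are real HEC conventions.

```python
"""Build (and optionally send) events for Splunk HTTP Event Collector (HEC).

Added example. HEC_URL, HEC_TOKEN and the sourcetype are placeholders;
the envelope layout and the Authorization header follow Splunk's HEC docs.
"""
import json
import time
import urllib.request
from typing import Iterable, List

HEC_URL = "https://splunk.example.com:8088/services/collector/event"  # placeholder host
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder; keep real tokens in a secret store


def hec_event(event, *, host=None, source=None, sourcetype=None, index=None, when=None) -> dict:
    """Wrap one event in a HEC envelope. 'event' may be a string or a JSON-serialisable dict.

    Only the metadata fields that are actually set are emitted, so the receiving
    HEC token's defaults (index, sourcetype) apply to anything left out.
    """
    envelope = {"event": event, "time": round(time.time() if when is None else when, 3)}
    for key, val in (("host", host), ("source", source), ("sourcetype", sourcetype), ("index", index)):
        if val is not None:
            envelope[key] = val
    return envelope


def hec_batch(events: Iterable[dict]) -> bytes:
    """Serialise a batch: HEC accepts several JSON objects concatenated in one request body."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events).encode("utf-8")


def parse_hec_batch(body: bytes) -> List[dict]:
    """Split a concatenated-JSON body back into envelopes, the way the collector parses it.

    Useful for checking a batch before sending it, or for unit-testing a forwarder offline.
    """
    decoder = json.JSONDecoder()
    text = body.decode("utf-8")
    pos, out = 0, []
    while pos < len(text):
        obj, end = decoder.raw_decode(text, pos)
        if "event" not in obj:
            raise ValueError("HEC envelope without an 'event' field at offset %d" % pos)
        out.append(obj)
        pos = end
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return out


def send_batch(body: bytes, url: str = HEC_URL, token: str = HEC_TOKEN, timeout: float = 10.0) -> dict:
    """POST a batch to HEC. Network call, so it is not exercised offline.

    urllib verifies the server certificate by default; do not disable that for a
    collector that receives security alerts. HEC answers {"text":"Success","code":0}
    on acceptance and a non-zero "code" (with HTTP 4xx) on a malformed request.
    """
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample alerts, shaped roughly like what a Chronicle-side script might forward.
SAMPLE_ALERTS = [
    {"rule": "example_suspicious_login", "severity": "MEDIUM", "asset": "host-01.example.internal"},
    {"rule": "example_c2_beacon", "severity": "HIGH", "asset": "host-02.example.internal"},
]


def build_sample_batch() -> bytes:
    """Return the HEC body for SAMPLE_ALERTS with a fixed timestamp (deterministic for tests)."""
    return hec_batch(
        hec_event(alert, host="chronicle-forwarder", source="chronicle", sourcetype="chronicle:alert",
                  index="security", when=1700000000)
        for alert in SAMPLE_ALERTS
    )


if __name__ == "__main__":
    body = build_sample_batch()
    for env in parse_hec_batch(body):
        print(env["sourcetype"], env["event"]["severity"], env["event"]["rule"])
    # send_batch(body)  # uncomment once HEC_URL and HEC_TOKEN point at a real collector
```

On the Splunk side the token's allowed indexes and default sourcetype are configured when the HEC input is created, so the `index` and `sourcetype` values set here must match what that token permits or the collector rejects the batch.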