Integrate Contrast Security ADR with Splunk
The Contrast Security ADR integration with Splunk enables ADR to send incident details to your SIEM (Security Information and Event Management), SOAR (Security orchestration, automation and response), and XDR (Extended Detection and Response) environments, contextualizing incidents with other threat detection and response solutions.
How it works
When configured, the Contrast Security ADR for Splunk app sends detected attack events from the Contrast Security platform to a Splunk HTTP Event Collector.
The Contrast Security ADR for Splunk app on splunkbase.com enables Splunk to:
Parse and normalize the data received over the HTTP Event Collector
Display Contrast Security ADR dashboards, reports, and searches in Splunk
(On request) Call the Contrast Security ADR REST APIs for contextual data to help investigate incidents
Provide runbooks to assist SOC Analysts in resolving AppSec-related security incidents
Before you begin
Before you start, you must have:
Splunk Enterprise 9.2. See the installation guide for information.
Splunk CIM (Common Information Model) 5.x or later
Applications instrumented with a Contrast agent
Step 1: Install the Contrast ADR app in Splunk
Install from the Marketplace
In Splunk Enterprise, select Apps and select Find more apps.
Search for Contrast Security ADR for Splunk 1.0.
Check the requirements.
Select Install.
After installation, you should see the Contrast Security ADR for Splunk app in the apps dropdown.
Install from a file
In Splunk Enterprise, select Apps and select Find more apps.
Search for Contrast Security ADR for Splunk 1.0.
Select download and save the file to a convenient location.
Select Manage.
Select Install app from file.
Select the app you downloaded.
Optionally, select Upgrade app if you previously installed the Contrast Security ADR app.
Select Upload.
After installation, you should see the Contrast Security ADR for Splunk app in the apps dropdown.
Step 2: Set up Splunk CIM
In Splunk Enterprise, select Apps and select Find more apps.
Search for Splunk Common Information Model (CIM).
Select Install.
Enter your Splunk.com email address and password.
Select the Accept and Login buttons.
After installation, you should see the app in the apps dropdown.
Step 3: Set up an HTTP Event Collector input in Splunk
In Splunk Enterprise, go to Settings > Data Input > HTTP Event Collector.
Enter a Name to help identify the token receiving data over HTTP. Remember this name.
Select the New Token button at the top of the page.
Enter the fields and select Next.
Choose Select source type and specify contrast:adr for the source type.
Select the preferred index to store the data, such as contrast. If the index does not exist, create one following these steps.
Select the Review button.
Select the Submit button.
Copy the token value on the success page. This will be needed for the integration.
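Before pointing Contrast at the collector in the next step, it is worth confirming that the HEC input accepts an event with the source type and index you just configured. The following is an added example written for this page, not code shipped by Contrast Security or Splunk. It uses the standard Splunk HEC envelope (POST to /services/collector/event with an Authorization: Splunk <token> header and a JSON body carrying time, sourcetype, index and event); the host name, token and the sample event body are constructed placeholders and do not reflect the real Contrast ADR event schema.

```python
"""Smoke-test a Splunk HTTP Event Collector (HEC) input before pointing
Contrast ADR at it.

Added example for this page; not Contrast Security's or Splunk's own code.
The endpoint path, the "Authorization: Splunk <token>" header and the
envelope fields (time, sourcetype, index, event) are standard Splunk HEC.
The sample event below is a constructed placeholder, not the Contrast ADR
schema.
"""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Optional

HEC_PATH = "/services/collector/event"
SOURCETYPE = "contrast:adr"   # source type chosen for the HEC input in Step 3
INDEX = "contrast"            # index chosen for the HEC input in Step 3

# Constructed placeholder payload; the real Contrast ADR events have their own fields.
SAMPLE_EVENT = {
    "source": "hec-smoke-test",
    "message": "Contrast ADR HEC connectivity check",
}


def build_hec_request(base_url: str, token: str, event: dict,
                      sourcetype: str = SOURCETYPE, index: str = INDEX,
                      event_time: Optional[float] = None) -> urllib.request.Request:
    """Wrap `event` in the HEC envelope and return a ready-to-send POST Request.

    Setting sourcetype and index explicitly in the body overrides the token's
    defaults, so this also verifies that the token is allowed to write to the
    index the Contrast app will search (Step 5 relies on that index).
    """
    envelope = {
        "time": event_time if event_time is not None else time.time(),
        "sourcetype": sourcetype,
        "index": index,
        "event": event,
    }
    body = json.dumps(envelope).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",
            "Content-Type": "application/json",
        },
    )


def send_hec_event(base_url: str, token: str, event: dict,
                   opener: Callable = urllib.request.urlopen) -> dict:
    """POST one event and return HEC's parsed JSON reply.

    HEC answers {"text": "Success", "code": 0} when the event was accepted.
    Rejections (bad token, unknown index, malformed body) come back as an HTTP
    error whose body is still a JSON {"text": ..., "code": ...} object, so the
    error body is parsed and returned rather than raised.
    `opener` is injectable so the request can be exercised without a network.
    """
    req = build_hec_request(base_url, token, event)
    try:
        raw = opener(req).read()
    except urllib.error.HTTPError as err:
        raw = err.read()
    return json.loads(raw.decode("utf-8"))


def hec_accepted(reply: dict) -> bool:
    """True only for HEC's success code 0; any other code means the event was dropped."""
    return reply.get("code") == 0


if __name__ == "__main__":
    # Placeholder values; substitute the HEC URL and token recorded in Step 3.
    HEC_URL = "https://splunk.example.com:8088"
    HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
    reply = send_hec_event(HEC_URL, HEC_TOKEN, SAMPLE_EVENT)
    status = "accepted" if hec_accepted(reply) else "rejected"
    print(f"HEC {status}: {reply}")
```

If the reply is anything other than code 0, fix the token or index in Splunk before continuing; Contrast will otherwise deliver attack events to a collector that silently drops them. After a successful run, the test event shows up in Splunk under sourcetype contrast:adr and can be removed from the index, or simply ignored, once real events arrive.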
Step 4: Configure Contrast Security ADR to send Attack Events to Splunk
Configure the integration in Contrast to send attack events to the Splunk app.
In Contrast, go to the user menu and select Organization settings > Integrations.
Select the Splunk option under the ADR Integrations section.
Under the Splunk fields, enter the URL and token information for the destination HTTP Event Collector as configured in Step 3. Note that the URL in the screen example is shown only for illustration purposes; refer to the official Splunk Documentation for more information.
Step 5: Set up macros to search for events
Macros are used to keep track of the index where Contrast Security ADR events are stored. The macro will be used for CIM mapping and correlation searches.
In Splunk Enterprise, go to Settings > Advanced Search.
Select Search macros.
Select Add new.
Search for the contrast_search macro.
Select the macro name to edit it.
Set the macro definition to the index you specified for the HEC input in Step 3.
Select Save. The macro now points to the index where the Contrast webhook data is stored.
To validate the macro:
In Splunk Enterprise, select Contrast Security ADR for Splunk 1.0 from the apps menu.
Select Search.
In the search box, type `contrast_search` (Splunk macros are invoked in backticks).
Set the time range input to All Time.
Select Search.
You should be able to see the Contrast ADR events once the search is complete.
Step 6: Set up CIM data models
Set up an Intrusion Detection Macro to recognize the Contrast ADR events.
In Splunk Enterprise, go to Settings > Advanced Search > Macros.
Select the Splunk Common Information Model (CIM) app.
Search for cim_Intrusion_Detection_indexes and select it to edit.
Edit the definition to eventtype=contrast_adr.
Select Save.
Step 7: Set up API details
In Splunk Enterprise, select Contrast Security ADR for Splunk 1.0 from the apps menu.
Go to the Setup > Setup Configurations page.
Specify the settings in each field:
Hostname: The host domain of your Contrast platform. For example,
https://cs001.contrastsecurity.com
Username: The username in Contrast
Organization UUID: The organization ID in Contrast
API Key: The API key in Contrast
Service Key: The service key in Contrast
Enrichment Excluded Fields: Fields to exclude from the API response
Max Retries: Maximum number of retries to attempt on connection errors
Select Submit.
View Contrast ADR data in Splunk
The Contrast ADR app for Splunk provides three dashboards where you can see Contrast data.
In Splunk, under Apps, find Contrast ADR for Splunk.
Select Dashboards.
Select a dashboard:
Attack Dashboard: This dashboard shows a summary of attacks that Contrast blocked in a specified time frame, identifies which applications were targeted, the types of attacks and when they occurred, and the most frequently targeted URIs.
Attacks by Applications: This dashboard shows the number of attacks, the different types of attacks detected and blocked, the distribution of different attack types in a specified time frame, and the top 10 most attacked URIs for the specified applications.
Attacks Geographical Distribution: This dashboard shows a geographical view of attacks that Contrast Security detected and blocked.