Integrate Contrast Security ADR with Splunk
The Contrast Security ADR integration with Splunk enables ADR to send incident details to your SIEM (Security Information and Event Management), SOAR (Security orchestration, automation and response), and XDR (Extended Detection and Response) environments, contextualizing incidents with other threat detection and response solutions.
How it works
When configured, the Contrast Security ADR for Splunk app sends detected attack events and observations from the Contrast Security platform to a Splunk HTTP Event Collector.
The Contrast Security ADR for Splunk app on splunkbase.com enables Splunk to:
Parse and normalize the data received over the HTTP Event Collector
Display Contrast Security ADR dashboards, reports, and searches in Splunk
Provide runbooks to assist SOC Analysts in resolving AppSec-related security incidents
Before you begin
Before you start, you must have:
Splunk Enterprise 9.2. See the installation guide for information.
Splunk CIM (Common Information Model) 5.x and later
Applications instrumented with a Contrast agent
Step 1: Install the Contrast ADR app in Splunk
Install from the Marketplace
In Splunk Enterprise, select Apps and select Find more apps.
Search for Contrast Security ADR for Splunk 1.0.
Check the requirements.
Select Install.
Continue to step 2.
After installation, you will see the Contrast Security ADR for Splunk app in the apps dropdown.
Install from a file
In Splunk Enterprise, select Apps and select Find more apps.
Search for Contrast Security ADR for Splunk 1.0.
Select download and save the file to a convenient location.
Select Manage.
Select Install app from file.
Select the app you downloaded.
Optionally, select Upgrade app if you previously installed the Contrast Security ADR app.
Select Upload.
Continue to step 2.
After installation, you will see the Contrast Security ADR for Splunk app in the apps dropdown.
Step 2: Set up Splunk CIM
In Splunk Enterprise, select Apps and select Find more apps.
Search for Splunk Common Information Model (CIM).
Select Install.
Enter your Splunk.com mail and password credentials.
Select the Accept and Login buttons.
Continue to step 3.
After installation, you will see the app in the apps dropdown.
Step 3: Set up an HTTP Event Collector input in Splunk
Set up an HTTP Event Collector input in Splunk for attack events
For Contrast and Northstar.
In Splunk Enterprise, go to Settings > Data Input > HTTP Event Collector.
Enter a Name to help identify the token receiving data over HTTP. Remember this name.
Select the New Token button at the top of the page.
Enter the fields and select Next.
Choose Select source type and specify contrast:adr for the source type.
Select the preferred index to store the data, like contrast. If an index does not exist, create an index following these steps.
Select the Review button.
Select the Submit button.
Copy the token value on the success page. This will be needed for the integration in step 4.
Continue to step 4.
Set up an HTTP Event Collector input in Splunk for incidents and observations
For Northstar only.
Repeat steps 1 to 4 in the Set up an HTTP Event Collector input in Splunk for attack events section above.
In step 5, specify contrast:adr:incidents for the source type.
Repeat steps 6 to 9 in the Set up an HTTP Event Collector input in Splunk for attack events section above.
Continue to step 4.
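Before moving on, it is worth confirming that each collector token accepts data and routes it to the intended source type and index, since a wrong token, a disabled token or a missing index only shows up later as an empty dashboard. The script below is an added example of that check; it is not part of this guide or of the Contrast app. The host, port, index and token values are placeholders, and the event body it sends is a constructed marker rather than a real Contrast ADR record.

```shell
#!/bin/sh
# Smoke-test the HTTP Event Collector tokens created in step 3 before pointing
# Contrast or Northstar at them. Every value below is a placeholder (assumption).
HEC_URL="${HEC_URL:-https://splunk.example.internal:8088}"    # HEC listener, default port 8088
ATTACK_TOKEN="${ATTACK_TOKEN:-REPLACE-WITH-ATTACK-EVENT-TOKEN}"
INCIDENT_TOKEN="${INCIDENT_TOKEN:-REPLACE-WITH-INCIDENT-TOKEN}"
HEC_INDEX="${HEC_INDEX:-contrast}"                             # index chosen in step 3

# Build the HEC event envelope. Only sourcetype and index matter for routing;
# the event body is a constructed marker, not a Contrast ADR record.
hec_payload() {
  sourcetype="$1"; index="$2"
  printf '{"sourcetype":"%s","index":"%s","source":"hec-smoke-test","event":{"message":"constructed test event (not a Contrast ADR record)"}}' \
    "$sourcetype" "$index"
}

# True when Splunk's JSON reply reports acceptance ("code":0 means Success).
hec_reply_ok() {
  case "$1" in
    *'"code":0'*) return 0 ;;
    *)            return 1 ;;
  esac
}

# POST one event with the given token and sourcetype; prints Splunk's reply.
hec_send() {
  token="$1"; sourcetype="$2"
  curl -sS -H "Authorization: Splunk $token" \
    -d "$(hec_payload "$sourcetype" "$HEC_INDEX")" \
    "$HEC_URL/services/collector/event"
}

# Send one event per token and report. A wrong or disabled token and an index
# the token may not write to all come back as a non-zero code in the reply.
hec_check() {
  reply="$(hec_send "$1" "$2")" || { printf 'FAIL  %s: curl error\n' "$2"; return 1; }
  if hec_reply_ok "$reply"; then
    printf 'OK    %s -> %s\n' "$2" "$reply"
  else
    printf 'FAIL  %s -> %s\n' "$2" "$reply"; return 1
  fi
}

# Only contact Splunk when real tokens have been supplied via the environment.
if [ "$ATTACK_TOKEN" != "REPLACE-WITH-ATTACK-EVENT-TOKEN" ]; then
  curl -sS "$HEC_URL/services/collector/health"; echo   # is the listener up at all?
  hec_check "$ATTACK_TOKEN" contrast:adr
  hec_check "$INCIDENT_TOKEN" contrast:adr:incidents      # Northstar only
fi
```

Run it with the real values in the environment (HEC_URL, ATTACK_TOKEN, INCIDENT_TOKEN and, if you chose a different index, HEC_INDEX). The two marker events are then searchable as source=hec-smoke-test in the index from step 3, which is also a quick way to confirm the macro in step 5. If the collector still presents Splunk's self-signed certificate, give curl the CA with --cacert rather than turning verification off.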
Step 4: Configure Contrast Security ADR
Configure with Contrast
Configure the integration in Contrast to send attack events to the Splunk app.
For Contrast, go to the user menu and select Organization settings > Integrations.
Select the Splunk option under the ADR Integrations section.
Under the Splunk fields, enter the URL and token information for the destination HTTP Event Collector as configured in setting up an Event Collector for attack events. Note that the URL in the screen example is shown only for illustration purposes; refer to the official Splunk Documentation for more information.
Select Save.
Continue to step 5.
Configure with Northstar
Configure the integration in Northstar to send observations and incidents to the Splunk app.
For Northstar, in the left navigation, select Administration > Integrations.
Select the Splunk option under the Integrations section.
Under the Splunk fields:
Enter the URL for the destination HTTP Event Collector as configured in setting up an Event Collector for attack events. Note that the URL in the screen example is shown only for illustration purposes; refer to the official Splunk Documentation for more information.
Enter the HTTP Event Collector token for attack event observations as configured in setting up an HTTP Event Collector for attack events.
Enter the HTTP Event Collector token for incidents as configured in setting up an HTTP Event Collector for incidents and observations.
Select from the modes of data to send to Splunk:
Select All Observations and incidents to send all attack event observations detected by agents, as well as incidents. This is recommended for SOC practices wanting to get deep visibility into application runtime and build their custom use cases.
Select Incidents and only incident-related observations to send incidents and associated observations to the SIEM. This is recommended for SOC practices wanting to minimize the volume of data sent to their SIEM and only receive alerts for security incidents and the related observations.
Select the Integration Enabled toggle to enable the integration. This setting allows you to temporarily disable the integration without losing your configuration.
Select Save.
Continue to step 5.
Step 5: Set up macros to search for events
Macros are used to keep track of the index where Contrast Security ADR events are stored. The macro will be used for CIM mapping and correlation searches.
In Splunk Enterprise, go to Settings > Advanced Search.
Select Search macros.
Select Add new.
Search for the contrast_search macro.
Select the macro name to edit it.
Set the index name to the index provided in the HTTP Event Collector input as configured in setting up an HTTP Event Collector for attack events.
Select Save to update the macro with the index where Contrast webhook data is stored.
To validate the macro:
In Splunk Enterprise, select Contrast Security ADR for Splunk 1.0 from the apps menu.
Select Search.
In the search box, type contrast_search.
Set the time range input to All Time.
Select Search.
You should be able to see the Contrast ADR events once the search is complete.
Continue to step 6.
Step 6: Set up CIM data models
Set up an Intrusion Detection Macro to recognize the Contrast ADR events.
In Splunk Enterprise, go to Settings > Advanced Search > Macros.
Select the Splunk Common Information Model (CIM) app.
Search for cim_Intrusion_Detection_indexes and select to edit.
Edit the definition as eventtype=contrast_adr.
Select Save.
Continue to step 7.
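Steps 5 and 6 each change one macro definition through the UI. Where there are several search heads, or where Splunk settings are kept under version control, the same two definitions can be shipped as local macros.conf overrides instead. The script below is an added example of that, not something from this guide or the Contrast app: SPLUNK_HOME and the Contrast app's directory name are placeholders, the CIM add-on directory is assumed to be Splunk_SA_CIM, and the index name is the one chosen in step 3. It also prints the step 5 validation search in the form Splunk expects, with the macro name between backticks.

```shell
#!/bin/sh
# Emit (and, when the apps are present, install) the macros.conf stanzas behind
# steps 5 and 6. Directory names and SPLUNK_HOME are assumptions; adjust them.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
CONTRAST_APP="${CONTRAST_APP:-REPLACE-WITH-CONTRAST-APP-DIR}"   # app dir under etc/apps (placeholder)
CIM_APP="${CIM_APP:-Splunk_SA_CIM}"                            # CIM add-on dir (assumed default)
HEC_INDEX="${HEC_INDEX:-contrast}"                             # index chosen in step 3

# Step 5: contrast_search must resolve to the index that receives the HEC data.
contrast_search_stanza() {
  printf '[contrast_search]\ndefinition = index=%s\n' "$1"
}

# Step 6: route the CIM Intrusion Detection data model to the Contrast eventtype.
cim_intrusion_stanza() {
  printf '[cim_Intrusion_Detection_indexes]\ndefinition = eventtype=contrast_adr\n'
}

# Step 5 validation search. In SPL a macro is invoked between backticks, and
# earliest=0 is the search-language equivalent of the All Time picker.
validation_search() {
  printf '`contrast_search` earliest=0\n'
}

# Append a stanza to <app>/local/macros.conf once. "local" overrides the app's
# own "default" copy key by key, so only the definition changes. Re-running the
# script does not duplicate a stanza that is already there.
write_stanza() {
  app="$1"; stanza="$2"
  dir="$SPLUNK_HOME/etc/apps/$app/local"
  header="$(printf '%s' "$stanza" | head -n 1)"
  mkdir -p "$dir"
  if grep -qF "$header" "$dir/macros.conf" 2>/dev/null; then
    echo "$header already present in $dir/macros.conf" >&2
    return 0
  fi
  printf '%s\n' "$stanza" >> "$dir/macros.conf"
}

# Install only when both apps exist on this host; otherwise just show the stanzas.
if [ -d "$SPLUNK_HOME/etc/apps/$CONTRAST_APP" ] && [ -d "$SPLUNK_HOME/etc/apps/$CIM_APP" ]; then
  write_stanza "$CONTRAST_APP" "$(contrast_search_stanza "$HEC_INDEX")"
  write_stanza "$CIM_APP" "$(cim_intrusion_stanza)"
  echo "Stanzas written; restart Splunk (or reload its configuration), then run: $(validation_search)"
else
  contrast_search_stanza "$HEC_INDEX"; echo
  cim_intrusion_stanza; echo
  echo "Validation search: $(validation_search)"
fi
```

File edits are not picked up until Splunk restarts or reloads its configuration, so the validation search from step 5 should be run only after that. Keeping the override in local/ rather than editing the app's default/ copy means an upgrade of either app does not silently revert the definition.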
Step 7: View Contrast ADR data in Splunk
Splunk provides three dashboards where you can see Contrast data.
In Splunk, under Apps, find Contrast ADR for Splunk.
Select Dashboards.
Select a dashboard:
Attack Dashboard: This dashboard shows a summary of attacks that Contrast blocked in a specified time frame, identifies which applications are targeted for attacks, the type of attacks and when they occurred, and the most frequently targeted URIs.
Attacks by Applications: This dashboard shows the number of attacks, the different types of attacks detected and blocked, the distribution of different attack types in a specified time frame, and the top 10 most attacked URIs for the specified applications.
Attacks Geographical Distribution: This dashboard shows a geographical view of attacks that Contrast Security detected and blocked.