The Cisco Threat Grid Add-On for Splunk leverages the Threat Grid API to enrich events within Splunk. This occurs by pulling the user's organizational submission data into Splunk making it searchable via timestamps, threat score, user associated with sample submission, and many other options.
Configuration Guide for Cisco Threat Grid Add-On for Splunk
-
Download Cisco Threat Grid Add-On for Splunk from Splunkbase here: https://splunkbase.splunk.com/app/4251/
-
Login to Splunk Enterprise
-
On the top left of the homescreen click on the "App Settings" button (the gear symbol)
-
On the App Settings page click the "Install app from file" button on the top right
-
On the Upload app page click the "Choose File" button and select the file from the pop-up
-
Click the "Upload" button
-
A restart is required to complete installation. Select "Restart Now" or "Restart Later"
-
After reboot log back into Splunk Enterprise
-
In the Apps bar on the homescreen click on the "Cisco-Threat-Grid" icon
-
On the top left of the Cisco-Threat-Grid screen click on the "Configuration" tab
-
Within the Logging tab, leave the Log level set to "INFO"
-
Click on the "Add-on" Settings tab and enter your Cisco Threat Grid API key and click "Save"
-
Configuration is now complete. Splunk will begin to populate with Cisco Threat Grid organizational information.