General - Splunk Macros

Overview

The Splunk adapter within Axonius is a powerful and flexible tool. Certain data is fetched with out of the box configurations, while additional power and flexibility are derived from leveraging Splunk macros, which grant users the ability to fetch any data from Splunk. <Insert comic book quotation about power and responsibility.>

For instance, one could use Splunk macros to fetch data from a solution which may not currently have an adapter, but is logging to Splunk. In building these macros there are a few items to take into consideration, including performance and the inherent differences between the two solutions.

How it works

Splunk macros are reusable Splunk searches which can be called within other searches. Users may create macros in Splunk by navigating to Settings > Advanced Search > Search macros.

Axonius calls these macros via the Splunk API and returns the results. To utilize Splunk macros within Axonius the output must be formatted in accordance with the CSV adapter field requirements. Once the macro is created and the output is properly formatted, you may add the macro name(s) to the appropriate comma-delimited macro list within Axonius under Advanced Settings > Splunk Configuration.

Best Practices

Since Splunk macros are merely searches, it is important to consider the performance of the search configured within the macro (your Splunk admins will thank you). As such there are a number of best practices you may follow. First, you will want to refine your search to be as specific as possible while using the default indexed fields within Splunk (index, host, and/or sourcetype). Be sure to measure the performance of your search over a 30 day period within Splunk before configuring Axonius to fetch the results of the macro.

Next, time within Splunk is stored in epoch format which we will need to convert in order to properly fetch into Axonius. We will utilize the eval and strftime functions within Splunk to perform this conversion. The date and time format expected within Axonius is "2021-04-05 10:23:21", which is denoted in Splunk with the following date and time format variables, "%Y-%m-%d %H:%M:%S".

Finally, Axonius is a Cybersecurity Asset Management platform whereas Splunk is a Security Information and Event Management (SIEM) platform. We will want to account for the differences between these two platforms by deduplicating logs entries within Splunk. We are able to achieve this while also obtaining the most recent timestamp from each host with the stats command, grouping by the host field.

Now that we have the pieces lets put it all together!

index=<index> sourcetype=<sourcetype> 
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") 
| stats latest(time) as lastseen by host

The Splunk search above will result in a table with the host and lastseen fields, which will populate Host Name and Last Seen within Axonius.

Below is an example modified slightly for Rapid7 Nexpose devices.

index="rapid7" sourcetype="rapid7:nexpose:asset" 
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") 
| stats latest(time) as lastseen by hostname

If you enjoyed this community post, please feel free to leave a comment and contact your TAM or Customer Support to assist with configuring this adapter within your environment.