Integrating Splunk Observability Cloud application security data with the Splunk platform
This article shows you how to set up the Secure Application module of Splunk Observability Cloud to send runtime vulnerability data to the Splunk platform - either Splunk Cloud Platform or Splunk Enterprise. After the data has been ingested into the Splunk platform, it can be used to find vulnerable applications, calculate risk scores, and determine exposure time.
The following image shows how security data is surfaced within APM in Splunk Observability Cloud. This context allows you to see vulnerabilities associated with specific services, alongside performance metrics.

For a broader view, the Application Security dashboard provides a centralized list of all detected vulnerabilities across environments, and includes the Cisco Security Risk Score, which helps prioritize fixes based on the likelihood of exploitation.

After integration of the Secure Application Module, you can run a number of different searches on this data in the Splunk platform.
Prerequisites
- Splunk Observability Cloud with Secure Application
- The Splunk platform
How to use Splunk software for this use case
Step 1: Configure the Splunk platform to receive HTTP Event Data
Configure the Splunk platform to collect HTTP Event Data. Depending on your deployment, follow the Collect HTTP Event Data instructions.
Step 2: Configure Secure Application Module to send data
Configure the Secure Application Module to send data to the Splunk platform. Follow the Notifications instructions to configure the sending of new vulnerabilities. Use the following configuration to set up the vulnerability notification rule:
- URL: Use the raw HEC endpoint. The URL should end in /services/collector/raw
- Bearer token: Enter Splunk <HEC TOKEN> (use the HEC token generated in step 1)
- Environment: Select All
- Service: Select All
Troubleshooting
If you are not seeing data being ingested after following the steps above:
- Review the HEC setup steps again
- If problems persist, follow the Troubleshoot HTTP Event Collector instructions
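The following script is an added example, not Splunk's code or part of the original article. It checks the two notification-rule values described in step 2 (the URL must end in /services/collector/raw and the bearer token must be entered as Splunk <HEC TOKEN>), builds the same kind of POST the notification rule sends, and, when run against a real HEC listener, turns the HEC reply into a troubleshooting hint. The host, port, token and event values are placeholders; the event is shaped like a vulnerability notification using the field names from the searches on this page.

```python
"""Added example: test a POST to the HEC raw endpoint the notification rule targets.
Not Splunk's code; host, port and token below are placeholders."""
import json
import urllib.error
import urllib.request

HEC_RAW_PATH = "/services/collector/raw"

# Meaning of the "code" field in an HEC reply, for the codes seen most often
# when a notification rule is misconfigured.
HEC_CODES = {
    0: "success",
    1: "token is disabled: enable the HEC token under Settings > Data Inputs",
    2: "token is required: the Authorization header was missing",
    3: "invalid authorization: header must read 'Splunk <HEC TOKEN>'",
    4: "invalid token: the token does not match any HEC input",
    7: "incorrect index: the token's allowed indexes do not include the target index",
}


def check_notification_settings(url, bearer):
    """Return a list of problems with the URL / Bearer token values that the
    Secure Application notification rule expects (an empty list means OK)."""
    problems = []
    if not url.endswith(HEC_RAW_PATH):
        problems.append("URL must end in " + HEC_RAW_PATH)
    if not bearer.startswith("Splunk "):
        problems.append("Bearer token must be entered as 'Splunk <HEC TOKEN>'")
    return problems


def build_hec_raw_request(base_url, hec_token, event):
    """Build (url, headers, body) for a raw-endpoint POST of one JSON event.
    base_url is the HEC listener, e.g. https://splunk.example.com:8088 (placeholder)."""
    url = base_url.rstrip("/") + HEC_RAW_PATH
    headers = {
        "Authorization": "Splunk " + hec_token,
        "Content-Type": "application/json",
    }
    body = json.dumps(event).encode("utf-8")
    return url, headers, body


def interpret_hec_response(status, text):
    """Turn an HTTP status plus the HEC JSON reply into a one-line hint."""
    try:
        code = json.loads(text).get("code")
    except (ValueError, AttributeError):
        return "HTTP %d: non-JSON reply, check that the URL points at HEC" % status
    return "HTTP %d, HEC code %s: %s" % (status, code, HEC_CODES.get(code, "see HEC docs"))


def send_test_event(base_url, hec_token, event, timeout=10):
    """POST one event and return (status, hint). Needs network access to Splunk."""
    url, headers, body = build_hec_raw_request(base_url, hec_token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, text = resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        status, text = err.code, err.read().decode("utf-8", errors="replace")
    return status, interpret_hec_response(status, text)


if __name__ == "__main__":
    # Constructed event using the field names from the searches on this page
    sample = {"id": "CVE-2023-6481", "tier": "checkout", "application": "prod",
              "kennaScore": 61, "activeInternetBreach": False}
    base, token = "https://splunk.example.com:8088", "<HEC TOKEN>"  # placeholders
    url, headers, _ = build_hec_raw_request(base, token, sample)
    print(check_notification_settings(url, headers["Authorization"]) or "settings look right")
    print(send_test_event(base, token, sample))
```

A 200 reply with HEC code 0 means the token and endpoint are correct and any remaining gap is on the Secure Application side (environment or service filters, or no new vulnerabilities since the rule was created); any other code points at the HEC setup from step 1.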
Example searches
Ensure you change the index in the searches below to match where you have stored the data.
Find all services affected by a specific CVE
To find all services affected by a certain CVE, run the following search:
index=main id=CVE-2023-6481 | stats count BY tier
Determine environments with highest risk score
Leverage the Cisco Security Risk Score to determine which environments have the highest risk score:
index=main | stats sum(kennaScore) AS combined_score BY application | sort - combined_score
Identify vulnerabilities in active internet breaches
See which vulnerabilities are being used in active internet breaches to help prioritize remediation:
index=main activeInternetBreach=true | stats values(title) AS title, values(score) AS CVSS, values(library) AS library, values(tier) AS service, values(application) AS environment BY id
This search produces a table with one row per CVE id and a column for each of the aliased fields, so you can quickly work through remediating vulnerable libraries in your environment.
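The three example searches re-implemented in Python over a constructed set of events, as an added example that is not part of the original article. Field names follow the searches (id, tier, kennaScore, application, activeInternetBreach, title, score, library); the values, including the second CVE id, are made up. Running it shows what each search actually aggregates, in particular that the risk-score search sums kennaScore once per event, so a CVE present in five services contributes five times to its environment's combined_score.

```python
"""Added example: the page's three SPL searches as Python over constructed events.
Not Splunk's code; field names match the searches, values are invented."""
from collections import defaultdict

# Constructed events; every field name is one used by the searches on this page.
SAMPLE_EVENTS = [
    {"id": "CVE-2023-6481", "title": "constructed-title-1", "score": 7.1,
     "library": "constructed-lib-1", "tier": "checkout", "application": "prod",
     "kennaScore": 61, "activeInternetBreach": False},
    {"id": "CVE-2023-6481", "title": "constructed-title-1", "score": 7.1,
     "library": "constructed-lib-1", "tier": "payment", "application": "prod",
     "kennaScore": 61, "activeInternetBreach": False},
    {"id": "CVE-2023-6481", "title": "constructed-title-1", "score": 7.1,
     "library": "constructed-lib-1", "tier": "checkout", "application": "staging",
     "kennaScore": 61, "activeInternetBreach": False},
    {"id": "CVE-0000-0001", "title": "constructed-title-2", "score": 9.8,
     "library": "constructed-lib-2", "tier": "api-gateway", "application": "prod",
     "kennaScore": 93, "activeInternetBreach": True},
    {"id": "CVE-0000-0001", "title": "constructed-title-2", "score": 9.8,
     "library": "constructed-lib-2", "tier": "checkout", "application": "prod",
     "kennaScore": 93, "activeInternetBreach": True},
]


def services_affected_by_cve(events, cve_id):
    """index=main id=<cve_id> | stats count BY tier"""
    counts = defaultdict(int)
    for e in events:
        if e.get("id") == cve_id:
            counts[e["tier"]] += 1
    return dict(counts)


def environments_by_risk(events):
    """index=main | stats sum(kennaScore) AS combined_score BY application
       | sort - combined_score"""
    totals = defaultdict(int)
    for e in events:
        totals[e["application"]] += e.get("kennaScore", 0)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# values(<field>) AS <alias> pairs from the third search, with the page's aliases
VALUES_COLUMNS = {"title": "title", "score": "CVSS", "library": "library",
                  "tier": "service", "application": "environment"}


def active_breach_table(events):
    """index=main activeInternetBreach=true | stats values(...) BY id"""
    table = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.get("activeInternetBreach") is True:  # SPL: activeInternetBreach=true
            for field, alias in VALUES_COLUMNS.items():
                table[e["id"]][alias].add(e[field])
    # values() returns each distinct value once, in lexicographic order
    return {cve: {alias: sorted(vals, key=str) for alias, vals in cols.items()}
            for cve, cols in table.items()}


if __name__ == "__main__":
    print(services_affected_by_cve(SAMPLE_EVENTS, "CVE-2023-6481"))
    print(environments_by_risk(SAMPLE_EVENTS))
    for cve, cols in active_breach_table(SAMPLE_EVENTS).items():
        print(cve, cols)
```

If you want combined_score to count each CVE once per environment rather than once per service, add a dedup step in SPL (for example dedup id application before the stats) and the equivalent set-based dedup in the Python version.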