Splunk Event Query activity

<a class="link" href="../../../product/security-operations-common/concept/sec-ops-common-functionality.html" title="Whenever any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated. This plugin loads various modules that provide functionality that is common across all Security Operations applications.">Security Operations common functionality > Security Operations Integration Reference > <a class="link" href="../../../product/security-operations-common/concept/integration-capabilities.html" title="The Integration Capabilities framework provides a consistent architecture to support interoperability with third-party integrations. This abstracted interface and data model insulates integrations from changes to the core application and ensures a consistent experience for similar types of integrations.">Integration capabilities > Security Operations Integration- Sightings Search capability > Create sightings search configuration records > <a class="link" href="../../../product/security-operations-integrations/task/secops-integration-sightings-search-workflow.html" title="Security Operations Integration - Sightings Search workflow is a high-level workflow independent of integrations. It uses the configured queries to search for a set of observables based on the configured integrations which support the capability. Use it to fulfill an integration such as Splunk or Elasticsearch.">Security Operations Integration - Sightings Search workflow >

The Splunk Event Query workflow activity searches the Splunk event logs for malicious indicators.

The Splunk Event QueryActivity activity can be used with any workflow to search the Splunk event logs.

Results Possible results for this activity are:

Table 1. Results Result Description Success Splunk Failure An error occurred while attempting to verify Splunk query. More error information is available in the activity output error.

Input variables Input variables determine the initial behavior of the activity.

Variable Description user User name for the Splunk system. password Password for the Splunk system. observables The list of observables from Trusted Security Circle or the security incident task to search for. Returned in JSON format. base_url URL of the Splunk integration endpoint. link_base_url Link to the Splunk web interface, when available. source Source of the request to run the workflow. Supported inputs are: Trusted Security Circles or security incident task. max_rows Maximum rows to return from the query. The limit depends on the third-party integration. days_to_search Days to search from the current day backwards. Default is 7. query Search syntax. $(observable) is the default.

Output variables The output variables contain data that can be used in subsequent activities.

Table 2. Output variables Variable Description output Output of the query in JSON format.

Parent Topic: Security Operations Integration - Splunk Sightings Search workflow