[Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise

  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

As a bake-off of the Threat Lab and incident response capabilities, we will also install Splunk Enterprise. It will run in the 30-day trial mode, so seek advice from your Splunk sales representative before using this installation in a production environment.

System Preparation

Prior to installing Splunk Enterprise, we need to prepare the operating system by updating it to the latest production release.

sudo apt update -y
sudo apt upgrade -y
sudo apt-get install curl apt-transport-https ca-certificates software-properties-common -y

From here we can proceed to install Splunk Enterprise on Ubuntu 18.04.

Installing Splunk Enterprise

To start with, you will need to download the .deb file from the Splunk website. The download link is available after you have registered for the Enterprise Trial.

The best way I have found to do this is from the command line using wget:

wget -O splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.3&product=splunk&filename=splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb&wget=true'

Now that we have the installation file, we can install Splunk from the .deb package and register it to start at boot:

sudo dpkg -i splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb
sudo /opt/splunk/bin/splunk enable boot-start

You will be presented with the Splunk EULA; read it and scroll to the bottom to reach the acceptance prompt. You will then be asked to provide an administrative username and password.

Splunk EULA presented after enabling boot at start
Creating the initial administrator username and password

We can now start Splunk from the CLI using the command below:

sudo systemctl start splunk

Once the service has started, Splunk Web is accessible on port 8000.

Splunk Enterprise is now accessible on port 8000
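The steps above (system preparation, download, dpkg install, boot-start, EULA and admin credential, start, port 8000) work fine typed one at a time. As an added example that is not part of the original post, the script below does the same procedure in one reproducible run and adds the checks a lab build should have: it verifies the SHA512 of the downloaded .deb before installing it, seeds the admin credential through user-seed.conf instead of the interactive prompt, and registers boot-start for a dedicated unprivileged splunk user rather than root. The SHA512 value is a placeholder you replace with the digest Splunk publishes alongside the download, the SPLUNK_ADMIN_PASSWORD and SPLUNK_DO_INSTALL environment variables are this script's own conventions, and the service unit name follows the post's systemctl start splunk.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: scripted Splunk Enterprise
# install for Ubuntu 18.04 that verifies the package before installing it,
# seeds the admin credential non-interactively and runs splunkd as an
# unprivileged "splunk" user. The SHA512 below is a placeholder.
set -eu

SPLUNK_VERSION="8.1.3"
SPLUNK_BUILD="63079c59e632"
# Assumption: export the SHA512 Splunk publishes next to the download;
# the placeholder can never match, so the install refuses to proceed.
SPLUNK_SHA512="${SPLUNK_SHA512:-PLACEHOLDER_SHA512_FROM_SPLUNK_DOWNLOAD_PAGE}"
# Assumption: the admin password comes from the environment, not the script.
SPLUNK_ADMIN_PASSWORD="${SPLUNK_ADMIN_PASSWORD:-}"

# Package file name and download URL in the same form as the wget command above.
splunk_deb_name() {
  printf 'splunk-%s-%s-linux-2.6-amd64.deb' "$1" "$2"
}
splunk_deb_url() {
  local file
  file="$(splunk_deb_name "$1" "$2")"
  printf 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=%s&product=splunk&filename=%s&wget=true' "$1" "$file"
}

# Compare a file's SHA512 with the expected digest: 0 on match, 1 otherwise.
verify_sha512() {
  local file="$1" expected="$2" actual
  if command -v sha512sum >/dev/null 2>&1; then
    actual="$(sha512sum "$file" | awk '{print $1}')"
  else
    actual="$(shasum -a 512 "$file" | awk '{print $1}')"
  fi
  [ "$actual" = "$expected" ]
}

install_splunk() {
  local deb i
  deb="$(splunk_deb_name "$SPLUNK_VERSION" "$SPLUNK_BUILD")"
  [ -n "$SPLUNK_ADMIN_PASSWORD" ] || { echo "set SPLUNK_ADMIN_PASSWORD first" >&2; return 1; }

  sudo apt-get update -y
  sudo apt-get install -y curl apt-transport-https ca-certificates software-properties-common
  wget -O "$deb" "$(splunk_deb_url "$SPLUNK_VERSION" "$SPLUNK_BUILD")"
  # Refuse to install a package whose digest does not match what Splunk published.
  verify_sha512 "$deb" "$SPLUNK_SHA512" || { echo "checksum mismatch, refusing to install $deb" >&2; return 1; }
  sudo dpkg -i "$deb"

  # Dedicated service account so splunkd does not run as root.
  id splunk >/dev/null 2>&1 || sudo useradd -r -d /opt/splunk -s /usr/sbin/nologin splunk
  sudo chown -R splunk:splunk /opt/splunk

  # user-seed.conf is consumed on first start and replaces the interactive
  # username/password prompt shown after the EULA.
  sudo -u splunk mkdir -p /opt/splunk/etc/system/local
  printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$SPLUNK_ADMIN_PASSWORD" \
    | sudo -u splunk tee /opt/splunk/etc/system/local/user-seed.conf >/dev/null
  sudo chmod 600 /opt/splunk/etc/system/local/user-seed.conf

  # Accept the EULA non-interactively and register boot-start for the splunk user.
  sudo /opt/splunk/bin/splunk enable boot-start -user splunk --accept-license --answer-yes --no-prompt
  sudo systemctl start splunk

  # Wait for Splunk Web on port 8000 before reporting success.
  for i in $(seq 1 30); do
    curl -sSf -o /dev/null http://127.0.0.1:8000/ && { echo "Splunk Web is up on port 8000"; return 0; }
    sleep 2
  done
  echo "Splunk Web did not come up on port 8000" >&2
  return 1
}

# Only run the install when explicitly requested, so the file can be sourced for its helpers.
if [ "${SPLUNK_DO_INSTALL:-0}" = "1" ]; then
  install_splunk
fi
```

Run it as `SPLUNK_SHA512=<digest> SPLUNK_ADMIN_PASSWORD=<password> SPLUNK_DO_INSTALL=1 bash install-splunk.sh`. The checksum gate matters most on a lab box that will later receive threat intelligence from MISP: the download URL is not a pinned artifact, so the digest is the only thing that ties what dpkg installs to what Splunk released.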

Configuring Splunk Enterprise

Now that Splunk Enterprise is installed, we can install the add-ons required to get the Threat Lab integrations between MISP and TheHive working.

Installing MISP42Splunk Addon

From the Apps screen, search for MISP42Splunk and then click Install.

Install MISP42Splunk Addon

Installing TheHive/Cortex Addon

Install TheHive/Cortex Addon

Once the add-on has finished installing, Splunk will need to be restarted using the dialog presented after installation.

Restart Splunk after installation of TheHive/Cortex Addon
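Both add-ons above are installed from Splunkbase through the Apps screen. As an added example that is not part of the original post, the script below performs the same installation from the CLI, but inspects the downloaded app package first: it rejects archives containing absolute or ".." paths, archives with entries outside the expected app directory, and packages that lack the app's default/app.conf, and only then hands the package to `splunk install app` and restarts the service as the post's dialog does. It assumes the package has already been downloaded from Splunkbase to a local path, that splunkd runs as a `splunk` user, and that the admin password is exported in SPLUNK_ADMIN_PASSWORD; the app directory names `misp42splunk` and `TA-thehive-cortex` in the usage comment are assumptions to be checked against the package you actually downloaded.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: install a Splunkbase add-on
# from the CLI after inspecting the package. Assumes splunkd runs as the
# "splunk" user and the admin password is exported in SPLUNK_ADMIN_PASSWORD.
set -eu

# Return 0 if the archive holds a single top-level app directory named
# $expected_app, contains that app's default/app.conf, and has no absolute
# or ".." paths; otherwise print the reason to stderr and return 1.
check_app_package() {
  local pkg="$1" expected_app="$2" entries
  entries="$(tar -tzf "$pkg")" || { echo "refusing $pkg: not a readable tar.gz" >&2; return 1; }

  # Absolute paths or ".." components could write outside etc/apps when extracted.
  if printf '%s\n' "$entries" | grep -Eq '(^/|(^|/)\.\.(/|$))'; then
    echo "refusing $pkg: unsafe path in archive" >&2
    return 1
  fi
  # Every entry must live under the expected app directory.
  if printf '%s\n' "$entries" | grep -Evq "^${expected_app}(/|$)"; then
    echo "refusing $pkg: entries outside ${expected_app}/" >&2
    return 1
  fi
  # A Splunk app package always ships default/app.conf.
  if ! printf '%s\n' "$entries" | grep -qx "${expected_app}/default/app.conf"; then
    echo "refusing $pkg: ${expected_app}/default/app.conf missing" >&2
    return 1
  fi
  return 0
}

# Install (or update) the app, then restart Splunk as the post's dialog does.
install_app() {
  local pkg="$1" app="$2"
  check_app_package "$pkg" "$app" || return 1
  sudo -u splunk /opt/splunk/bin/splunk install app "$pkg" -update 1 \
    -auth "admin:${SPLUNK_ADMIN_PASSWORD}"
  sudo systemctl restart splunk
}

# Usage (app directory names are assumptions; confirm them inside the package):
#   SPLUNK_APP_PKG=./misp42splunk.tgz SPLUNK_APP_NAME=misp42splunk bash install-app.sh
#   SPLUNK_APP_PKG=./TA-thehive-cortex.tgz SPLUNK_APP_NAME=TA-thehive-cortex bash install-app.sh
if [ -n "${SPLUNK_APP_PKG:-}" ] && [ -n "${SPLUNK_APP_NAME:-}" ]; then
  install_app "$SPLUNK_APP_PKG" "$SPLUNK_APP_NAME"
fi
```

The archive inspection is cheap and catches the two failure modes that matter for a lab that will pull external packages: a tampered or mislabelled package that does not contain the app you think it does, and an archive whose paths would land files outside the app directory when splunkd unpacks it.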
