- [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
- [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
- [Part 1] Building a Threat Integration and Testing Lab
As a bake off for the Threat Lab and Incident Response capabilities, we will also be installing Splunk Enterprise. This will be in the 30 day trial mode, so it would be advisable to seek advice from your Splunk sales representative prior to using this installation in a production environment.
Prior to installing Splunk Enterprise, we will need to prepare the Operating System so that it has been appropriately updated to the latest production release.
sudo apt update -y
sudo apt upgrade -y
sudo apt-get install curl apt-transport-https ca-certificates software-properties-common -y
With the operating system updated, we can proceed with installing Splunk Enterprise on Ubuntu 18.04.
Installing Splunk Enterprise
To start with, you will need to download the .deb file for Splunk from the Splunk website. You can get the download link from the Splunk website after you have registered for the Enterprise Trial.
The best way I have found to do this is from the command line using wget, passing the download URL from the trial page:
wget -O splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.3&product=splunk&filename=splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb&wget=true'
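Before handing the downloaded package to dpkg, it is worth confirming it matches the SHA-512 checksum that Splunk publishes alongside the download. The following is an added example, not part of the original post or anything Splunk ships: it assumes you have saved that checksum to a file, and accepts both the openssl-style layout ("SHA512(file)= hex") and the sha512sum layout ("hex  file"), since which one you end up with is an assumption here.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded Splunk .deb
# against a SHA-512 checksum file before running "dpkg -i".
#
# Usage: verify_deb_sha512 <deb-file> <checksum-file>
# Exit status: 0 = digest matches, 1 = digest mismatch,
#              2 = checksum file unusable or does not mention this .deb
verify_deb_sha512() {
    deb="$1"
    sums="$2"
    [ -r "$deb" ] && [ -r "$sums" ] || return 2

    # Only trust a line that names this exact package file, so a checksum
    # published for a different build cannot be mistaken for ours.
    lines=$(grep -F -- "$(basename "$deb")" "$sums") || return 2

    # Pull the 128-hex-digit digest out of that line, whichever layout
    # the checksum file uses (openssl "SHA512(name)= hex" or "hex  name").
    expected=$(printf '%s\n' "$lines" | grep -oE '[0-9a-fA-F]{128}' | head -n 1 | tr 'A-F' 'a-f')
    [ ${#expected} -eq 128 ] || return 2

    # Compute the local digest; fall back to shasum where coreutils is absent.
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$deb" | cut -d' ' -f1)
    else
        actual=$(shasum -a 512 "$deb" | cut -d' ' -f1)
    fi

    [ "$actual" = "$expected" ]
}
```

Run it as `verify_deb_sha512 splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb.sha512 && sudo dpkg -i ...` so the install only proceeds on a match.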
Now that we have the installation file, we can start installing Splunk using the .deb file.
sudo dpkg -i splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb
sudo /opt/splunk/bin/splunk enable boot-start
You will be presented with the Splunk EULA; read it and scroll to the bottom to reach the acceptance prompt. You will then be asked to provide an administrative username and password.
We can now start Splunk from the CLI using the below command:
sudo systemctl start splunk
Once the service has started, the Splunk web interface will be accessible on port 8000.
Configuring Splunk Enterprise
Now that Splunk Enterprise is installed, we can work on installing the add-ons required to get the Threat Lab integrations working between MISP and TheHive.
Installing MISP42Splunk Addon
From the Apps screen, search for MISP42Splunk and then click Install.
Installing TheHive/Cortex Addon
Once the add-on has finished installing, Splunk will need to be restarted using the dialog presented after installation.