[Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise

Posted on April 28, 2021 by A.McHugh
  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

As a bake-off for the Threat Lab and Incident Response capabilities, we will also be installing Splunk Enterprise. This will be in the 30-day trial mode, so it would be advisable to seek advice from your Splunk sales representative prior to using this installation in a production environment.

System Preparation

Prior to installing Splunk Enterprise, we will need to prepare the operating system so that it has been updated to the latest production packages.

sudo apt update -y
sudo apt upgrade -y
sudo apt-get install curl apt-transport-https ca-certificates software-properties-common -y

From here we can now proceed to installing Splunk Enterprise on Ubuntu 18.04.

Installing Splunk Enterprise

To start with, you will need to download the .deb file for Splunk from the Splunk website. You can get the download link from the Splunk website after you have registered for the Enterprise Trial.

The best way I have found to do this is from the command line using wget, passing the download link obtained from the Splunk website:

wget -O splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.3&product=splunk&filename=splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb&wget=true'

Now that we have the installation file, we can start installing Splunk using the .deb file.

sudo dpkg -i splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb
sudo /opt/splunk/bin/splunk enable boot-start

You will be presented with the Splunk EULA, read it and scroll to the bottom to get the acceptance prompt. From here you will also be asked to provide an administrative username and password.

Splunk EULA presented after enabling boot at start
Creating the initial administrator username and password

We can now start Splunk from the CLI using the below command:

sudo systemctl start splunk

Once the service has started, Splunk Web will be accessible on port 8000.

Splunk Enterprise is now accessible on port 8000
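The steps above (system preparation, download, package install, boot-start, service start) as one scripted procedure. This is an added example and not part of the original post or of Splunk's own tooling. It assumes three things the post does not state: the expected SHA-512 of the .deb is copied by the operator from the Splunk download page into SPLUNK_DEB_SHA512 so that a tampered or truncated download is never installed; the initial admin password comes from SPLUNK_ADMIN_PASSWORD and is seeded through user-seed.conf instead of the interactive prompt; and splunkd runs as a dedicated "splunk" system user rather than as root. The version and build identifier default to the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): scripted Splunk Enterprise
# install with a SHA-512 check on the package and a post-start port check.
# Assumptions (not in the post): SPLUNK_DEB_SHA512 holds the digest copied
# from the Splunk download page, SPLUNK_ADMIN_PASSWORD holds the initial
# admin password, and Splunk runs as a dedicated "splunk" system user.
set -eu

SPLUNK_VERSION="${SPLUNK_VERSION:-8.1.3}"
SPLUNK_BUILD="${SPLUNK_BUILD:-63079c59e632}"
SPLUNK_HOME="/opt/splunk"

# Package file name in the form used on the Splunk download page.
splunk_deb_filename() {
    printf 'splunk-%s-%s-linux-2.6-amd64.deb\n' "$1" "$2"
}

# Download URL in the DownloadActivityServlet form used in the post.
splunk_download_url() {
    printf 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=%s&product=splunk&filename=%s&wget=true\n' \
        "$1" "$(splunk_deb_filename "$1" "$2")"
}

# Compare a file's SHA-512 with the expected digest; returns 0 on match.
verify_sha512() {
    file="$1"; expected="$2"
    actual="$(sha512sum "$file" | cut -d' ' -f1)"
    [ "$actual" = "$expected" ]
}

prepare_system() {
    sudo apt update -y
    sudo apt upgrade -y
    sudo apt-get install -y curl apt-transport-https ca-certificates software-properties-common
}

# Fetch the package and refuse to continue unless its digest matches the
# value the operator took from the download page.
download_splunk() {
    deb="$(splunk_deb_filename "$SPLUNK_VERSION" "$SPLUNK_BUILD")"
    wget -O "$deb" "$(splunk_download_url "$SPLUNK_VERSION" "$SPLUNK_BUILD")"
    verify_sha512 "$deb" "${SPLUNK_DEB_SHA512:?set SPLUNK_DEB_SHA512 from the Splunk download page}" \
        || { echo "SHA-512 mismatch for $deb; not installing" >&2; exit 1; }
    echo "$deb"
}

install_splunk() {
    deb="$1"
    sudo dpkg -i "$deb"
    # Dedicated unprivileged service account so splunkd does not run as root.
    id splunk >/dev/null 2>&1 || sudo useradd --system --home "$SPLUNK_HOME" --shell /usr/sbin/nologin splunk
    # Seed the initial admin account non-interactively; Splunk consumes and
    # removes this file on first start.
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD}" \
        | sudo tee "$SPLUNK_HOME/etc/system/local/user-seed.conf" >/dev/null
    sudo chmod 600 "$SPLUNK_HOME/etc/system/local/user-seed.conf"
    sudo chown -R splunk:splunk "$SPLUNK_HOME"
    sudo "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk --accept-license --answer-yes --no-prompt
    sudo systemctl start splunk
}

# Poll until the web UI port is listening so a failed start is caught here
# rather than discovered later in the browser.
wait_for_port() {
    port="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        if ss -ltn | grep -q ":$port "; then return 0; fi
        tries=$((tries - 1)); sleep 2
    done
    echo "port $port not listening after timeout" >&2
    return 1
}

main() {
    prepare_system
    deb="$(download_splunk)"
    install_splunk "$deb"
    wait_for_port 8000
    echo "Splunk Enterprise is up on port 8000"
}

# Run the full procedure only when explicitly requested, so the functions
# above can also be sourced and checked individually.
if [ "${SPLUNK_INSTALL_RUN:-0}" = "1" ]; then
    main
fi
```

Run it as `SPLUNK_INSTALL_RUN=1 SPLUNK_DEB_SHA512=<digest from download page> SPLUNK_ADMIN_PASSWORD=<password> sh install-splunk.sh`. Keeping the digest and password in environment variables rather than in the script means the file can be kept in version control without embedding credentials, and the digest check turns a silently corrupted or substituted download into a hard failure before dpkg ever sees it.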

Configuring Splunk Enterprise

Now that we have Splunk Enterprise installed, we can work on installing the add-ons required to get the Threat Lab integrations working between MISP and TheHive.

Installing MISP42Splunk Addon

From the Apps screen, search for MISP42Splunk and then click Install.

Install MISP42Splunk Addon

Installing TheHive/Cortex Addon

Install TheHive/Cortex Addon

Once the add-on has finished installing, Splunk will need to be restarted using the dialog that is presented after installation.

Restart Splunk after installation of TheHive/Cortex Addon
