Sunday, December 31, 2006

Basic Arcsight Integration

An excellent feature of Splunk is its ability to link into a search via a Permalink. Permalinks, combined with SSL, provide a secure way to launch a Splunk search from anywhere.

Today, I will post about basic integration with Arcsight. Arcsight lets you define "Tools" that launch an application when you right-click on any event and choose the tool. In the simplest form, the tool starts a browser with a Permalink whose search is already filled in.

Because the connection uses SSL (security-minded Splunk users should already have disabled the plain HTTP port), it is acceptable to put the search terms in the Permalink's query string: the whole GET request, URL included, is encrypted between the console and the Splunk server. Bear in mind that the terms still end up in the browser history and in the Splunk web server's access log, so treat those as sensitive.

From the Arcsight menu, choose "Tools", then "Configure", then click the New button:

Fill in the boxes for your own environment:

Name: "Splunk Selected Cell"
Program: "C:\Program Files\Mozilla Firefox\firefox.exe"
Working Directory: "C:\"
Icon: "tools_custom.gif"
Program Parameters: https://yoursplunkserver/?q=$selectedCell

Click OK, then Done. That's it.

Now choose any event, select a cell (an IP or a description, for example), right-click and choose "Splunk Selected Cell" from the Tools menu, and a browser window will appear. If you are already authenticated to Splunk (Splunk Pro) in Firefox (for the above example), the search starts executing as soon as the window opens. If you are not authenticated, you will be prompted to log in, and then the search will start.

Chances are you will next want to search on an "IP pair" rather than just the selected cell.

Make these changes:

Tool Name: Splunk IP Pair
Program Parameters: https://yoursplunkserver/?q=$event[attackerAddress]%20$event[targetAddress]

Note the %20 between the fields. It is needed between every field you add: it is the URL encoding of the space that separates the search terms. If the field you choose contains spaces itself, they are escaped automatically. Other characters that have a special meaning in a URL query string, such as &, # and +, must be percent-encoded too if they can appear in the cell value; otherwise the search will be truncated or split at that character.
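The two tools above both amount to the same operation: take one or more event fields, percent-encode each one, join them with %20 and append them to the Permalink. The script below is an added example (not from the original post, Splunk or Arcsight) that does exactly that as a small launcher: the Arcsight "Program" field would point at the Python interpreter with this script and the event fields as parameters, instead of at firefox.exe directly. The server name yoursplunkserver, the script name splunk_launch.py and the sample cell values are assumptions. It also refuses anything but an https base URL, since the point of putting search terms in the URL only holds when the request is encrypted.

```python
"""Build a Splunk Permalink search URL from ArcSight event fields.

Added example, not code from the original post or from Splunk/ArcSight.
Assumed: the server name "yoursplunkserver" (placeholder from the post),
and that ArcSight passes the event fields to this script as command-line
parameters, e.g.  splunk_launch.py $event[attackerAddress] $event[targetAddress]
"""
from __future__ import annotations

import sys
import webbrowser
from urllib.parse import quote, urlsplit


def build_permalink(base_url: str, terms: list[str]) -> str:
    """Return <base_url>/?q=<terms joined by %20>, each term percent-encoded.

    Raises ValueError for a non-https base URL: the search terms travel in
    the URL, so they must only ever be sent over an encrypted connection.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(
            f"refusing to send search terms over {parts.scheme or 'no'} scheme: {base_url!r}"
        )

    # Drop empty cells (an event may not carry every field).
    cleaned = [t.strip() for t in terms if t and t.strip()]
    if not cleaned:
        raise ValueError("no search terms supplied")

    # safe="" so that '&', '#', '=', '+' and ':' inside a cell value are
    # encoded as well as spaces; an unencoded '&' in a description cell
    # would otherwise be read as a second query parameter and cut the
    # search short.  %20 between terms is the space the post describes.
    encoded = "%20".join(quote(t, safe="") for t in cleaned)
    return f"{parts.scheme}://{parts.netloc}/?q={encoded}"


def main(argv: list[str]) -> int:
    """Launch the default browser on the Permalink built from argv[1:]."""
    if len(argv) < 2:
        print("usage: splunk_launch.py <term> [<term> ...]", file=sys.stderr)
        return 2
    url = build_permalink("https://yoursplunkserver", argv[1:])
    webbrowser.open(url)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this in place the "Splunk IP Pair" tool becomes Program: python.exe, Program Parameters: splunk_launch.py $event[attackerAddress] $event[targetAddress], and no %20 has to be typed by hand. A description cell containing spaces arrives as several arguments if Arcsight does not quote it; each word then becomes its own search term, which gives the same space-separated search as the Permalink in the post.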
