At the Splunk.conf in Las Vegas, Splunk and CloudPassage jointly demonstrated the CloudPassage App for Splunk Enterprise. It was the culmination of our efforts to provide common Splunk and CloudPassage users with an app that they could use to instantly start analyzing and correlating Halo event data in Splunk Enterprise.
Splunk Enterprise is a SIEM tool that consumes, indexes and correlates data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations. Splunk Apps enhance Splunk Enterprise in different ways, enabling users to extend Splunk’s core functionality into solving their specific log analysis pain points.
CloudPassage’s Halo platform records over eighty different types of security events about your Halo-managed infrastructure, whether you deploy into public cloud environments or your private data center. These events deliver information about your infrastructure and include critical security alerts for firewall changes, access changes, File Integrity Monitoring (FIM) changes, and other activity as recorded in your Halo Portal account.
As an example of what Splunk Enterprise can do with Halo events, let’s say we have a certain number of failed logins within a certain time frame on a cloud instance, and Halo’s FIM module catches several configuration file changes on the same instance within the same period. Both of these events on their own might be serious — but the two combined make this a much more critical issue that should definitely be reviewed. Splunk’s ability to correlate different Halo-generated events can provide the user with more actionable information about potential security issues.
The first release of the CloudPassage App for Splunk Enterprise consists of:
Dashboards: Multiple dashboards that chart Halo event data and allow users to view security violations in their Halo-managed infrastructure.
The Modular Input script: This is a Python script that is designed to execute repeatedly, keeping Splunk up-to-date with Halo events as time passes and new events occur. This script retrieves event data from a CloudPassage Halo account and streams it to Splunk Enterprise for indexing