Documentation
Start typing to search…

Splunk

Access Levels: Advanced | Enterprise

Use the Censys Attack Surface Management (ASM) for Splunk integration to visualize logbook API and risks API data on a customizable dashboard and quickly discover changes in your attack surface.

Censys also provides reports based on ASM data, which can be used for alerting and creating dashboards in Splunk. Workflow actions provide a seamless transition between Splunk Search and Censys ASM.

To use Splunk with Censys ASM, you must install both the Censys Add-on for Splunk and the Splunk for Censys Attack Surface Management app.

Prerequisites

You will need:

  • Your Censys ASM platform API key
    • To find your API key, log in to Censys ASM and click Integrations at the top of the page.
  • An active Splunk account

Install the Splunk Add-On

  1. In Splunk, click Find More Apps in the left sidebar.

  2. Type Censys into the search bar, locate the Censys Add-on for Splunk and click Install.

  3. Re-enter your login credentials to confirm.

📘

Note

It is also possible to download and install the Censys Add-on for Splunk directly from Splunkbase.

Configure the Splunk Add-on

📘

Note

If you are using the same Censys workspace for multiple Splunk destinations, you only need to configure one Add-on.

  1. Click Configuration at the top of the page.

  2. Click the Accounts tab. On the right side, click Add.

  3. Enter an Account Name and paste your Censys ASM platform API key.

    1. We recommend using the name of your ASM workspace for your account name.

  4. Click Add.

  5. Return to the Configuration page and click the Inputs tab.

  6. Click Create New Input. Configure the following fields:

    1. Input Name: Enter a name for the logbook input.

    2. Interval: Enter an interval, in seconds, for how frequently data will be fetched from Censys ASM.

    3. Index: Enter the index where the data is stored.

    4. Account: Indicate which Censys account to use.

  7. Click Add.

Install Splunk for Censys ASM

  1. In Splunk, click Find More Apps in the left sidebar.

  2. Type Censys into the search bar and locate Censys ASM for Splunk. Click Install.

  3. Re-enter your login credentials to confirm.

📘

Note

It is also possible to download and install the Censys ASM for Splunk directly from Splunkbase.

Use reports to create alerts and dashboards

To create an alert or dashboard based on a report:

  1. In Splunk, click the Reports tab at the top of the page.

  2. Click Open in Search next to the report you want to use:

  3. You can optionally modify the query. When you are done, click Save As, and select one of the options in the dropdown to create an alert, add it to an existing dashboard, or create a new dashboard.

    1. If you select Alert, you will be prompted to configure additional settings.

Dashboards

View the dashboards

Click the Dashboards tab at the top of the page. When you first access this page, you will see a pre-built default dashboard. Click on a card to view the query providing its data.

Set a default dashboard

  1. In a dashboard, click ... in the upper right corner.
  2. Click Set as Home Dashboard from the dropdown. This dashboard will now appear by default when you log in to Splunk.

View more information about events in the dashboard

To view more information about an event, click ... next to the asset you want to view, then click Domain, Host, Storage Asset, or Certificate in Censys ASM.

Keep the dashboard up-to-date

To keep the Attack Surface Management Risks dashboard up to date, enable scheduled runs of the following saved searches:

  • Generate risk instances lookup
  • Generate risk types lookup
  • Hosts with most risks lookup
  • Hosts with most risks with severities
  • Hosts with most risks with types
  • Web entities with most risks lookup
  • Web entities with most risks with severities
  • Web entities with most risks with types

If you opt not to schedule the runs, you must manually run these searches each time you want to pull in the most current data while viewing the dashboard.

Enable scheduled runs

  1. In Splunk, click Settings > Searches, reports, and alerts.
  2. At the top of the page, set the Owner filter to All to ensure all searches are visible.
  3. For each of the five saved searches listed above, follow these steps to edit the schedules:

    1. Locate the search you wish to modify.

    2. Click Edit > Edit Schedule.

      1. The "Edit Schedule" modal will appear.

    3. Check the box next to Schedule Report.

    4. Optionally, adjust the frequency of the schedule. By default, the report runs every hour.

    5. Click Save.

      1. The searches will automatically run based on the schedule you set.
      2. Optionally, in the list of searches, click Run next to each search to update the dashboard immediately rather than waiting for the next scheduled run.

View details of searches and matching events

Click on a card to view the Splunk Search query and associated events.

On the Search page, you will see the query used to obtain the card results and a list of events organized by the specified time range.

Install and enable Splunk Event Generator (Eventgen)

Splunk Event Generator (Eventgen) is a utility that allows users to generate configurable events to simulate real-time data for testing.

Censys provides a sample eventgen.conf file, along with sample events, to get you started. These are imported automatically by the app, and you can view eventgen.con In GitHub.

  1. In Splunk, click +Find More Apps in the left sidebar.

  2. Use the search bar to locate the Eventgen app.

  3. On the Eventgen app card, click Install.

  4. Click Settings > Data inputs, then click Eventgen.

  5. Locate the row that includes the source type dmodinput_eventgen. Under its status column, click Enable.

Create an index for sample events

You can create a new index for your sample events through the Splunk Web UI or the Splunk Enterprise command line.

Option 1: Create an index from the Splunk UI

  1. In Splunk, click Settings > Indexes.
  2. On the Indexes page, click New Index.

    1. For Index Name, enter demo.

    2. For App, select SA-Eventgen from the dropdown menu.

  3. Click Save.

Option 2: Create an index from Splunk Enterprise Command Line

From the terminal (Mac or Linux), navigate to $SPLUNK_HOME/bin and enter the following command:

./splunk add index demo

You may be prompted to enter your Splunk username and password.

📘

Note:

To use a name other than demo for your index, modify the eventgen.conf file.

View sample Splunk events

  1. Go to the Censys ASM web console and click Search.
  2. Enter the search query index=demo to see all sample events.

Updated 18 days ago