Skip to content

Output to Splunk Stream (DSP)

tccontre edited this page Nov 23, 2021 · 28 revisions

The attack_range can be configured in order to forward any events indexed by the Splunk search head to a Splunk DSP set's of nodes.

Requirements

Configure

To configure DSP in the attack range follow these steps:

  1. edit attack_range.conf dsp_install parameters, to install_dsp = 1 to enable DSP
  2. edit attack_range.conf dsp_node parameters, to dsp_node = <ip_of_node1>,<ip_of_node2>,<ip_of_nodex> add nodes to forward data to.
  3. edit attack_range.conf dsp_client_cert_path parameters, and include the path and file name relative to the attac_range folder of the certificate generated from these instructions. For example dsp_client_cert_path = dsp-client-cert.pem when the file is under attack_range/dsp-client-cert.pem

example configuration section:

[dsp]
install_dsp = 1
# specify whether enable DSP output in Splunk or not

dsp_client_cert_path = attack_range-keys.pem
# specify the certificate path for the DSP client. A certificate must be generated using the following instructions:
# https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Configure_your_forwarder_to_use_the_client_certificate
# specifically the path to the generated my_forwarder-keys.pem

dsp_node = 54.202.x.x,54.186.x.x
# specify a comma delimited list of DSP nodes to forward data to.
# Please verify that your attack_range network can connect to port 30001

Then just build an attack_range.

How does it work

To get data to DSP, we simply place an outputs.conf file on the Splunk server configured to send data to the DSP nodes. Here is an example once deployed:

/opt/splunk/etc/apps/dsp_outputs_app$ cat local/outputs.conf
[tcpout]
defaultGroup=dsp


[tcpout:dsp]
server=54.201.x.x:9997,54.202.x.x:9997,
clientCert=/opt/splunk/etc/apps/dsp_outputs_app/client.pem
sslVerifyServerCert=false
useACK=true
indexAndForward = true

Step by Step Attack Range -> DSP Configuration

1. Download scloud Application

This application is needed to configure BA/DSP settings and to forward the generated certificate later. scloudreleased can be downloaded here: https://github.com/splunk/splunk-cloud-sdk-go

2. Generate your Certificate and upload it using scloud.

As mentioned in requirements you need to generate forwarder client key pair certificate (example: my_forwarder-keys.pem) that will be forwarded in DSP and will be part of attack_range.conf.

Find more information on how to generate a forwarder client cert and forward it in DSP here: https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Generate_a_client_certificate_for_the_DSP_Forwarders_service

3. Configure BA console settings using scloud.

In your splunk BA account, you need to follow the series of scloud commands to configure your BA with your token.

Below is the scloud configuration commands:

scloud config reset
scloud config set --key host-url --value https://research.api.staging.scs.splunk.com
scloud config set --key tenant --value research
scloud config set --key username --value splunk-email@splunk.com
scloud context set --tenant research --key access_token --value {Access Token}
scloud identity validate-token --tenant {tenant name}

notes:

  • splunk-email@splunk.com is your BA email user account
  • {Access Token} is your access token that can also be seen in settings menu of the BA console.
  • {tenant name} is the tenant where your account is registered.

4 Follow Attack Range Configuration mentioned earlier. attack_range.conf configuration

5. Test if there is a telemetry coming from your attack range machine going to BA.

  • The simple way to check this is by looking for the host name of the machine in your attack range that should be connected in BA example “win-dc-970”.
  • Create or clone a pipeline for your testing. If you decided to create a pipeline choose “Data Stream Firehose”
  • Then start to preview the created pipeline. If you saw the host machine name of your attack range, it means your attack range is successfully connected or sending a telemetry event to BA now.