Integrating Gigamon Technologies with Splunk® Enterprise

Deployment Guide: Gigamon and Splunk

COPYRIGHT

Copyright © 2017 Gigamon. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without Gigamon’s written permission.

TRADEMARK ATTRIBUTIONS

Copyright © 2017 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners.


Table of Contents

Overview
Audience
Gigamon IPFIX Metadata Application for Splunk
  Requirements
  Operational Flow
  Installing the Gigamon IPFIX Metadata Application for Splunk
  Configure the Gigamon IPFIX Metadata Application for Splunk
  Extending Splunk Stream to include Gigamon elements
  Configure Splunk Stream to collect Gigamon metadata
  Setup the Gigamon IPFIX Metadata Application for Splunk
Gigamon Adaptive Response Application for Splunk®
  Adaptive Response Alert Actions
  Action Fields
  Key Benefits
  Requirements
  Operational Flow
  Download and Install the Gigamon Adaptive Response Application for Splunk
  Configuring the Gigamon Adaptive Response Application for Splunk
  Binding Gigamon Adaptive Response actions to Splunk ES
Wire Data: Splunk Stream
  Installation and Configuration
IT Operations Management: Gigamon Visibility App for Splunk
  Key Benefits
  Operational Ease of Use
  Reduced Mean Time to Resolution (MTTR)
  Requirements
  Installing the Gigamon Visibility App for Splunk
  Configuring the Gigamon Visibility App for Splunk
Summary

Overview

This document describes the various ways to integrate Gigamon’s GigaSECURE® Security Delivery Platform with Splunk® Enterprise. Depending on the information you want to index within the Splunk platform and the functionality you want to enable, there are a number of integration approaches you may wish to adopt. This document describes the options and how to deploy each one.

Today’s Security Operations Center (SOC) depends heavily on the ability to collect, correlate and analyze network events to quickly identify and respond to security threats – but getting access to the right traffic data from across the network, and without overloading the system, can be a challenge.

Splunk Enterprise Security is a Security Information and Event Management (SIEM) solution that provides insight into machine data generated from a wide variety of sources. Of course, to fully utilize the power of this platform, users need to be able to help ensure that the right data from across their network is available – and can be easily indexed within the Splunk platform. This is where the GigaSECURE® Security Delivery Platform and Gigamon integrated applications for the Splunk solution come in.

▪ Integrate metadata generated by the GigaSECURE Security Delivery Platform using the Gigamon IPFIX Metadata Application for Splunk

▪ Automate threat hunting and remediation tasks across Splunk Enterprise Security, the Gigamon platform and other supported third-party security tools by leveraging the Splunk Adaptive Response framework with the Gigamon Adaptive Response Application for Splunk

▪ Integrate aggregated wire data delivered from the GigaSECURE Security Delivery Platform using Splunk Stream

▪ Integrate the workflow for IT Operations Management personnel using the Gigamon Visibility Application for Splunk.

Figure 1: Methods of integrating Gigamon GigaSECURE Security Delivery Platform with Splunk Enterprise

Audience

This guide is intended for users who have a basic understanding of Splunk. It assumes familiarity with Splunk administration and the installation of additional Splunk components, and that you have the administrative permissions needed to restart services and edit configuration files.

This deployment guide covers installation and configuration of a single-instance deployment, where one Splunk Enterprise instance serves as both the search head and indexer running on Linux-based servers.

Gigamon IPFIX Metadata Application for Splunk

Metadata is data that provides information about other data. In a security context, this is especially useful because security appliances are looking for the “needle in the haystack”; that is, to identify the one single sequence of threat packets or flows from the entire mass of network flows.

A key benefit of metadata is minimizing the amount of data that has to be searched through which, in turn, reduces the time to detect suspicious threats and anomalous behavior. The GigaSECURE Security Delivery Platform is the ideal platform for generating this metadata because it taps the network and extracts the relevant information at high speeds with high fidelity. In doing so, there is no impact to the users, devices, applications, or network appliances. The generated metadata is packaged in IPFIX format and exported to the Splunk platform for further analysis.

The Gigamon IPFIX Metadata Application for Splunk utilizes Splunk Stream™ [1], a wire data collection and analytics solution from Splunk. Splunk Stream passively captures packets, dynamically detects applications, parses the protocols, and sends metadata back to the Indexer. Gigamon leverages Splunk Stream as a protocol parser.

Requirements

There are a few prerequisites in order to have the Gigamon IPFIX Metadata Application for Splunk installed and configured. These are:

▪ Splunk Enterprise version 6.5.x, 6.6.x, or 7.0.x

▪ Splunk Stream versions 7.0.1, 7.1.0, or 7.1.1. You should install Splunk Stream before you start installing and configuring the Gigamon IPFIX app.

NOTE: The network card interface (NIC) associated with the IPFIX metadata collection should not be in promiscuous mode. Splunk Stream is being used as a protocol decoder in this configuration only.

▪ CIM version 4.8

▪ The Gigamon IPFIX Metadata Application for Splunk version 1.1.0 or newer

▪ Gigamon visibility node (such as the GigaVUE-HC1, HC2 or HC3) with a GigaSMART module and NetFlow license. Follow the instructions found in the GigaVUE-OS CLI User’s Guide to configure the visibility node to export metadata. Search the guide for “NetFlow Generation” to find the right section. Metadata generation and export can also be configured from GigaVUE-FM, the management and orchestration interface. You can read more in the GigaVUE-FM User’s Guide.

[1] https://splunkbase.splunk.com/app/1809/

Operational Flow

The operational flow of the Gigamon IPFIX Metadata Application for Splunk is as follows (Figure 2):

1. Traffic arrives at a Gigamon visibility node.

2. The visibility node is configured to consume the traffic and generate metadata. This configuration includes records for the traffic of interest (DNS, SSL, HTTP, etc.). The visibility node is a NetFlow/metadata exporter.

3. The Splunk Enterprise instance running the Gigamon IPFIX Metadata Application for Splunk is set up as a collector; this requires its IP address and the UDP port to which the metadata will be sent.

4. The metadata, in IPFIX format, is sent to the Splunk server, where it is extracted by rules in Splunk Stream.

5. The extracted data is then indexed according to the requirements set by the customer.

6. The indexed data is presented either in the Search app or in the Gigamon IPFIX Metadata Application for Splunk, using either the prebuilt dashboards or custom dashboards created by the customer.

Figure 2: the Gigamon IPFIX Metadata Application for Splunk operational flow

Installing the Gigamon IPFIX Metadata Application for Splunk

Prior to installing the Gigamon IPFIX app, you should verify that Splunk Stream is installed. If it is not, follow the directions described in the Wire Data: Splunk Stream chapter below.

The installation steps below apply only to a single server deployment. For distributed deployments, please consult the README.md file included with this application.

To install the Gigamon IPFIX Metadata Application for Splunk, follow these steps:

1. Log in to the Splunk server. You should be on the main page, as shown in Figure 3.

Figure 3: Splunk Enterprise main landing page

2. Verify Splunk Stream’s version by clicking on the gear icon to the right of the Apps label.

a. The Apps information page opens, as shown in Figure 4.

b. The version should be 7.0.1, 7.1.0 or 7.1.1.

Figure 4: verifying Splunk Stream's software version

c. If it isn’t one of the supported versions, work with your Splunk administrators to update the instance to a supported version.

3. Back on the main page, click the large + to add an application. If you can’t see it, scroll down the page. See Figure 5.


Figure 5: Adding a new Splunk application

d. The “Browse More Apps” page is displayed.

e. Search for “Gigamon” in the upper left search bar. You should see three applications.

f. Select the Gigamon IPFIX Metadata Application for Splunk (as shown in Figure 6) by clicking the Install button.

Figure 6: Adding the Gigamon IPFIX Metadata Application for Splunk, found on Splunk Base

g. A login splash screen will ask for your Splunk login credentials to install the app.

h. Enter your credentials and accept the terms by checking the box at the bottom.

i. Once installed, you will need to restart the Splunk service, as in Figure 7.

Figure 7: Restart Splunk services

4. Once the service has restarted, you will need to log back in.

a. Verify that the Gigamon IPFIX Metadata Application for Splunk is installed.

b. You should see a screen similar to the one shown in Figure 8.


Figure 8: the Gigamon IPFIX Metadata Application for Splunk is installed and visible


Configure the Gigamon IPFIX Metadata Application for Splunk

Now that the Gigamon IPFIX Metadata Application for Splunk is installed, we need to configure it as well as Splunk Stream. We first start by extending Splunk Stream to listen on the appropriate IP address and UDP port and by adding the Gigamon-specific metadata elements to its configuration files. To achieve that, you will modify several files. The Gigamon and Splunk Stream integration requires precise adherence to the instructions; failure to follow them may cause Splunk Stream to not collect the Gigamon IPFIX data appropriately.

Extending Splunk Stream to include Gigamon elements

The Gigamon and Splunk Stream Integration is an advanced configuration technique, designed to extend the protocol decoding abilities of Splunk Stream. As this feature relies on Splunk Stream, Splunk Stream is a requirement and must be installed on your Splunk server(s). Please see the instructions on how to install it under the section titled Wire Data: Splunk Stream.

In this section, you will copy or modify several files to extend the base installation of Splunk Stream. These files reside in either the splunk_app_stream or Splunk_TA_stream directories. Some files are found in only one location while others might be found in both. One file is streamfwd.conf. This file (found at Splunk_TA_stream/local/) lets you specify system-level data capture parameters for the streamfwd binary. The other file is netflow (found at splunk_app_stream/default/streams). This file defines the different NetFlow (and metadata) elements Splunk Stream can parse.

Note that these files belong to Splunk Stream. If your organization is already using Splunk Stream to collect and analyze stream-based (wire) data, these files have most likely been modified from their original version, and you should take precautions before you modify or overwrite them.

The base location of the Gigamon-specific configuration files is $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library.

$SPLUNK_HOME refers to the install location of Splunk (typically /opt/splunk).

1. Open a console or SSH session to the Splunk server.

2. Change directory to $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library.

3. Using a text editor (vim, emacs, etc.), open the file named gigamon_streamfwd.conf.

a. In the top-most section, titled [streamfwd], modify the first two lines to include your server’s IP address and port. This is the IP address of the NIC receiving the Gigamon metadata.

b. netflowReceiver.0.ip = @@IP. Replace @@IP with the IP address on which your Splunk server listens for incoming data.

c. netflowReceiver.0.port = @@PORT. Replace @@PORT with the UDP port on which Gigamon will transport metadata to this server. Typically, IPFIX is transported on UDP 2055.

d. Save the file.

4. Copy the file gigamon_streamfwd.conf as streamfwd.conf to two locations:

a. $SPLUNK_HOME/etc/apps/splunk_app_stream/local/streamfwd.conf

b. $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf

5. While still in $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library, copy the Splunk Stream version-specific vocabulary file to two destination directories as gigamon.xml. The files are:

▪ For Splunk Stream 7.0.1: gigamon_vocabulary_7.0.1.xml

▪ For Splunk Stream 7.1.0: gigamon_vocabulary_7.1.0.xml

▪ For Splunk Stream 7.1.1: gigamon_vocabulary_7.1.1.xml

Copy the appropriate file to the directories below:

a. $SPLUNK_HOME/etc/apps/splunk_app_stream/default/vocabularies/gigamon.xml

b. $SPLUNK_HOME/etc/apps/Splunk_TA_stream/default/vocabularies/gigamon.xml
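Steps 3 and 4 above can be scripted so that the placeholders are validated and never left behind in a live configuration. The following is an added example written for this guide, not Gigamon's or Splunk's code. It assumes only the two netflowReceiver.0.* keys quoted in step 3 (the constructed template omits the rest of gigamon_streamfwd.conf) and writes the rendered file to the two step 4 destinations, keeping a backup of any streamfwd.conf already present, which matters when Splunk Stream was already in use before this integration. The vocabulary copy from step 5 is not covered.

```python
"""Render gigamon_streamfwd.conf and place it as streamfwd.conf (example, not Gigamon's code)."""
import ipaddress
from pathlib import Path

# Constructed stand-in for the [streamfwd] section of gigamon_streamfwd.conf.
# Only the two lines the guide asks you to edit are shown; other settings are omitted.
TEMPLATE = (
    "[streamfwd]\n"
    "netflowReceiver.0.ip = @@IP\n"
    "netflowReceiver.0.port = @@PORT\n"
)

# Destinations from step 4 of the guide, relative to $SPLUNK_HOME.
DESTINATIONS = (
    "etc/apps/splunk_app_stream/local/streamfwd.conf",
    "etc/apps/Splunk_TA_stream/local/streamfwd.conf",
)


def render_streamfwd(template: str, ip: str, port: int) -> str:
    """Substitute @@IP/@@PORT after validating them; refuse to leave a placeholder behind."""
    # The collector address must be a concrete unicast address of the receiving NIC.
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage such as "10.1.2"
    if addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"{ip} is not a usable listener address")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    rendered = template.replace("@@IP", str(addr)).replace("@@PORT", str(port))
    if "@@" in rendered:
        raise ValueError("an unreplaced placeholder remains in streamfwd.conf")
    return rendered


def install_streamfwd(rendered: str, splunk_home: str) -> list:
    """Write the rendered file to both Stream locations, keeping a .bak of any existing copy."""
    written = []
    for rel in DESTINATIONS:
        dest = Path(splunk_home) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        if dest.exists():
            # Never clobber a site-modified Stream config without a backup.
            dest.replace(dest.with_name(dest.name + ".bak"))
        dest.write_text(rendered)
        written.append(dest)
    return written


if __name__ == "__main__":
    import sys
    import tempfile

    listener_ip = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.5"  # constructed default
    conf = render_streamfwd(TEMPLATE, listener_ip, 2055)
    print(conf)
    # Dry run into a temporary directory so nothing under a real $SPLUNK_HOME is touched.
    with tempfile.TemporaryDirectory() as tmp:
        for written in install_streamfwd(conf, tmp):
            print("wrote", written.relative_to(tmp))
```

To apply it for real, call install_streamfwd() with your actual $SPLUNK_HOME (typically /opt/splunk) instead of the temporary directory, and restart Splunk afterwards as the guide describes.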

6. If you installed and configured Splunk Stream specifically for the consumption and analysis of Gigamon metadata elements, follow the instructions in this step. If you already have Splunk Stream installed and configured to ingest and process other types of wire data, follow the instructions in step 7 instead.

a. Back up the file netflow, located at $SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams, as netflow.bak by moving it: mv netflow netflow.bak

b. Go back to $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library and replace the original netflow file with gigamon_stream.json by issuing the following command: cp gigamon_stream.json $SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams/netflow

7. If you already have Splunk Stream installed and configured to ingest and process other types of wire data, follow the instructions in this step carefully. Here you will edit the existing Splunk Stream elements file ($SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams/netflow) and add to it all the Gigamon custom stream decoder elements. This step is extremely sensitive, so you should check your work before committing the changes. It is recommended that you back up the original file before you edit it with a text editor, so that you can visually inspect the changes. While still in $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library, open the file gigamon_stream.json.

a. Look for the first Gigamon element definition. You can find it on line 920, as shown in Figure 9.

Figure 9: the 1st Gigamon stream element as defined in the gigamon_stream.json file

b. Each element section starts with a left curly bracket ({) and ends with a right curly bracket followed by a comma (},).


c. Copy all the Gigamon elements from line 919 to the end of the file at line 1345, leaving out the last section (starting with the right square bracket and comma (],)). See Figure 10 below.

Figure 10: the last Gigamon stream element (line 1339) as defined in the gigamon_stream.json file

d. Change directory to $SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams.

e. Open the file named netflow and scroll down to the end of the file. You will see a section starting with a right square bracket and comma (],), as seen in Figure 11.

Figure 11: the netflow configuration file in Splunk Stream

f. Add a comma after the last right curly bracket (}, line 952 in Figure 11 above), before the right square bracket and comma (],), and paste the lines copied in step c above.
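The bracket-and-comma editing in step 7 is exactly the kind of manual JSON surgery that leaves a Stream configuration unparseable. The following added example (not part of this guide, and not Gigamon's or Splunk's code) merges the two files programmatically instead: it parses both, appends only the Gigamon elements whose names are not already in the netflow file, keeps a netflow.bak backup, and re-parses the result before writing it. It assumes that the element array sits under a top-level key named fields and that each element carries a name key; both are parameters you can change to match the real files, and the element names in the constructed samples are made up. Applied to a stock netflow file it also covers the step 6 case, since that file simply gains every Gigamon element.

```python
"""Merge Gigamon stream elements into Splunk Stream's netflow file (example, not Gigamon's code)."""
import json
import shutil
from pathlib import Path

# Constructed miniature of splunk_app_stream/default/streams/netflow. The key holding the
# element array ("fields") and the per-element identifier ("name") are assumptions about
# the file layout; pass different names to merge_stream_elements() if your file differs.
EXISTING_NETFLOW = json.dumps({
    "name": "netflow",
    "fields": [
        {"name": "src_ip", "enabled": True},
        {"name": "dest_ip", "enabled": True},
    ],
}, indent=2)

# Constructed stand-in for gigamon_stream.json: as the guide describes, it carries the
# stock elements followed by the Gigamon-specific ones (element names are made up here).
GIGAMON_STREAM = json.dumps({
    "name": "netflow",
    "fields": [
        {"name": "src_ip", "enabled": True},
        {"name": "dest_ip", "enabled": True},
        {"name": "gigamon_http_hostname", "enabled": True},
        {"name": "gigamon_dns_query_name", "enabled": True},
    ],
}, indent=2)


def merge_stream_elements(existing_text, gigamon_text, list_key="fields", id_key="name"):
    """Return (merged_dict, added_names): existing elements first, then new Gigamon ones."""
    existing = json.loads(existing_text)  # a syntax error here means the file was already damaged
    gigamon = json.loads(gigamon_text)
    merged = dict(existing)
    merged[list_key] = list(existing.get(list_key, []))
    known = {element[id_key] for element in merged[list_key]}
    added = []
    for element in gigamon.get(list_key, []):
        if element[id_key] in known:
            continue  # skip the stock elements the Gigamon file repeats
        merged[list_key].append(element)
        known.add(element[id_key])
        added.append(element[id_key])
    return merged, added


def merge_files(netflow_path, gigamon_path):
    """Back up netflow as netflow.bak, write the merged file, and re-parse it as a final check."""
    netflow_path = Path(netflow_path)
    backup = netflow_path.with_name(netflow_path.name + ".bak")
    shutil.copy2(netflow_path, backup)
    merged, added = merge_stream_elements(netflow_path.read_text(), Path(gigamon_path).read_text())
    text = json.dumps(merged, indent=2) + "\n"
    json.loads(text)  # would raise if the output were not valid JSON; never write a broken file
    netflow_path.write_text(text)
    return added


if __name__ == "__main__":
    import tempfile

    # Dry run in a temporary directory; point the paths at the real files to apply step 7.
    with tempfile.TemporaryDirectory() as tmp:
        netflow, gigamon = Path(tmp, "netflow"), Path(tmp, "gigamon_stream.json")
        netflow.write_text(EXISTING_NETFLOW)
        gigamon.write_text(GIGAMON_STREAM)
        print("added elements:", merge_files(netflow, gigamon))
        print("backup kept:", netflow.with_name("netflow.bak").exists())
```

Because elements are matched by name, running the merge twice is harmless, which is not true of pasting the same block twice by hand.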

8. GigaSMART occasionally sends data elements encoded in ASN.1 to Stream. To avoid excessive license usage, apply the following fix in the props.conf configuration.

a. On the system indexing the Stream data (typically where splunk_app_stream is installed), edit the $SPLUNK_HOME/etc/apps/splunk_app_stream/local/props.conf file.

b. In the stanza [stream:netflow], add this line of configuration:

    SEDCMD-remove_nulls_gigamon = s/\\u0000//g

If the stanza doesn't exist, create it.

c. This SEDCMD will remove any data that cannot be decoded correctly.

9. Restart Splunk manually and watch for any errors.

a. Execute $SPLUNK_HOME/bin/splunk restart
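Step 8 is easy to get wrong by hand (a second SEDCMD line with the same name, or the line landing under a different stanza). The following added example, not taken from this guide and not Gigamon's or Splunk's code, inserts the SEDCMD into props.conf idempotently and also applies the same regex locally so you can measure, on constructed Stream-style events, how much volume the fix removes. It assumes the regex carries its usual meaning, where \\u0000 matches a literal backslash followed by u0000, i.e. the JSON escape sequence for a null byte; the field names in the sample events are made up.

```python
"""Idempotently add the guide's SEDCMD to props.conf and show what it strips (example, not Gigamon's code)."""
import re

STANZA = "[stream:netflow]"
SEDCMD_KEY = "SEDCMD-remove_nulls_gigamon"
SEDCMD_VALUE = r"s/\\u0000//g"  # exactly the value from step 8b of the guide
SEDCMD_LINE = f"{SEDCMD_KEY} = {SEDCMD_VALUE}"

# In the guide's regex, "\\" is a literal backslash, so the pattern matches the six
# characters \u0000 (the JSON escape for a null byte), not a real NUL. Python's re reads
# the same pattern the same way, so it reproduces the index-time edit locally.
ESCAPED_NULL = re.compile(r"\\u0000")


def ensure_sedcmd(props_text: str) -> str:
    """Return props.conf text with the SEDCMD present exactly once under [stream:netflow]."""
    out = []
    in_target = False   # currently inside the [stream:netflow] stanza
    stanza_seen = False
    key_present = False
    for line in props_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_target and not key_present:
                out.append(SEDCMD_LINE)  # stanza ended without the key: append it at its end
            in_target = stripped == STANZA
            stanza_seen = stanza_seen or in_target
            key_present = False
        elif in_target and stripped.split("=", 1)[0].strip() == SEDCMD_KEY:
            key_present = True  # already configured: leave the file alone
        out.append(line)
    if in_target and not key_present:
        out.append(SEDCMD_LINE)
    if not stanza_seen:
        if out and out[-1].strip():
            out.append("")  # blank line between stanzas
        out.extend([STANZA, SEDCMD_LINE])
    return "\n".join(out) + "\n"


def strip_escaped_nulls(event: str) -> str:
    """Apply to one raw event the transformation the SEDCMD applies at index time."""
    return ESCAPED_NULL.sub("", event)


def bytes_saved(events) -> int:
    """Characters the SEDCMD removes across a batch, i.e. license volume it avoids."""
    return sum(len(e) - len(strip_escaped_nulls(e)) for e in events)


if __name__ == "__main__":
    # Constructed events shaped like Stream JSON; the first has a padded ASN.1-derived field.
    sample = [
        '{"gigamon_ssl_issuer":"CN=example-ca' + "\\u0000" * 40 + '"}',
        '{"gigamon_dns_query":"www.example.com"}',
    ]
    print(strip_escaped_nulls(sample[0]))
    print("characters removed:", bytes_saved(sample))
    print(ensure_sedcmd("[stream:netflow]\nTRUNCATE = 0\n"))
```

Read the existing props.conf, pass its text through ensure_sedcmd(), and write the result back; running it again changes nothing, so it is safe to include in a deployment script.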

Configure Splunk Stream to collect Gigamon metadata

In this section, we will configure Splunk Stream to start collecting the Gigamon IPFIX metadata. You can find the complete documentation of Splunk Stream, including its configuration, at http://docs.splunk.com/Documentation/StreamApp/latest/User/ConfigureStreams. The instructions provided here use Splunk Stream 7.1.1 as the basis.

1. From Splunk’s main page, click on the STM Splunk Stream icon (Figure 12).

2. If this is the first time you launch Splunk Stream, a Welcome to Stream splash screen pops up. You can skip it for now, or take the tour and come back to step 3.

Figure 12: Selecting the Splunk Stream (SMT) app

3. On the main Setup Stream page, make sure only the first box is checked, as seen in Figure 13, and click the Let’s get started button. You may encounter an issue with permissions of Splunk Stream during installation or configuration. If you encounter an error during the setup of the new data stream, please see the Splunk Stream Installation and Configuration Manual for your Splunk Stream version and look for a section titled Set Splunk_TA_stream permissions.

Figure 13: Splunk Stream - Setup Stream page

4. You are now on the Analytics Overview page. From the Splunk Stream navigation bar, select Configuration > Configure Streams (Figure 14).


Figure 14: Splunk Stream - Analytics Overview page

NOTE: There are many metadata streams. By default there are 52 metadata streams, and no packet or ephemeral streams. If your organization uses Splunk Stream for reasons other than consuming Gigamon metadata, you should consult your Splunk or Security teams.

5. You are presented with the Configure Streams page (Figure 15). Notice that some streams are enabled, some are set to estimate and others are disabled. If Splunk Stream is used only to ingest and report on Gigamon metadata elements, disable all the streams.

Figure 15: Configure Streams page

a. Check the box to the left of Name (Figure 16, 1 below).

b. Click on the Disable option (Figure 16, 2 below).


Figure 16: Disabling all streams

c. A confirmation page will pop up. Click on Yes.

d. You have now disabled all streams (Figure 17) and are ready to create a new one.

Figure 17: All streams are disabled

6. Still on the Configure Streams page, click the green New Stream button at the top right, and select Metadata Stream (Figure 18).


Figure 18: Selecting the New Stream - Metadata Stream option

a. The New Metadata Stream page opens, and you are in the Basic Info section (Figure 19).

Figure 19: New Metadata Stream configuration page, Basic Info

b. Click on the Protocol button and select Netflow, as in Figure 19.

c. Give it a name and description (optional) and click Next (Figure 20).

Figure 20: Basic Info page with all configuration parameters selected

7. The Aggregation section is now visible in the New Metadata Stream page. Click Next to accept the default of No. For more information on aggregation, consult the Splunk documentation at http://docs.splunk.com/Documentation/StreamApp/latest/User/ConfigureStreams#Aggregation_types


8. You are now in the Fields section of the New Metadata Stream. You can enable or disable the different elements as needed; however, for this document we will just enable all of them. Click Next once verified. For more information, consult the Splunk documentation at http://docs.splunk.com/Documentation/StreamApp/latest/User/ConfigureStreams#Select_protocol_fields

9. Click Next in the Filters section. For more information, consult the Splunk documentation at http://docs.splunk.com/Documentation/StreamApp/latest/User/ConfigureStreams#Create_new_filters. The filters will help you limit the amount of data collected, reducing the license requirements.

10. In the Settings section, you will choose which index will hold the ingested metadata. You can select any index shown in the Index drop-down. If you need to create a new index, please consult the documentation at http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/Setupmultipleindexes.

Figure 21: Selecting the index to store Gigamon metadata

a. In this guide, we will select a previously created index named gigamon_metadata. Set the Status to Enabled. See Figure 22 below.

Figure 22: New Metadata Stream Settings, index selected and enabled

b. Click Next.

11. You are now in the Groups section. We are not using groups in this guide, so you can just click the green Create Stream button.

12. Click the green Done button.

13. You are now on the Configure Metadata Stream – [name of your newly created stream] page, as in Figure 23.


Figure 23: creation of new metadata stream is complete

14. If you go back to the Configure Streams page, as in Figure 15 above, after a few minutes you will see that the spark chart displays traffic flow from decoding the incoming metadata traffic. Figure 24 depicts all streams disabled with the exception of the newly created Gigamon_IPFIX_Metadata, and the spark chart to its right shows the rate of incoming traffic.

If your spark chart shows activity (as seen in Figure 24 below), you have successfully configured Splunk Stream with a new NetFlow stream and it is ingesting and decoding the Gigamon metadata. Remember that you need a Gigamon visibility node transmitting IPFIX flow summaries to Splunk in order to see traffic ingested.

Figure 24: Newly created metadata stream shows traffic is received and ingested

Setup the Gigamon IPFIX Metadata Application for Splunk

Now that Splunk Stream is configured and ingesting the Gigamon metadata, we need to complete the setup of the Gigamon IPFIX Metadata Application for Splunk.

1. On Splunk’s main page (Figure 8 above), select the Gigamon IPFIX Metadata Application for Splunk. Since this is the first time we’re launching it, an App configuration page opens. Click on Continue to app setup page, as in Figure 25.

Figure 25: When accessing the Gigamon IPFIX app for the first time, users are presented with this page

2. The Application Configuration page is loaded, as shown in Figure 26.

a. In the Base Event Type box, enter the name of the index where the Gigamon metadata is kept. Change index=main to your index name.

Figure 26: Updating the Base Event Type field to the proper index name

b. Click on the green Update Eventtype button to accept your changes.

c. Click on the Save button at the bottom of the page.

3. Start using the Gigamon IPFIX Metadata Application for Splunk by selecting the IPFIX Overview tab, as in Figure 27.


Figure 27: The Gigamon IPFIX Metadata Application for Splunk main dashboard

Metadata can be used to find diverse types of activity on one’s network. Splunk is extremely adept at displaying indexed data in different ways. You can always create new queries and have them visualized, as shown in Figure 28 and Figure 29.

Figure 28: Custom DNS dashboard using Gigamon's metadata elements


Figure 29: Custom HTTP return code dashboard using Gigamon's metadata elements

In fact, given that the standard operating procedures of each security operations center are unique, one is better off creating the dashboards that apply to one’s own practices. The power of the application is in exhibiting the different elements generated by Gigamon’s metadata engine and providing guidance in creating searches and queries.

Gigamon Adaptive Response Application for Splunk®

Splunk Adaptive Response helps organizations better combat advanced attacks through a unified defense by leveraging end-to-end context and automated responses to events. Advanced cyber adversaries are continuously leveraging new attack methods that span multiple domains, launching devastating attacks that often leave enterprises vulnerable. Despite advancements in security technologies, most solutions are not designed to work together out-of-the-box, making it challenging to coordinate a response. By leveraging adaptive security architecture, the Adaptive Response framework in Splunk Enterprise Security Suite provides end-to-end context and automated response across many of the world’s leading security technologies – enabling customers to quickly detect threats and execute response.

The Gigamon Adaptive Response Application for Splunk provides Splunk Enterprise administrators with Alert Actions applied on Gigamon Visibility Nodes via GigaVUE® Fabric Manager (GigaVUE-FM®). These actions are bound to correlation searches on Splunk Enterprise Security Suite for automated response or executed ad-hoc when Notable events are found.

The Gigamon Adaptive Response Application currently supports three actions:

1. Drop traffic

This action adds a single drop rule on the GigaVUE visibility node which drops traffic based on the action field selected (see below). This action is typically used when the GigaVUE visibility node is placed inline in the network and can act as a policy enforcer.

2. Monitor traffic

This action adds a rule to an existing flow map on the GigaVUE visibility node to send a copy of the traffic in question to an out-of-band tool. This action is typically used when the administrator wants to sandbox the anomalous traffic for further analysis. These tools can be honeypots, detonation chambers, packet recorders and many more.

3. Send an email alert

This action sends a mail alert to a predefined user when an anomaly is detected. This action is typically used to notify a system administrator when anomalies are identified using Splunk’s ES correlation searches executed on traffic exported by Gigamon.

Rules added to GigaVUE visibility nodes by the DROP and MONITOR actions can be further controlled using the Action Field parameter. Below is the list of options available in the application.

1. Source IP address

The source IP will be taken from the Splunk event and a rule will be added to the visibility node to drop or send a copy of the specified traffic to the desired tool. For instance, a client querying a malicious URL can be blocked or activity from the client can be monitored and analyzed.

2. Destination IP address

The destination IP will be taken from the Splunk event and a rule will be added to the visibility node to drop or send a copy of the specified traffic to the desired tool. For instance, an identified C2 server can be blocked or activity from that server can be sent to a tool to be monitored and analyzed.


3. Destination service

The destination IP and L4 port are taken from the Splunk event and a rule is added to the visibility node to drop or send a copy of the specified traffic to the desired tool. For instance, an identified rogue DNS server can be blocked, or activity from that server can be monitored and analyzed.

4. Transaction

Source IP, destination IP and destination L4 port are selected from the Splunk event and a rule is added to the visibility node to drop or send a copy of the specified traffic to the desired tool. For instance, a DNS tunneling attempt can be blocked, or the traffic can be sent to a tool for further analysis.

Leveraging Splunk’s AR framework, one can create automated, preconfigured actions within the Splunk platform or external applications such as GigaVUE-FM. These actions can be automatically triggered by correlating search results or manually run on an ad hoc basis from the Incident Review dashboard. You can also create one or more correlation searches designed to alert on the results of a custom response action and trigger another action. In this way, you can create logical chains of actions that evaluate the results of one action and dynamically react with additional actions or recommendations. The integration relies on Splunk’s Common Action Model and Python scripting.

There are a few prerequisites in order to have the Gigamon AR app installed and configured. These are:

▪ Splunk Enterprise version 6.5.x or 6.6.x

▪ Splunk Enterprise Security (ES) Suite

▪ Gigamon GigaVUE-FM

▪ CIM version 4.8

▪ Any Gigamon visibility nodes

▪ Splunk Stream is the recommended method for data ingestion. One can choose other methods to ingest data, but must ensure that the src_ip, dest_ip, src_port, and dest_port fields are present in the raw data. For instance, if using Splunk's add-on for IPFIX (https://splunkbase.splunk.com/app/1801/), you may need to create aliases for the above-mentioned fields (i.e. alias SourceIPV4Address as src_ip). The Gigamon AR app processes these four fields found in the raw data to execute any action. If these fields are not present the scripts will not execute.
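To make the field requirement and the Action Field options above concrete, here is an added Python illustration (not the Gigamon app's own code) that maps the IPFIX add-on's field names onto the CIM names, refuses an event missing any of src_ip, dest_ip, src_port or dest_port, and derives the rule criteria for each Action Field option described earlier in this section. The alias names beyond the two spellings the guide mentions, and the action and action-field identifiers, are this example's own assumptions.

```python
"""Added illustration for this guide, not the Gigamon app's own code: it
checks that an event carries src_ip, dest_ip, src_port and dest_port and
derives the rule criteria for each Action Field option."""
import ipaddress

# The four fields the guide says must be present before any action runs.
REQUIRED_FIELDS = ("src_ip", "dest_ip", "src_port", "dest_port")

# Alias names used by the legacy Splunk Add-on for IPFIX. The two src_ip
# spellings appear in the guide; the other three are assumed for this example.
FIELD_ALIASES = {
    "SourceIPV4Address": "src_ip",
    "SrcIPv4Address": "src_ip",
    "DestinationIPv4Address": "dest_ip",      # assumed
    "SourceTransportPort": "src_port",        # assumed
    "DestinationTransportPort": "dest_port",  # assumed
}

# Action Field options from the guide and the event fields each one consumes.
# The option identifiers are this example's own names.
ACTION_FIELD_KEYS = {
    "source_ip": ("src_ip",),
    "destination_ip": ("dest_ip",),
    "destination_service": ("dest_ip", "dest_port"),
    "transaction": ("src_ip", "dest_ip", "dest_port"),
}

# Maps that receive a rule, and the rule type, per the Add-on Settings tab.
TARGET_MAPS = {
    "drop": {"rule_type": "drop", "maps": ("Inline Network Map", "IPFIX Map")},
    "monitor": {"rule_type": "pass", "maps": ("Out-of-band Tool Map",)},
}


class MissingFieldError(ValueError):
    """Raised when the event lacks one of the four required fields."""


def normalize_event(raw_event):
    """Copy the event, mapping aliases onto CIM names without overwriting."""
    event = dict(raw_event)
    for alias, cim_name in FIELD_ALIASES.items():
        if alias in event and cim_name not in event:
            event[cim_name] = event[alias]
    return event


def missing_required(event):
    """List the required fields absent from an already normalized event."""
    return [name for name in REQUIRED_FIELDS if name not in event]


def build_rule(raw_event, action, action_field):
    """Validate the event and derive the rule the chosen action would add.

    Raises MissingFieldError when a required field is absent (the guide says
    the scripts do not execute in that case) and ValueError on bad input.
    """
    if action not in TARGET_MAPS:
        raise ValueError("unknown action: %r" % action)
    keys = ACTION_FIELD_KEYS.get(action_field)
    if keys is None:
        raise ValueError("unknown action field: %r" % action_field)

    event = normalize_event(raw_event)
    missing = missing_required(event)
    if missing:
        raise MissingFieldError("event lacks: %s" % ", ".join(missing))

    criteria = {}
    for key in keys:
        if key.endswith("_port"):
            port = int(event[key])
            if not 0 <= port <= 65535:
                raise ValueError("port out of range: %r" % event[key])
            criteria[key] = port
        else:
            # Rejects malformed addresses before a rule is pushed to GigaVUE-FM.
            criteria[key] = str(ipaddress.ip_address(event[key]))

    return {
        "action": action,
        "rule_type": TARGET_MAPS[action]["rule_type"],
        "maps": list(TARGET_MAPS[action]["maps"]),
        "criteria": criteria,
    }


# Constructed sample event, named the way the legacy IPFIX add-on might.
SAMPLE_EVENT = {
    "SrcIPv4Address": "10.1.2.3",
    "DestinationIPv4Address": "203.0.113.53",
    "SourceTransportPort": "51234",
    "DestinationTransportPort": "53",
}
```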

The overall onboarding and provisioning process includes several steps. This guide assumes that the customer already has a functional installation of Splunk Enterprise Security Suite (Splunk ES). The steps to follow are:

1. Download and install the Gigamon Adaptive Response Application for Splunk

2. Configure the Gigamon Adaptive Response Application for Splunk.

3. Bind Gigamon Adaptive Response actions to Splunk ES


These next sections will guide you through each step.

Prior to installing the Gigamon Adaptive Response Application for Splunk, ensure that both Splunk Enterprise and Enterprise Security Suite are installed and configured properly. Refer to the below guides for installing the app on a single server - https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall or a distributed installation - https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall.

Prior to installing the Gigamon AR app, you should verify that there is a data ingestion method, either Splunk Stream or some other method. To verify that Splunk Stream is installed, follow the steps outlined in the section titled Installing the Gigamon IPFIX Metadata Application for Splunk, specifically steps 1 and 2.

Note: Splunk Stream is not mandatory as the ingestion engine. However, if you are using some other stream ingestion mechanism, you should ensure that the fields src_ip, dest_ip, src_port, and dest_port are present in the record. This exact nomenclature must be followed closely, otherwise the AR actions will throw errors. For instance, if you are using the legacy Splunk Add-on for IPFIX (https://splunkbase.splunk.com/app/1801/), you will find that src_ip is identified as SrcIPv4Address. You will need to define an alias to convert SrcIPv4Address to src_ip, as well as the other fields.

To install the Gigamon Adaptive Response Application for Splunk, follow these steps:

1. Log in to your Splunk instance

2. On the main page, click the large + to add an application. If you can't see it, scroll down the page. See Figure 30.

Figure 30: Adding a new Splunk application

a. The “Browse More Apps” page is displayed.

b. Search for “Gigamon” in the upper left search bar. You should see three applications.

c. Select the Gigamon Adaptive Response Application for Splunk (as shown in Figure 31) by clicking the Install button.


Figure 31: Gigamon Adaptive Response Application for Splunk

d. A login splash screen will ask for your Splunk login credentials to install the app.

e. Enter your credentials and accept the terms by checking the box at the bottom.

f. Once installed, you will need to restart the Splunk service as in Figure 32.

Figure 32: Restart Splunk services

3. Once the service has restarted, you will need to log back in.

a. Verify the Gigamon Adaptive Response Application for Splunk is installed

b. You should have a screen similar to the one shown in Figure 33 below.

Figure 33: Gigamon Adaptive Response Application for Splunk installed


Now that the Gigamon Adaptive Response Application for Splunk is installed, we need to complete its setup. The Gigamon Adaptive Response Application for Splunk operates on a single node or cluster.

In this section, we will configure logging level of the app, connect it with GigaVUE-FM, and set alert actions up.

1. In Splunk's main page (Figure 33 above) select the Gigamon Adaptive Response Application for Splunk. Since this is the first time we're launching it, an App configuration page opens. Click on the Continue to app setup page as in Figure 34 below.

Figure 34: Gigamon AR app configuration page

2. The End User License Agreement page displays and you have to accept the terms of the EULA to continue.

a. Scroll to the bottom of the page and check the box stating “I agree to be bound by this EULA”

b. Click the green Save button on the right

3. The Configuration page opens

a. On the Logging tab, set the desired logging level as shown in Figure 35.

Figure 35: Gigamon Adaptive Response Application for Splunk - Configuration page, Logging tab

b. Click the green Save button

4. Click on the Add-on Settings tab – refer to Figure 36 below.


Figure 36: Gigamon Adaptive Response Application for Splunk - Configuration page, Add-on Settings tab

a. Enter the GigaVUE-FM IP address in box 1

b. Provide the GigaVUE-FM username in box 2 and the password in box 3. This user should have map editing privileges to the maps configured in boxes 5, 6, and 7.

c. The maps entered in boxes 5-7 are referred to when configuring an adaptive response in Splunk ES using either built-in or user-created correlation searches. When a correlation search returns a valid match, the matched value (IP address, URL, etc.) is then used to modify the maps.

d. Inline Network Map (box 5): this is the inline network map to which a rule will be added to drop malicious or anomalous traffic.

e. IPFIX Map (box 6): this is the map generating Gigamon IPFIX/Metadata data feeding Splunk or any other NetFlow collector. A drop rule is added to the map to stop specific traffic from being generated and sent to the collectors.

f. Out-of-band Tool Map (box 7): this is the map used to pass traffic to a tool. A pass rule is added to the map and traffic of interest is then sent to an out-of-band tool such as a sandbox, honeypot, detonation chamber, and many others.

g. Lastly, enter the username and corresponding password used to send email alerts when the Alert Action is set to "Send an Email Alert"

5. Now that the Gigamon Adaptive Response Application is installed and configured, we can bind its actions to pre-existing or new Splunk ES correlation searches.


In this section, we will take the final steps to operationalize Splunk ES with Gigamon Adaptive Response actions. Recall the actions are either to block traffic, send traffic to a monitoring tool or send an alert email.

1. Log in to your Splunk instance

2. Among the applications installed, you should see Enterprise Security (ES) as shown in Figure 37.

Figure 37: selecting Splunk Enterprise Security for further configuration of Gigamon Adaptive Response actions

3. Once in ES, select Configure > Content Management from the application menu bar (Figure 38)

Figure 38: ES Configure - Content Management menu bar

4. You are presented with Enterprise Security’s application specific search objects such as correlation searches, key indicators, reports and more. The Gigamon Adaptive Response Application only binds to correlation searches – whether preexisting or custom/user created.


In this guide, we will select any of the preexisting correlation searches. Figure 39 shows a small sample of existing correlation searches.

5. Select any of the correlation searches – this guide will use the “Brute Force Access Behavior Detected” correlation search as example (Figure 39).

Figure 39: ES search objects, sorted by type

6. Clicking on the correlation search will open the Edit Correlation Search page, as shown in Figure 40. The search statement is also visible.

Figure 40: Edit Correlation Search, top of page

7. If you scroll all the way to the bottom of the page, you will see the Adaptive Response Actions section (Figure 41).


Figure 41: Edit Correlation Search, bottom of page

8. Click on the + Add New Response Action link and a splash window with the available actions is visible as shown in Figure 42. Select the GigaVUE FM Actions.

Figure 42: Add New Response Action page with the Gigamon option visible

9. A new GigaVUE FM Actions page is now visible as shown in Figure 43.

Figure 43: GigaVUE FM Actions page


10. At this point, select the desired action (Figure 44) and action field (Figure 45). Make sure to enter a valid recipient email address in case you have selected "send an email alert" as your action.

Figure 44: Gigamon AR Application action options

Figure 45: Gigamon AR Application action field options

11. Given that the correlation search is looking for the source of both an excessive number of failed login attempts and successful ones, we will use the Source IP as the action field. We can choose to either block (drop) the source's traffic if the Gigamon visibility node is inline, send the traffic to a monitoring tool, or just send an email notifying that the search found a match.


Splunk Stream™ is a scalable and easy-to-configure software solution that captures real-time streaming wire data from anywhere in a datacenter or from any public cloud infrastructure. Splunk Stream allows security and IT engineers to ingest, process, and analyze wire data (that is, packet data gathered from the network) directly into Splunk Enterprise. Wire data enriches the existing data by adding context to events, isolating current threats and is an important way to do detailed analysis, especially when complemented by metadata. The process of collecting wire data across anywhere in the infrastructure and delivering the wire data into the Splunk platform can be optimized for efficiency, when the Gigamon GigaSECURE Security Delivery Platform is deployed in conjunction with the Splunk platform.

The Gigamon solution aggregates wire data from networks operating at any speed (100Mb to 100Gb), virtual infrastructures (workloads running on VMware ESXi, KVM/OpenStack, AWS or Azure), emerging SDN infrastructures (for example, Cisco ACI and VMware NSX), and even traffic from remote sites. Using user-defined rules, only the relevant data is filtered, thereby simplifying the handling of massive volumes of wire data for analytics with fine-grained precision.

To narrow the amount of data and increase Splunk efficacy, traffic intelligence applications can be enabled inside the Gigamon fabric using GigaSMART® technology. One such example is Application Session Filtering (ASF) that provides a powerful filtering engine to identify applications based on signatures or patterns that can appear across any part of the packet payload. ASF provides a way to search wire data for specific patterns at very high rates. These patterns can be as simple as a static string at a user-configured offset or as complex as an extremely advanced Perl Compatible Regular Expression (PCRE) at a variable offset. The GigaSMART technology supports in addition to ASF other applications such as packet de-duplication, SSL decryption, header removal, packet slicing, and more to optimize traffic before delivering the data to tools such as Splunk.

With the combined solution, a complete yet customized set of aggregate data can then be rapidly forwarded to Splunk to gain real time network visibility from anywhere in the infrastructure.

1. A detailed installation and configuration guide for Splunk Stream is available on Splunk's website at https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/SetupStream

2. Configure a Flow Map on a Gigamon Visibility node to direct raw packets to the Splunk server.

3. Additional optimization can be done by configuring GigaSMART operations (e.g. de-duplication, SSL decryption, Application Session Filtering, etc.) to reduce the amount of data sent to Splunk. This optimization enables administrators to focus on the streams to index within Splunk.

The Network Interface Card (NIC) associated with the NetFlow collection should not be in promiscuous mode. Stream is being used as a protocol decoder in this configuration only.


The Gigamon Visibility App for Splunk (Visibility app) allows Splunk® Enterprise users and operations teams to collect, store, visualize, and analyze inventory and traffic policy statistics from the Gigamon GigaSECURE Security Delivery Platform. The FlowMaps Explorer helps the Splunk Administrator to visualize and trend the traffic policies that are configured within the Security Delivery Platform. This app sources the data through open RESTful APIs from GigaVUE-FM and allows for first-level visibility and troubleshooting of infrastructure within Splunk.

The key benefits of the Gigamon Visibility App for Splunk are operational ease of use and reduced MTTR.

Using the Gigamon Visibility App for Splunk enables the administrator to monitor information presented by the GigaSECURE Security Delivery Platform in the context of other information presented within the Splunk user experience. The combination enables single-pane monitoring from the Splunk platform (Figure 46). The Gigamon Visibility App for Splunk presents critical information, such as:

▪ Fabric health status, including a complete inventory of the nodes and ports that are available.

▪ Top and bottom port stats.

▪ GigaSMART statistics for traffic intelligence applications enabled within the Gigamon fabric.

▪ Top conversations and applications seen in the Gigamon fabric

▪ Chord view allows quick identification of sources and destinations of specific traffic streams (see Figure 47).

Figure 46: Gigamon Visibility App for Splunk: Dashboard

The application provides first-level visibility, troubleshooting, and root-cause analysis of infrastructure within the Splunk platform. For example, using the information gathered from the Gigamon Visibility App, an administrator can quickly identify source, location, and traffic policy of the application or host that triggered a KPI alert.

Figure 47: FlowMaps Explorer quickly identifies sources and destinations of traffic streams

There are a few prerequisites in order to have the Visibility app installed and configured. These are:

▪ Splunk Enterprise version 6.5.x, 6.6.x or 7.0.x

▪ Gigamon GigaVUE-FM

▪ Any Gigamon visibility nodes

To install the application, follow these steps:

1. Log in to your Splunk instance

2. On the main page, click the large + to add an application. If you can't see it, scroll down the page. See Figure 48 below.


Figure 48: Adding a new Splunk application

a. The “Browse More Apps” page is displayed.

b. Search for “Gigamon” in the upper left search bar. You should see three applications.

c. Select the Gigamon Visibility App for Splunk (as shown in Figure 49) by clicking the Install button.

Figure 49: Installing the Gigamon Visibility App for Splunk

d. A login splash screen will ask for your Splunk login credentials to install the app.

e. Enter your credentials and accept the terms by checking the box at the bottom.

f. Once installed, you will need to restart the Splunk service as in Figure 50.

Figure 50: Restart Splunk services


3. Once the service has restarted, you will need to log back in and verify that the Gigamon Visibility App for Splunk is installed

a. You should have a screen similar to the one shown in Figure 51 below.

Figure 51: Gigamon Visibility App for Splunk installed

Now that the Gigamon Visibility App for Splunk is installed, we need to complete its setup.

In this section, we will connect with a GigaVUE-FM host and generate the lookups so the app can display data.

1. In Splunk's main page (Figure 51 above) select the Gigamon Visibility App for Splunk. Since this is the first time we're launching it, an App configuration page opens. Click on the Continue to app setup page as in Figure 52 below.

Figure 52: Gigamon Visibility app configuration page

2. The End User License Agreement page displays and you must accept the terms of the EULA to continue.

a. Scroll to the bottom of the page and check the box stating “I agree to be bound by this EULA”

b. Click the green Save button on the right

3. You are presented with the application main page, Overview (Figure 53). No data is showing in any of the graphs, and that is expected as the app is not connected to GigaVUE-FM yet.


Figure 53: Gigamon Visibility App - Overview page

4. Click on the Administration > Configuration tab as in Figure 54.

Figure 54: The Configuration tab under Administration

5. A submenu opens when you click on Configuration

a. Select the GigaVUE-FM option

Figure 55: select GigaVUE-FM from the administration configuration tab

6. The Configure GigaVUE-FM hosts page opens, and you are on the Add GigaVUE-FM tab, as shown in Figure 56:


Figure 56: Configure GigaVUE-FM Hosts page

a. Enter the IP address or fully qualified domain name of your GigaVUE-FM host in box 1

b. Enter the GigaVUE-FM username and password in boxes 2 and 3 respectively. The user needs to have administrative rights.

c. Select the time interval at which the Visibility App for Splunk will query GigaVUE-FM. These queries are carried over the RESTful API. The interval can be set as low as 30 seconds and as high as 3600 seconds (one hour).

d. Next, select which element information the app will query for in box 5.

e. Lastly, select the version of GigaVUE-FM in box 6. If you are running GigaVUE-FM version 3.3 or above, select the bottom radio button marked as 3.3.X and Above.

f. Once all information is entered, click the green Add GigaVUE-FM button

g. After adding the GigaVUE-FM information, you should restart Splunk. From the top menu, select Settings > Server Controls and click the green Restart Splunk button.

h. If you made a mistake, you can delete the GigaVUE-FM host by clicking the Delete GigaVUE-FM tab.

The Gigamon Visibility App for Splunk can support multiple GigaVUE-FM hosts. To add more, repeat steps a-f above.

7. Click on the orange banner at the top of the page, select Administration > Configuration > Generate Lookups as shown in Figure 57. The page refreshes and takes you to the Generate Lookups page.

Figure 57: Configuration page, Administration > Configuration > Generate Lookups

8. One must repeat step 7 above each time a new GigaVUE-FM is added to the Visibility app. Once Lookups are generated (Figure 58), you can start using the app.


Figure 58: Gigamon Visibility App for Splunk, Generate Lookups page

9. You can explore the different charts by selecting any of the top orange banner menu options:

a. Overview – general information about nodes, software distribution, port utilization, and more, as shown in Figure 46 above.

b. Health –

i. Obtain connected GigaVUE-FM information

ii. Nodes and clusters information

iii. GigaSMART information and statistics

c. Trending – single port or map statistics and information

d. Exploration –

i. FlowMaps Explorer – aggregate information on all maps seen by GigaVUE-FM, with the ability to filter down to a specific node/cluster, map, or map type

ii. Syslog Explorer – enables you to hone in on specific syslog hosts and events

Note – GigaVUE-FM does not send syslog information of individual visibility nodes without configuring the nodes to send syslog data to Splunk.

10. To populate syslog data in Splunk and have the Syslog Explorer functional, please follow the next step to configure a visibility node to send syslog data.

a. Log in to GigaVUE-FM and select the node of interest.

b. In the node's dashboard, select Settings > Global Settings > Logging (Figure 59)


Figure 59: A visibility node's Settings page

c. Click the Add button (Figure 60)

Figure 60: The Logging page where syslog sinks are added

d. In the Add Logging Settings, select UDP as the Logging Protocol, add the Splunk IP or FQDN and set the logging level as seen in Figure 61

Figure 61: Adding a syslog destination server information

e. Repeat steps a – d above for each visibility node whose syslog you want to send to Splunk.


11. Now that we are sending syslog data to Splunk, we need to add a syslog data input in Splunk. This step may be skipped if Splunk already consumes syslog.

a. In Splunk, select Settings > Data Inputs (Figure 62)

Figure 62: Selecting Settings – Data Inputs in Splunk Enterprise

b. In the Data Inputs page, select the UDP option (Figure 63)

Figure 63: Data Inputs page, selecting UDP from the Local Inputs option

c. A new screen opens, titled UDP as in Figure 64. Click the New button.

Figure 64: the UDP page of the Data Inputs option

d. The Add Data page opens. Here, we add the UDP port on which Splunk will listen. Follow Figure 65 to select UDP (1) and enter the port on which syslog is transported in box 2 (the default is 514; however, many systems, including GigaVUE-OS, allow users to select a different port). Lastly, click the Next button.


Figure 65: The Add Data page

e. The Input Settings page opens as in Figure 66. In the Source type, make sure to click the Select button (1). Next, click on the drop-down menu to select a source type (2) and scroll down to Operating System (3). Lastly, scroll down on the sidebar until you see syslog (4) and select it.

Figure 66: Input Settings page where we define additional parameters of the UDP flow

f. Next, we select the App Context drop down as in Figure 67 below. Scroll down until you see the Gigamon Visibility App For Splunk (GigamonForSplunk) and select it.


Figure 67: Input Settings, selecting the App Context for the new data source

g. In the Host option, you can select IP or DNS as the method (1) as shown in Figure 68. You can click on the Learn More link to get more information.

Figure 68: Input Settings, setting the Host Method

h. A summary page, titled Review, is now visible (Figure 69). Review the new data source and, if all looks good, click the Submit button.


Figure 69: Add Data Review page

i. Now that we have syslog data sent from a visibility node and have configured the syslog data input on Splunk, we can turn to the Gigamon Visibility App for Splunk Exploration > Syslog Explorer menu to see a visualization of the syslog data as shown in Figure 70.

Figure 70: Gigamon Visibility App for Splunk, populated Syslog Explorer dashboard


This document described the different integration methods available between Splunk Enterprise and Gigamon's GigaSECURE security delivery platform. Whether leveraging metadata or wire data, Splunk users can benefit by gaining increased non-intrusive visibility into the infrastructure. Adding Gigamon's Adaptive Response Application for Splunk provides a mechanism to execute preconfigured actions on the visibility nodes or the Splunk platform to block, isolate or further query a suspect actor within the network.

Lastly, the Gigamon Visibility Application for Splunk can also be leveraged by IT Operations Management to integrate workflows, monitor nodes’ health and review operational status.


See Inside Your Network™

4053-04 1/18