User Guide V1.0 SECUI MFI App for Splunk



Table of Contents

Notice  5
Preface  7
    About This Document  7
    Before You Use  7
    Intended Readers of This Manual  7
    Marking Rules  8
    Organization of this manual  8
Introduction  9
    SECUI MFI App for Splunk  10
    SECUI MFI  11
Configuration  13
    System Requirement  14
    Dependency  15
        Install from Splunk  15
        Install from Splunkbase  15
Installation and Settings  17
    Installation in Splunk  18
    Log Reception Settings  19
    SECUI MFI Settings  21
Index  23

SECUI MFI App for Splunk 3


Notice

Copyright

SECUI owns the copyright and intellectual property of this manual. These rights are protected by the copyright laws and international copyright agreements. Therefore, no part or whole of this manual may be copied, reproduced or published in any form or by any means without the prior written consent of SECUI. Such actions are in conflict with those laws and agreements.

Content

The photos contained in this manual may differ from the actual appearance of the product depending on the product version and how the operation is performed. The specifications and photos contained in this manual are based on the latest materials available when it was written, but they are subject to change without notice due to performance enhancements and functional improvements.

SECUI is not liable for direct, indirect, special, accidental, consequential or other damage or loss of property due to your use of the information contained in this manual or due to errors in this manual, even if you use the product according to the directions in this manual.

Trademarks

Windows OS and other product names are registered trademarks of their respective companies and are protected by copyright laws. The trademarks of other companies and the legally protected terms mentioned in this manual are used for reference only.

Contact

Phone : +82.(0)2.3783.6600

Fax : +82.(0)2.3783.6499

Address: (04631)SECUI 5th-7th Fl. Prime Tower, 48 Sogong-ro, Jung-gu, Seoul, Korea

E-mail: [email protected]

Website: http://www.secui.com

Document Information

Part Number: 04-92-10000-10000-161102

Release Date: 2016-11-02

Copyright SECUI All rights reserved.


Preface

About This Document

This document is an administrator's manual written to convey the overall system and the concepts needed to manage SECUI MFI App for Splunk.

SECUI MFI App for Splunk has security monitoring and control as its main purpose, and its method of use differs from that of conventional network configuration systems.

Managing SECUI MFI App for Splunk requires knowledge of its basic operation, the details of each function, and security.

Before You Use

• Make sure you read through this guide before using your product so that you can use it correctly.

• After reading this guide, keep it in a safe place.

• This manual assumes that the reader is an operator who has basic knowledge of the network, information security, and the use of the operating system.

Take precautions so that this guide can be viewed only by security administrators, or by the few administrators performing related tasks. Special care is required because a malicious administrator who reads the guide could acquire internal information about the system and misuse it for hacking purposes.

Intended Readers of This Manual

This guide provides security administrators who use SECUI MFI App for Splunk in their systems with the information needed to use it. To understand this manual, you need basic knowledge of network theory, information security, IP networking technology, and related subjects.

Marking Rules

The marking rules prescribed as follows are used in this manual.

Marking Rules        Description
Bold font            Indicates menu, screen name, tab name, field name and button name.
Close bracket (>)    Shows the order in which menus are navigated.
Brackets (< >)       Indicates keyboard keys such as <Ctrl>, <Alt> and <Shift>.
(Notice) NOTICE      Represents important information for using the product.
(Caution) CAUTION    Represents information that needs special care to prevent data loss, hardware damage, security threats, etc.

This manual explains all of the functions of the product; the functions actually available may differ depending on your purchase options.

Organization of this manual

Chapter 1. Introduction

This chapter introduces the overview and features of SECUI MFI App for Splunk.

Chapter 2. Configuration

This chapter explains the configuration required to use SECUI MFI App for Splunk.

Chapter 3. Installation and Settings

This chapter explains how to install SECUI MFI App for Splunk and configure the required settings.

Chapter 1

Introduction

This chapter introduces the overview and features of SECUI MFI App for Splunk.

SECUI MFI App for Splunk

SECUI MFI App for Splunk provides various views for easily analyzing, in Splunk, the IPS logs detected by the SECUI MFI Appliance.

The App offers a real-time threat dashboard, threat analytics (attack analytics, attacker analytics, victim analytics and detail analytics), a traffic dashboard and log search.

• Threat Dashboard
  Check recently detected threat information in real time.
• Attack Analytics
  Top analysis of attack names and of the attack-name trend over time.
• Attacker Analytics
  Top analysis of attackers and of the attacker trend over time.
• Victim Analytics
  Top analysis of victims and of the victim trend over time.
• Detail Analytics
  Attack flow analysis through the progress of attacks and a Sankey chart, with top analysis for each item.
• Traffic Dashboard
  Top analysis of the traffic trend over time and of each traffic item.
• Search
  Log search.

SECUI MFI

SECUI MFI is installed as a transparent bridge, so it does not change the network topology. It is an intrusion prevention system that detects and blocks, in real time, intrusions and attacks in network traffic flowing from the outside to the inside.

SECUI MFI performs intrusion detection and prevention on every packet, and protects the information assets and resources of the internal network from DDoS attacks, flooding attacks and Smurf attacks.

Chapter 2

Configuration

This chapter explains the configuration required to use SECUI MFI App for Splunk.

System Requirement

The system requirements for using SECUI MFI App for Splunk are as follows:

System               Requirement
Splunk version       Splunk Enterprise version 6.5 or higher
OS                   Linux
SECUI MFI version    SECUI MFI V4.0.1 or higher

Dependency

SECUI MFI App for Splunk depends on two Splunk apps (applications, hereinafter apps): Sankey Diagram and Heatmap.

They can be found through Find More Apps in Splunk, or downloaded from Splunkbase and installed from file.

Install from Splunk

Sankey Diagram

1. Go to the Splunk > Apps > Find More Apps menu.
2. Search for Sankey Diagram.
3. Install the Sankey Diagram - Custom Visualization app.

Heatmap

1. Go to the Splunk > Apps > Find More Apps menu.
2. Search for Heatmap.
3. Install the Heatmap - Custom Visualization app.

Install from Splunkbase

Depending on the Splunk version in use, Sankey Diagram or Heatmap may not be found in Find More Apps. In that case, download the installation file from Splunkbase and install it from file.

Sankey Diagram - Custom Visualization

1. Go to https://splunkbase.splunk.com/app/3112/.
2. Click on the Download button to download the installation file.
3. Go to the Splunk > Apps > Manage Apps menu.
4. Select Install app from file.
5. Click on the Browse button to select the downloaded installation file.
6. Click on the Upload button to install.

Heatmap - Custom Visualization

1. Go to https://splunkbase.splunk.com/app/3159/.
2. Click on the Download button to download the installation file.
3. Go to the Splunk > Apps > Manage Apps menu.
4. Select Install app from file.
5. Click on the Browse button to select the downloaded installation file.
6. Click on the Upload button to install.

Chapter 3

Installation and Settings

This chapter explains how to install SECUI MFI App for Splunk and configure the required settings.

Installation in Splunk

1. Log in to the Splunk web UI.
2. Click on the Manage Apps icon.
3. Click on the Install app from file button.
4. Click on the Browse button, select the SECUI MFI App for Splunk package, and then click on the Upload button.
5. Once installation is complete, go to the Settings > Server Controls menu and click on Restart Splunk to restart Splunk.

Log Reception Settings

Set the UDP port number on which Splunk receives syslog from SECUI MFI.

1. Log in to the Splunk web UI.
2. Select the Settings > Data inputs menu.
3. Click Add new in UDP.
4. Enter the UDP port number to be opened (Ex.: 514).
   Enter the same port number when configuring syslog in SECUI MFI.
5. For Source type, select Network & Security > secui:log, select SECUI MFI App for Splunk for App context, and click on the Review button.
6. Check the Review contents and click on the Submit button.

(Caution) On Linux, ports below 1024 (including 514) can be bound only by a process running as root or with the equivalent capability. If Splunk runs as an unprivileged user, choose a port above 1024 and enter that port in SECUI MFI instead. Syslog over UDP is neither authenticated nor encrypted, so any host that can reach the port can inject events into the secui:log sourcetype; restrict the port at the host firewall to the SECUI MFI address, and use the acceptFrom setting of the UDP input in inputs.conf to limit the accepted source addresses.

SECUI MFI Settings

To send logs to the Splunk server, both syslog settings and log settings must be completed in SECUI MFI.

Syslog Settings

1. Open a web browser and log in to SECUI MFI.
2. Select the System > Log Environment > Syslog Settings menu.
3. Configure the syslog server that transmits logs to Splunk.

Item                  Description
Enable                Check to activate this syslog server entry.
Server IP (Domain)    Enter the IP address of the host where Splunk is installed and the UDP port number (Ex.: 514) set in Splunk.
Format                Select ArcSight format.

4. Click on the Apply button to apply the settings.

Log Settings

Set the log types to be transmitted via syslog.

1. Select the System > Log Environment > Log Settings menu.
2. Select the logs to be transmitted to the server configured in Syslog Settings (Ex.: Server 1).
   Check all folders under IPS/DDoS Log and Traffic Log (all sub-settings will be checked) to select them.
3. Click on the Apply button to apply the settings.
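The following Python script is an added example, not code from the SECUI manual or from the App, showing the receiving side of the two procedures above: SECUI MFI sends ArcSight-format syslog over UDP to the port configured under Settings > Data inputs, and the secui:log sourcetype breaks each event into the fields that feed the attack, attacker and victim analytics. It assumes that "ArcSight format" means ArcSight Common Event Format (CEF) carried inside a syslog datagram; the sensor address 192.0.2.10, the sample event lines, their field names and their addresses are constructed for illustration and are not SECUI's documented field set. It also applies the same kind of source filter that a UDP input's acceptFrom setting provides, dropping datagrams that do not come from the sensor.

```python
"""Parse SECUI MFI syslog in ArcSight (CEF) format and filter by sender.

Added example; assumptions not taken from the SECUI manual:
- "ArcSight format" is CEF inside a syslog datagram:
  "<PRI>Mon dd hh:mm:ss host CEF:0|Vendor|Product|Version|SigID|Name|Severity|k=v k=v"
- 192.0.2.10 stands in for the SECUI MFI sensor; the sample events, field
  names and addresses below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Addresses Splunk should accept datagrams from (assumed value); this is what
# acceptFrom in an inputs.conf [udp://514] stanza enforces.
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed datagrams as (source IP, payload). The last one is not from the
# sensor and must be dropped.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", "<134>Nov  2 10:15:01 mfi-01 CEF:0|SECUI|MFI|4.0.1|1001|"
     "SQL Injection Attempt|8|src=203.0.113.7 spt=51544 dst=198.51.100.20 "
     "dpt=80 proto=TCP act=Block"),
    ("192.0.2.10", "<134>Nov  2 10:15:02 mfi-01 CEF:0|SECUI|MFI|4.0.1|2002|"
     "SYN Flooding|9|src=203.0.113.7 dst=198.51.100.20 dpt=443 proto=TCP "
     "act=Block cnt=1200"),
    ("192.0.2.10", "<134>Nov  2 10:15:03 mfi-01 CEF:0|SECUI|MFI|4.0.1|3003|"
     "Smurf \\| ICMP Broadcast Amplification|7|src=203.0.113.99 "
     "dst=198.51.100.255 proto=ICMP act=Block"),
    ("198.51.100.250", "<134>Nov  2 10:15:04 mfi-01 CEF:0|SECUI|MFI|4.0.1|"
     "1001|SQL Injection Attempt|8|src=10.0.0.1 dst=198.51.100.20 dpt=80 "
     "act=Block"),
]

_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_cef_header(body):
    """Split the seven pipe-delimited CEF header fields, honouring the
    '\\|' and '\\\\' escapes CEF allows in them. Returns (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7 and cur:               # header with no extension part
        fields.append("".join(cur))
    return fields, body[i:]


def _parse_extension(ext):
    """Turn 'key=value key=value' into a dict. Values may contain spaces and
    unescaped '=' (URLs, for example), so split on keys, not on spaces."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF event into a dict of header
    fields plus every extension key; return None if the line is not CEF."""
    pos = line.find("CEF:0|")
    if pos < 0:
        return None
    fields, ext = _split_cef_header(line[pos:])
    if len(fields) != 7 or not fields[6].strip().isdigit():
        return None
    event = {"vendor": fields[1], "product": fields[2], "version": fields[3],
             "signature_id": fields[4], "name": fields[5],
             "severity": int(fields[6])}
    event.update(_parse_extension(ext))
    return event


def accept_from(source_ip, allowed=ALLOWED_SOURCES):
    """True if the datagram's source address lies inside an allowed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowed)


def summarize(datagrams, allowed=ALLOWED_SOURCES):
    """Count top attacks, attackers and victims (what the analytics views
    show), dropping datagrams that fail the source check or do not parse."""
    stats = {"attacks": Counter(), "attackers": Counter(),
             "victims": Counter(), "dropped": 0, "malformed": 0}
    for source_ip, payload in datagrams:
        if not accept_from(source_ip, allowed):
            stats["dropped"] += 1
            continue
        event = parse_cef(payload)
        if event is None:
            stats["malformed"] += 1
            continue
        stats["attacks"][event["name"]] += 1
        stats["attackers"][event.get("src", "unknown")] += 1
        stats["victims"][event.get("dst", "unknown")] += 1
    return stats


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DATAGRAMS).items():
        print(key, value)
```

Because UDP carries no sender authentication, the source check only keeps out misconfigured or stray hosts; a forged source address passes it, which is why the host firewall rule and the acceptFrom restriction on the input should both be in place rather than relying on the sourcetype parser alone.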

Index

A
Attack Analytics  10
Attacker Analytics  10

D
Data inputs  19
Detail Analytics  10

I
Install app from file  18
Intrusion Prevention System  11

L
Log Settings  21

R
Restart Splunk  18

S
Search  10
SECUI MFI  11
SECUI MFI App for Splunk  10
Server Controls  18
Splunk
    Heatmap  15
    Sankey Diagram  15
Splunkbase
    Heatmap - Custom Visualization  15
    Sankey Diagram - Custom Visualization  15

T
Threat Dashboard  10
Traffic Dashboard  10
Transparent Bridge  11

V
Victim Analytics  10
