Overview

The Data Theorem Splunk integration analyzes Splunk logs for API attacks, API abuses, API discovery, and API threats. It analyzes events as defined by the Splunk Common Information Model (CIM) add-on and sends the resulting access logs to Data Theorem for analysis. Only the API request metadata is sent to Data Theorem and shown on the Data Theorem portal. The data flow diagram is below:

System Requirements

Splunk Enterprise version >= 9.x or Splunk Cloud
Dependencies
- CIM Version: 5.x (more information about CIM)

Integration Permissions

A Splunk user with an authentication token with access to run search queries on the indexes storing web-related data (queries with tag=web)
- Creating A Splunk API Access Token

Data Protection

The Data Theorem Splunk App analyzes only indexes containing Web CIM data, and uses only the below list of fields from the Web CIM model. The Web CIM fields contain metadata about requests, similar to the information in an nginx or webserver access log. By using only defined fields on indexed Web CIM logs, there is minimal risk of accidental disclosure of sensitive data.

The Web CIM model include a`cookie` field that may contain HTTP Cookie values. We exclude this field and do not store or transmit any HTTP cookies.

Complete list of Web CIM fields

Dataset name	Field name	Data type	Description	Abbreviated list of example values

Dataset name	Field name	Data type	Description	Abbreviated list of example values
Web	`action`	string	The action taken by the server or proxy.	recommended required for pytest-splunk-addon
Web	`app`	string	The application detected or hosted by the server/site such as WordPress, Splunk, or Facebook.
Web	`bytes`	number	The total number of bytes transferred (`bytes_in` + `bytes_out`).	recommended required for pytest-splunk-addon
Web	`bytes_in`	number	The number of inbound bytes transferred.	recommended required for pytest-splunk-addon
Web	`bytes_out`	number	The number of outbound bytes transferred.	recommended required for pytest-splunk-addon
Web	`cached`	boolean	Indicates whether the event data is cached or not.	prescribed values: `true`, `false`, `1`, `0`
Web	`category`	string	The category of traffic, such as may be provided by a proxy server.	required for pytest-splunk-addon
Web	`dest`	string	The destination of the network traffic (the remote host). You can alias this from more specific fields, such as `dest_host`, `dest_ip`, or `dest_name`.	recommended required for pytest-splunk-addon
Web	`dest_bunit`	string	These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.
Web	`dest_category`	string
Web	`dest_priority`	string
Web	`dest_port`	number	The destination port of the web traffic.	required for pytest-splunk-addon
Web	`duration`	number	The time taken by the proxy event, in milliseconds.
Web	`http_content_type`	string	The content-type of the requested HTTP resource.	recommended
Web	`http_method`	string	The HTTP method used in the request.	recommended prescribed values: `GET`, `PUT`,`POST`, `DELETE`, `HEAD`, `OPTIONS`, `CONNECT`, `TRACE`
Web	`http_referrer`	string	The HTTP referrer used in the request. The W3C specification and many implementations misspell this as `http_referer`. Use a `FIELDALIAS` to handle both key names.	recommended
Web	`http_referrer_domain`	string	The domain name contained within the HTTP referrer used in the request.	recommended
Web	`http_user_agent`	string	The user agent used in the request.	recommended required for pytest-splunk-addon
Web	`http_user_agent_length`	number	The length of the user agent used in the request.	required for pytest-splunk-addon
Web	`response_time`	number	The amount of time it took to receive a response, if applicable, in milliseconds.
Web	`site`	string	The virtual site which services the request, if applicable.
Web	`src`	string	The source of the network traffic (the client requesting the connection).	recommended required for pytest-splunk-addon
Web	`src_bunit`	string	These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.
Web	`src_category`	string
Web	`src_priority`	string
Web	`status`	string	The HTTP response code indicating the status of the proxy request.	recommended required for pytest-splunk-addon
Web	`tag`	string	This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons.
Web	`uri_path`	string	The path of the resource served by the webserver or proxy.	other: `/CertEnroll/Blue%20Coat%20Systems` `%20Internal.crl`
Web	`uri_query`	string	The path of the resource requested by the client.	other: `?return_to=%2Fen-US%2Fapp%2Fsimple_xml_examples%2Fcustom_viz_` `forcedirected%3Fearliest%3D0%26latest%3D`
Web	`url`	string	The URL of the requested HTTP resource.	recommended required for pytest-splunk-addon other: `http://0.channel36.facebook.com/x/1746719903/ false/p_1243021868=11`
Web	`url_domain`	string	The domain name contained within the URL of the requested HTTP resource.	recommended
Web	`url_length`	number	The length of the URL.
Web	`user`	string	The user that requested the HTTP resource.	recommended
Web	`user_bunit`	string	These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.
Web	`user_category`	string
Web	`user_priority`	string
Web	`vendor_product`	string	The vendor and product of the proxy server, such as `Squid Proxy Server`. This field can be automatically populated by `vendor` and `product` fields in your data.	recommended

Installation

Create Splunk Data Theorem User and generate Authentication Token for Splunk Data Theorem user
Enter Splunk Authentication Token In Data Theorem Portal Splunk API Integration onboarding flow
Enter Splunk Deployment REST API URL in Data Theorem Portal Splunk API Integration onboarding flow

Public Knowledge Base