Setup integration

This document provides a step-by-step description of the actions required to integrate your Splunk instance with your BETTER MTD console.

Through this integration, security incidents captured through the BETTER MTD platform can be populated into the Splunk platform for real-time visualization, security review, and proactive remediation.

Prerequisites

Versions

  • BETTER MTD console: 3.x and newer

  • Splunk: 6.3.0 and newer

Network Considerations

Network communication must be open between the BETTER MTD cloud platform and the Splunk instance being integrated, so that MTD can reach the Splunk management port configured below.

Splunk API access configuration

In this step, you will create a user on your Splunk instance with the appropriate privileges that will later be used to connect with the BETTER MTD platform. You will also enable API access to your Splunk instance.

  1. Log into your Splunk console.

  2. Go to Settings > Access controls > Roles and create a new role.

  3. Ensure that the role has the edit_tcp capability.

  4. Go to Settings > Access controls > Users and create a new user. Assign the role created previously to this new user.

  5. Go to Server Settings > General Settings, enable API access, and assign a management port (the default is 8089).

  6. Click on Save.
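Before entering these parameters in the MTD console, it is worth confirming from the Splunk side that the user and port are set up as described. The following script is an added example, not part of the BETTER MTD or Splunk documentation: it queries Splunk's standard current-context REST endpoint on the management port with the new user's credentials and reports whether that user's role is missing the edit_tcp capability. The host name, user name and password in it are placeholders.

```python
"""Pre-flight check of the Splunk account that BETTER MTD will use: confirms the
management port answers, the credentials work, and the role carries edit_tcp."""
import base64
import json
import ssl
import urllib.request

REQUIRED_CAPABILITIES = {"edit_tcp"}  # the capability step 3 requires


def missing_capabilities(context, required=REQUIRED_CAPABILITIES):
    """Return the required capabilities absent from a current-context response.

    `context` is the JSON body returned with output_mode=json; the effective
    capabilities of the logged-in user are under entry[0].content.capabilities.
    """
    entries = context.get("entry") or []
    if not entries:
        return sorted(required)  # no entry at all: nothing has been granted
    granted = set(entries[0].get("content", {}).get("capabilities", []))
    return sorted(required - granted)


def fetch_current_context(host, port, username, password, verify_tls=True):
    """Query /services/authentication/current-context on the management port.

    Raises urllib.error.HTTPError (401) for bad credentials and URLError when
    the management port is unreachable; both must be fixed before configuring MTD.
    """
    url = f"https://{host}:{port}/services/authentication/current-context?output_mode=json"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: Splunk's default 8089 certificate is self-signed
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response for a role that was created without edit_tcp.
SAMPLE_CONTEXT = {"entry": [{"name": "context", "content": {
    "username": "mtd_integration", "roles": ["mtd_role"],
    "capabilities": ["search", "list_inputs"]}}]}

if __name__ == "__main__":
    # Live check (placeholders): fetch_current_context("splunk.example.invalid", 8089, "mtd_integration", "***")
    print(missing_capabilities(SAMPLE_CONTEXT))  # ['edit_tcp']
```

An empty list from missing_capabilities on the live response means the role is ready; a 401 from fetch_current_context means the user or password is wrong, and a connection error means the management port is not reachable from where you ran the check.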

MTD Integration configuration

In this step, you will configure your MTD tenant to communicate with your Splunk instance using the parameters configured in the previous section.

  1. Log into your BETTER MTD admin console.

  2. Go to Integration > Others and click on the Add Account button.

  3. Select Splunk from the Integration selector.

  4. Submit your Splunk parameters in the following screen:

    1. Name: identifies your Splunk instance, e.g. Splunk Production.

    2. API Address: the IP address or URL of your Splunk instance's API.

    3. Port: the management port configured in the previous section.

    4. Username and Password: the credentials of the user created in the previous section.

    5. Source type: a string that identifies the MTD feed in Splunk (the default, threat_logs, is the source type used by the sample dashboard).

  5. Click on Save.

Sample Dashboard

We have provided a sample Splunk dashboard to validate your BETTER MTD integration and to provide a starting point for visualizing your mobile threat defense incident feed.

  1. Download the sample.

  2. Go to Splunk apps.

  3. Click on Install from file. Select the downloaded archive on the upload screen.

  4. The Splunk sidebar now shows the new dashboard.