Using the MixMode query language to integrate with splunk - Security Boulevard

Integrating MixMode with Splunk gives your organization immediate, AI-based decision making. The result is fewer alerts and more actionable data for analysts to consume.

MixMode is built to integrate flexibly into a larger ecosystem of tools. Most commonly, users will want to extract data from the MixMode platform with custom queries and send it to another system, such as Splunk.

Suppose an analyst wants to collect high-risk security events into a Splunk instance for correlation with indicators from other tools.

This can be achieved easily with the MixMode API client tool, mm.sh. To make integrations with the MixMode platform API straightforward, we provide a lightweight but powerful bash/python API tool that customers can use to perform advanced functions against the API in very little time.

To begin, users choose the data they wish to extract by constructing a PQL query, the standard way to ask questions of the MixMode platform. An example query for this use case would be:

mm.sh stream "last 20 minutes risk_score > 5" O_EVENTS America/Los_Angeles

This streams the JSON search results to standard output.

To send this data to Splunk, it needs to be converted into a proper Splunk event object with a sourcetype attribute and an event attribute containing the payload. mm.sh provides a convenience function that transforms the JSON streamed from the search results into the Splunk-formatted object:

export SPLUNK_KEY="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" && 
export SPLUNK_ENDPOINT="http://SPLUNKINSTANCE/services/collector/event" && 
export SPLUNK_SOURCETYPE="mysourcetype" && 
mm.sh stream "last 20 minutes risk_score > 5" O_EVENTS America/Los_Angeles | mm.sh splunk

This sends the search results to the customer's Splunk endpoint.
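The wrapping step described above, as an added example that is not mm.sh itself or any MixMode code: it reads JSON result lines from standard input, wraps each one in the sourcetype/event envelope that the HTTP Event Collector expects, and posts the batch with the same three environment variables the article exports. The sample result line and its field names are constructed for illustration.

```python
"""Wrap MixMode JSON search results as Splunk HEC events (added example)."""
import json
import os
import sys
import urllib.request

# Constructed sample of one streamed result line; field names are assumed.
SAMPLE_LINE = '{"risk_score": 7, "src_ip": "10.0.0.5", "ts": "2020-01-01T00:00:00Z"}'


def to_hec_event(line: str, sourcetype: str) -> dict:
    """Wrap one JSON result in the HEC envelope: sourcetype + event payload."""
    payload = json.loads(line)  # raises ValueError on malformed input
    return {"sourcetype": sourcetype, "event": payload}


def to_hec_batch(lines, sourcetype: str) -> str:
    """Build one HEC request body from many lines, skipping blank or malformed ones."""
    bodies = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            bodies.append(json.dumps(to_hec_event(line, sourcetype)))
        except ValueError:
            continue  # one bad record should not drop the whole batch
    # HEC accepts several JSON objects concatenated in a single request body.
    return "\n".join(bodies)


def send_to_hec(body: str, endpoint: str, token: str) -> int:
    """POST the batch to the HEC endpoint and return the HTTP status code."""
    # The token travels in the Authorization header, so the endpoint should be
    # https://, not the http:// shown in the article's placeholder URL.
    req = urllib.request.Request(
        endpoint, data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    endpoint = os.environ["SPLUNK_ENDPOINT"]
    token = os.environ["SPLUNK_KEY"]
    sourcetype = os.environ.get("SPLUNK_SOURCETYPE", "mixmode")
    batch = to_hec_batch(sys.stdin, sourcetype)
    if batch:
        print("HEC status:", send_to_hec(batch, endpoint, token))
```

Run it in place of `mm.sh splunk` at the end of the same pipeline; a 200 from HEC means the batch was accepted.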

Automating this job to run periodically via cron takes only a single entry:

# every 20 minutes, send mixmode data to splunk
*/20 * * * * root /root/mixmode_splunk.sh

So, using mm.sh, within just a couple of minutes users can integrate the value-added platform data from MixMode into any system they control, using custom queries to find exactly what they need.


This is a Security Bloggers Network syndicated blog from MixMode authored by Troy Molsberry. Read the original post at: https://mixmode.ai/blog/using-the-mixmode-query-language-to-integrate-with-splunk/