Splunk -> Access ATA console from an API

  • Question

  • How to manage/access ATA via Splunk using any API?

    Is there any API available to do that? 

    Monday, February 5, 2018 3:02 PM

All replies

  • You can forward alerts from ATA to Splunk using syslog.

    There is no API besides this option.

    Monday, February 5, 2018 7:53 PM
  • We are trying to integrate Splunk with ATA,

    so that we can close/open incidents from Splunk itself (bi-directional).

    Tuesday, February 6, 2018 4:27 PM
  • Then try this for the Splunk -> ATA direction:

    https://github.com/Microsoft/Advanced-Threat-Analytics

    Tuesday, February 6, 2018 7:30 PM
  • Eli,

    It appears that we can pull information from ATA using a PowerShell command.

    I don't think it has the capability to change the status and all that from the Splunk instance -> change the status, close, assign, all from Splunk.

    Wednesday, February 14, 2018 3:19 PM
  • Actually it can do exactly that.

    See the Set-ATASuspiciousActivity cmdlet.

    It takes the ID of the SA and the status you want to set...

    So, you can get the info about open SAs into Splunk using syslog,

    then manipulate them remotely using this command.

    Eli



    Wednesday, February 14, 2018 7:43 PM
  • Eli,

    Right now we are not getting the required data (logs) to integrate Splunk with ATA.

    Example: the ATASuspiciousActivity ID is not there in the syslog message.


    How to incorporate all the required data from the Excel sheet (ATA email attachment) into the syslog message?


    Tuesday, February 20, 2018 4:08 PM
  • The cs1 field in the syslog message contains the full URL to the ATASuspiciousActivity.

    The ID is the GUID at the end; you just need to parse it:

    https://centerName/suspiciousActivity/GUID

    Not sure about the excel question, can you elaborate what you are trying to accomplish exactly?

    If you want to auto download it, you can, using the id, although I warn that it's not an official solution,

    and might break with every upgrade.

    getting this:

    https://centerName/api/management/suspiciousActivities/GUID/excel?localeId=en-us

    Eli

    Tuesday, February 20, 2018 6:59 PM
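As an added example (not code from this thread or from the ATA project), a small Python parser for the cs1 field described above: it splits a CEF-over-syslog line into its header and extension fields and takes the SA ID from the end of the console URL in cs1. The sample line is constructed to mirror the documented layout; the host name centerName and the ID value are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an ATA alert as forwarded over syslog in CEF format
# (not a real capture; the cef-format-sa docs page shows the real layout).
# cs1Label=url / cs1=... carries the console URL whose last path segment is
# the suspicious-activity ID that Set-ATASuspiciousActivity needs.
SAMPLE_SYSLOG = (
    "02/20/2018 16:05:12 10.0.0.5 CEF:0|Microsoft|ATA|1.9.0.0|"
    "AbnormalSensitiveGroupMembershipChangeSuspiciousActivity|"
    "Abnormal modification of sensitive groups|5|"
    "start=2018-02-20T16:05:12.0000000Z app=GroupMembershipChangeEvent "
    "suser=jdoe msg=jdoe has changed the membership of Domain Admins "
    "externalId=2024 cs1Label=url "
    "cs1=https://centerName/suspiciousActivity/"
    "3f2d7c1e-9a4b-4c8d-b1e2-0f5a6d7e8c9b"  # placeholder ID, constructed
)

# CEF: 7 pipe-separated header fields, then "key=value" extensions where a
# value may itself contain spaces (e.g. msg=...). Pipes escaped as \| inside
# a header field are not separators.
HEADER_KEYS = ("version", "vendor", "product", "product_version",
               "signature_id", "name", "severity")
PIPE_RE = re.compile(r"(?<!\\)\|")
# A value runs until the next " key=" token or the end of the line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Return (header dict, extension dict) for one CEF syslog line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = PIPE_RE.split(line[start:], maxsplit=len(HEADER_KEYS))
    if len(parts) != len(HEADER_KEYS) + 1:
        raise ValueError("truncated CEF header")
    parts[0] = parts[0][len("CEF:"):]          # "CEF:0" -> "0"
    header = dict(zip(HEADER_KEYS, parts[:-1]))
    ext = {k: v.strip() for k, v in EXT_RE.findall(parts[-1])}
    return header, ext


def suspicious_activity_id(line):
    """Extract the SA ID from the cs1 console URL, or None if absent."""
    _, ext = parse_cef(line)
    if ext.get("cs1Label") != "url" or "cs1" not in ext:
        return None
    path = urlparse(ext["cs1"]).path.rstrip("/")
    return path.rsplit("/", 1)[-1] or None
```

The returned ID is the value to hand to the cmdlet from a Splunk-side script; a message without a cs1 URL yields None rather than a bogus ID.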
  • Yes, we can parse the ActivityID from the cs1 field. Eli, can you please send me a sample log with all the additional information which is not there in syslog? Example: network activities. I want to check how this log appears with all the alert information.

    Wednesday, February 21, 2018 4:29 PM
  • Sadly the syslog will never send all this info.

    We only send what you see.

    You can see samples here:

    https://docs.microsoft.com/en-us/advanced-threat-analytics/cef-format-sa

    Detailed info like network activities has the potential of being large...
    You can only see the details in ATA console or download the excel file and get it from there.

    Even if we wanted to send all this info via syslog (which I believe does not really make sense),

    we would have been blocked by the syslog RFC, which limits the syslog message to 1KB; the full data would need much more.

    https://tools.ietf.org/html/rfc3164#section-4.1

    The best way would be to supply in the destination system a direct url to download the excel file to see the complete info.

    Eli

    Wednesday, February 21, 2018 7:44 PM
  • Thanks Eli for your inputs!

    Wednesday, February 21, 2018 9:30 PM
  • Eli,

    Has anyone implemented this previously? If so, please collect information from them on the two questions below.

    1. A guide on how to connect to Splunk (the best practice)

    2. Is it possible to install Windows PowerShell on a Linux box?

    Jay

    Thursday, February 22, 2018 4:50 PM
  • I am not aware of any implementation that went beyond parsing the info in the syslog message.

    As for PowerShell, you can try this:

    https://github.com/PowerShell/PowerShell

    But honestly, I am not sure if the ATA module will successfully work with it; you will need to experiment.

    Eli 

    Thursday, February 22, 2018 7:30 PM
  • My biggest concern is

    how to integrate the script with Splunk. It would be good if there is any guide to follow.

    Thursday, February 22, 2018 7:49 PM
  • Sorry, I am not aware of any guide.


    Thursday, February 22, 2018 7:58 PM
  • You cannot manage ATA with Splunk or any other SIEM. What you can do, with the API, is forward the ATA events to your SIEM and vice versa, consume for example the Windows event logging forwarded to your SIEM in your ATA to enrich the dataset in ATA and have more insights on what is happening in your environment.

    Tuesday, March 6, 2018 8:01 PM