Class 7 Lab 3 ‐ Integrating Demisto in Splunk - Justin-Boyd/CIT-Class GitHub Wiki

Task 1: Download Cortex XSOAR Community Edition

Step 1

Step 2

  • Fill out the form on the right of the page and click the box to prove that you’re not a robot. Be sure to use an active email address that you have access to. Click “Get it for free.”

Step 3

  • Open the email from the Cortex XSOAR website. Download the attached license file and save it for later use. Click the “Download Installer” button.
  • Note: the attached license is at the bottom of the email.

Step 4

  • Review the licensing agreement. Scroll to the bottom of the page and click the “Accept and Download” button.

Step 5

  • Allow the demistoserver-6.x-xxxxxxxx.sh file to download and save it to the same location where you saved the license file in step 3.

Task 2: Cortex XSOAR (Demisto) Installation

Step 1

  • Start your pfSense virtual machine.

Step 2

  • Start your Ubuntu machine. Drag and drop the following files to your Ubuntu desktop.
    • Demisto_Suite.tar
    • Your Demisto license file (DemistoLicenseXXXXXXXX.lic)
    • The Demisto shell script (demistoserver-6.X-XXXXXXX.sh)

Step 3

  • Open the terminal and navigate to the Desktop directory using cd ~/Desktop/

Step 4

  • Extract the Demisto_Suite.tar archive to the desktop with the command tar -xf Demisto_Suite.tar in the terminal.

Step 5

  • Type chmod +x demistoserver-6.X-XXXXXXX.sh to give the .sh file permission to execute. Replace the “X’s” with the version number of the file that you downloaded.

Step 6

  • Run sudo ./demistoserver-X.X-XXXXXXX.sh to run the installation script.

Step 7

  • When the EULA appears, press Q, then accept the terms by entering yes and pressing Enter.

Step 8

  • The process will try to install Docker. If the installation fails, continue by pressing Enter. Docker is not necessary for this lab.

Step 9

  • At the Enter server HTTPS port prompt, keep the default, 443, and press Enter.

Step 10

  • When prompted for the Elasticsearch database, press Enter to accept the default.

Step 11

  • When prompted for a username, press Enter (it will be set to admin).

Step 12

  • When prompted for a password, enter Aa123456, press Enter, verify the password, and press Enter again.

Step 13

  • Review the configuration summary and type yes if the information shown is correct.

Step 14

  • Type Y to accept the additional disk space that will be used.

Step 15

  • The installer will attempt to install Docker again. If the installation fails, continue by pressing Enter. Docker is not necessary for this lab.

Step 16

  • Start the server by typing yes.

Task 3: Cortex XSOAR (Demisto) Integration with Splunk

Step 1

  • Use the command sudo /opt/splunk/bin/splunk start to start the Splunk daemon.

Step 2

  • Click the Firefox icon in the panel on the left and browse to 127.0.0.1:8000.
  • Sign in with the username admin and password Aa123456.

Step 3

  • Click the cog icon next to Apps.

Step 4

  • Click Install app from file.

Step 5

  • Click Browse…

Step 6

  • Navigate to /home/john/Desktop/Demisto_Suite and select the demisto-addon-for-splunk_206 as shown below. Remember to click Upload.
  • Restart Splunk before installing the second file, demisto-app-for-splunk_102.

Step 7

  • After Splunk restarts, ignore the prompt and repeat steps 4–6 for demisto-app-for-splunk_102. Restart again once it is uploaded.

Step 8

  • After the installation ends, Demisto will appear under Search & Reporting.

Step 9

  • In Firefox, browse to https://127.0.0.1 to open Demisto. On the error page, click Advanced.

Step 10

  • Click Accept the Risk and Continue.

Step 11

  • Log in to Cortex XSOAR. You will be prompted for the missing license.

Step 12

  • Drag and drop the license file (located at ~/Desktop/DemistoLicenseXXXXXXXXX.lic) into the Missing License window, or click to browse for it.

Step 13

  • If the license window does not appear, click the red exclamation mark on the left and click Upload license.

Step 14

  • Upload the license (located at ~/Desktop/DemistoLicenseXXXXXXXXX.lic) to Cortex XSOAR (Demisto).

Step 15

  • To check whether the Ubuntu machine has curl, try to install it using sudo apt install curl in the terminal.
  • Note: The message curl is already the newest version will appear if it is installed.

Step 16

  • Since we are using Cortex XSOAR (Demisto) on the same server, disable SSL validation by running the command below via the terminal to avoid integration issues.
  • Replace the username and password with those for Splunk, and for the hostname, enter localhost or 127.0.0.1.
sudo curl -ku admin:Aa123456 https://localhost:8089/servicesNS/nobody/TADemisto/configs/conf-demistosetup/demistoenv/ -d VALIDATE_SSL=false

Step 17

  • After the command is executed (assuming you did not receive an error message), restart the machine using the reboot command.

Step 18

  • After the machine restarts, start the Splunk service using sudo /opt/splunk/bin/splunk start

Step 19

  • Start the Demisto service using the command sudo systemctl start demisto.service

Step 20

  • Open Firefox, go to the Demisto management console at https://127.0.0.1 and sign in using your username (admin) and password (Aa123456).

Step 21

  • Click Settings at the bottom left corner.

Step 22

  • In the sub-menu, click API Keys, and then click Get Your Key.

Step 23

  • Type your name and save the key in Notepad or another text editor.

Step 24

  • Open Splunk after receiving the API key so you can integrate Demisto. To do so, go to the Splunk tab, click Settings, and then click Alert actions.

Step 25

  • In the next window, click Set up Demisto Add-on for Splunk on the same row as Create Demisto Incident.

Step 26

  • When the new page opens, enter only two items: the HTTPS URL of the Ubuntu machine (for example, https://10.0.0.3/), and the Demisto API key. Click Save to finish.

Task 4: Cortex XSOAR (Demisto) Incident

Step 1

  • Click Apps next to the Splunk logo and then click Search & Reporting.

Step 2

  • Click Alerts, select the Dir.Enum alert, click Edit, and then click Edit Alert.

Step 3

  • For Trigger Actions, click Add Actions and select Create Demisto Incident.

Step 4

  • Select the server (Ubuntu machine) in the Incident Settings window and leave the default values as-is. Click Save and then Done.

Step 5

  • Use the command service apache2 start to start Apache2.

Step 6

  • Browse to localhost/random, a nonexistent page, to generate HTTP 404 error responses and the corresponding Apache log entries. Refresh the page more than five times.

Step 7

  • Go to the Cortex XSOAR Web UI at https://127.0.0.1, click the left pane, and click Incidents.

Step 8

  • Note that there are new incidents. Click an incident’s ID to view information about it.

Step 9

  • Click Work Plan to see the playbook that was used. Playbooks are explained in the next section of this lesson.
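The lab does not show the search behind the Dir.Enum alert or the payload the Splunk add-on sends to Cortex XSOAR. The following added example (not code from the lab or from the Demisto add-on) reproduces the idea on constructed Apache log lines: count 404 responses per client, flag any client above the lab's threshold of five, and shape an incident body like the one XSOAR's POST /incident API accepts. The threshold, the incident type and the field names are assumptions.

```python
import json
import re
from collections import Counter

# Constructed Apache access-log lines standing in for the 404s the lab
# generates by refreshing http://localhost/random (not real lab output).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /random HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /random HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /random HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /random HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /random HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /random HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.81"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /missing HTTP/1.1" 404 196 "-" "curl/7.81"
"""

# Combined log format: client ip, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def count_404s(log_text):
    """Return {client_ip: number of 404 responses} found in log_text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "404":
            hits[m.group("ip")] += 1
    return dict(hits)


def dir_enum_offenders(log_text, threshold=5):
    """Clients with more than `threshold` 404s; assumed Dir.Enum alert logic."""
    return {ip: n for ip, n in count_404s(log_text).items() if n > threshold}


def build_incident(ip, count):
    """JSON body shaped for XSOAR's POST /incident (add-on payload is assumed)."""
    return json.dumps({
        "name": f"Dir.Enum: {count} HTTP 404s from {ip}",
        "type": "Unclassified",          # assumed incident type
        "severity": 2,                   # XSOAR scale: 1 low, 2 medium, 3 high, 4 critical
        "details": f"Splunk alert Dir.Enum fired: {ip} requested nonexistent pages {count} times.",
        "labels": [{"type": "src_ip", "value": ip}],
    })


if __name__ == "__main__":
    for ip, n in dir_enum_offenders(SAMPLE_LOG).items():
        print(build_incident(ip, n))
```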