Installing the Add-On Component
Roles Required: Admin, Splunk_System_Role, ess_admin.
You can install and configure the Add-On and App in any order. Note that you will receive errors while configuring either one until configuration of both the Add-On and the App has been completed.
The installation location for the ThreatQuotient Add-On component depends on the type of environment you are using. See the Deployment Methods chapter for further details.
- Log into your Splunk instance.
- Click on the Down arrow on the Apps menu located in the main navigation bar.
- Select the Find More Apps option.
- Search for “ThreatQuotient” in the search bar.
- Select the ThreatQuotient Add-on for Splunk option and follow the instructions to install the app.
Configuring the Add-On Component
Roles Required: Admin, Splunk_System_Role, ess_admin.
The following instructions detail the configuration tabs that must be completed in order to finish configuring the Add-On.
Account Tab
- Click on the Info dropdown and select Edit App Configuration.
- Click on the Account tab.
- Enter the following parameters:
| Parameter | Description |
|---|---|
| Server URL | Enter your ThreatQ server URL without the scheme. |
| Username | Enter your ThreatQ username. |
| Password | Enter your ThreatQ password. |
| Client ID | Enter your ThreatQ user Client ID. |

- Click on Save.
Authentication via Self-Signed Certificates in ThreatQ
It is common for many ThreatQ users to leverage self-signed certificates. If this is the case, you must perform the following additional configuration steps in the Splunk Add-On App:
- Navigate to and open the following file:
    ${SPLUNK_HOME}/etc/apps/TA-threatquotient-add-on/default/ta_threatquotient_add_on_settings.conf
- Make the following change to the Splunk Search for Listing TQ Indicators section:
    [additional_parameters]
    verify_cert = False
Disable Verify SSL Certification for the Add-On
One important change made with the release of the 2.6.0 versions of the App and Add-On was the removal of the Verify SSL Certification configuration fields from the UI. This change was made to meet Splunk Cloud Validation requirements. The steps below detail how to manually disable Verify SSL Certification, if needed.
- Open the following file:
    $SPLUNK_HOME/etc/apps/TA-threatquotient-add-on/bin/threatq_const.py
- Update the VERIFY_SSL line to False.
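To confirm which of the two switches described in the sections above is actually off on a given host, the following added example (not part of the ThreatQuotient documentation or the Add-On's own code) reads both files and reports where certificate verification is disabled. The function names, the constructed sample tree and the set of values treated as "false" are assumptions; the check of local/ after default/ follows Splunk's standard configuration layering.

```python
import ast
import tempfile
from pathlib import Path

CONF = "ta_threatquotient_add_on_settings.conf"
FALSY = {"false", "0", "no", "off"}  # assumption: spellings treated as "disabled"

def stanza_value(path, stanza, key):
    """Last value of `key` inside `[stanza]` in a Splunk-style .conf file."""
    current, value = None, None
    for line in path.read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza and "=" in line and not line.startswith("#"):
            name, _, val = line.partition("=")
            if name.strip() == key:
                value = val.strip()
    return value

def audit(app_dir):
    """List every place under app_dir where TLS verification is switched off."""
    app_dir, findings, effective = Path(app_dir), [], None
    for layer in ("default", "local"):  # Splunk applies local/ over default/
        conf = app_dir / layer / CONF
        if conf.is_file() and (v := stanza_value(conf, "additional_parameters", "verify_cert")) is not None:
            effective = (layer, v)
    if effective and effective[1].lower() in FALSY:
        findings.append(f"{effective[0]}/{CONF}: verify_cert = {effective[1]}")
    const = app_dir / "bin" / "threatq_const.py"
    if const.is_file():  # parse instead of importing, so no add-on code runs
        for node in ast.walk(ast.parse(const.read_text(encoding="utf-8"))):
            named = isinstance(node, ast.Assign) and any(getattr(t, "id", "") == "VERIFY_SSL" for t in node.targets)
            if named and isinstance(node.value, ast.Constant) and node.value.value is False:
                findings.append("bin/threatq_const.py: VERIFY_SSL = False")
    return findings

def make_sample_app(root, verify_cert, verify_ssl):
    """Constructed sample tree (not real add-on files) for trying the audit."""
    app = Path(root) / "TA-threatquotient-add-on"
    for sub in ("default", "bin"):
        (app / sub).mkdir(parents=True, exist_ok=True)
    (app / "default" / CONF).write_text(f"[additional_parameters]\nverify_cert = {verify_cert}\n")
    (app / "bin" / "threatq_const.py").write_text(f"VERIFY_SSL = {verify_ssl}\n")
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(make_sample_app(tmp, "False", False)))
```

On a real host, call audit() with the path to $SPLUNK_HOME/etc/apps/TA-threatquotient-add-on; an empty list means neither file disables verification.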
Splunk KVStore Rest
The App Key Value Store, commonly referred to as the Splunk KVStore, is a Splunk Enterprise feature that allows you to save/retrieve data within Splunk apps. The Splunk KVStore is required if the Add-On is not installed on the Search Head.
You can read more about the KVStore Splunk feature in Splunk’s Developer documentation: https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/.
The Splunk KVStore Rest configuration should be updated for distributed setups to ensure data is saved into the KVStore.
- Click on the Splunk KV Store Rest tab and complete the following fields:
| Field | Description |
|---|---|
| Splunk Username | Your username for your Splunk instance. |
| Splunk Password | The password for your Splunk user account. |
| Splunk Rest Host URL | The Splunk rest host or localhost (without scheme) to collect data. This is the Splunk Management Host, commonly the Search Head or Cluster member. |
| Port | The Management port for Splunk. |

- Click on Save.
Proxy
- Click on the Proxy tab to set proxy settings if required.
- Complete the following parameter fields:

| Parameter | Description |
|---|---|
| Enable | Use the checkbox to enable or disable the proxy. |
| Proxy Type | Select the type of proxy. Options include: http, socks4, socks5. |
| Host | Enter the proxy server URL. |
| Port | Enter the proxy server port. |
| Username | Enter the proxy server username. |
| Password | Enter the password associated with the username above. |
| Remote DNS Resolution | Use this check box to enable remote DNS resolution. |

- Click on Save.
Import Timeout
- Click on the Import Timeout tab.
- Use the Timeout field to set the server read timeout value (in seconds).

The default value is 900 seconds. The minimum value allowed is 300 seconds.
- Click on Save after you make your updates.
Logging
- Click on the Logging tab.
- Select your Log level. Options include:
- Debug
- Info
- Warning
- Error
- Critical

- Click on Save.