Share tCell app data with Splunk
Security operations teams often use Splunk to search, monitor, and analyze data from multiple sources. By installing the add-on for tCell, you can bring tCell data into Splunk: connect your tCell apps to Splunk to centralize event data and alerts, so that nobody has to log in to tCell to view events. This integration consolidates your data for more efficient security operations.
Use case
Your SOC team uses Splunk to monitor security feeds from multiple sources, as well as tCell for RASP web security. To have a broader understanding of your organization’s security, your team wants to add a web app layer of monitoring to their preferred SIEM tool, Splunk.
You decide to install the add-on for tCell and configure the tCell app connection to send all security event data to Splunk. Now, anyone on your team can interact with the tCell web app data in Splunk without needing to log in to tCell.
Prerequisites
- A working tCell account
- A tCell application with a tCell agent installed and reporting to the tCell Cloud. See agent installation guides for more information.
- Splunk Enterprise installed (on-prem or cloud-hosted environment)
Install
You can install the Splunk add-on from Splunkbase, Splunk Enterprise, or locally.
Option 1: Install from Splunkbase
- Download Add-on for tCell from Splunkbase.
- Log in to Splunk Enterprise.
- On the Apps menu, click the Settings icon.
- Select Install app from file.
- In the Upload App window, click Choose File.
- Select the downloaded add-on-for-tcell_xxx.tgz file, and then click Open or Choose.
- Click Upload.
- Click Restart Now and then confirm that you want to restart.
Option 2: Install from Splunk Enterprise
- In Splunk Enterprise, select Splunk Apps.
- Select Browse More Apps.
- Search for tCell and find Add-on for tCell.
- Select Install.
Option 3: Install locally
- Add the downloaded add-on-for-tcell_xxx.tgz file to the $SPLUNK_HOME/etc/apps directory.
- Untar and unzip your app or add-on, using a tool such as tar -xvf (on *nix) or WinZip (on Windows).
- Restart Splunk.
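The "Install locally" steps above, carried out on a *nix host, as an added shell example that is not part of the tCell or Splunk documentation. It assumes SPLUNK_HOME points at the Splunk installation (defaulting to /opt/splunk if unset) and that the archive unpacks into a single top-level app folder, as Splunkbase packages normally do. Before extracting, it rejects archives containing absolute or parent-directory paths, a check worth making on any archive you drop into $SPLUNK_HOME/etc/apps, since whatever lands there is loaded by Splunk on the next restart.

```shell
#!/bin/sh
# Added example (not from the tCell or Splunk documentation): installs a
# Splunk add-on archive locally and restarts Splunk.
# Assumptions: SPLUNK_HOME is the Splunk install directory (default
# /opt/splunk), and the archive unpacks into one top-level app folder.

# Extract a Splunk add-on archive into an apps directory.
#   $1 = path to add-on-for-tcell_xxx.tgz
#   $2 = apps directory, normally $SPLUNK_HOME/etc/apps
# Prints the name of the installed app folder on success, returns 1 on failure.
install_splunk_addon() {
    archive="$1"
    apps_dir="$2"

    # Only accept a readable gzip-compressed tar archive.
    case "$archive" in
        *.tgz|*.tar.gz) ;;
        *) echo "not a .tgz archive: $archive" >&2; return 1 ;;
    esac
    [ -r "$archive" ] || { echo "cannot read $archive" >&2; return 1; }
    [ -d "$apps_dir" ] || { echo "apps directory missing: $apps_dir" >&2; return 1; }

    # List the archive first: refuse entries with absolute paths or '..'
    # components, which would write outside the apps directory.
    entries=$(tar -tzf "$archive") || return 1
    if printf '%s\n' "$entries" | grep -E -q -e '^/' -e '^\.\.(/|$)' -e '/\.\.(/|$)'; then
        echo "archive contains unsafe paths" >&2; return 1
    fi

    # Splunk expects exactly one app folder at the top level of the archive.
    top=$(printf '%s\n' "$entries" | sed 's#/.*##' | sort -u)
    if [ "$(printf '%s\n' "$top" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "archive must contain a single top-level app folder" >&2; return 1
    fi

    tar -xzf "$archive" -C "$apps_dir"
    [ -d "$apps_dir/$top" ] || { echo "extraction did not create $top" >&2; return 1; }
    echo "$top"
}

# Step "Restart Splunk": uses the splunk CLI shipped with the installation.
restart_splunk() {
    "${SPLUNK_HOME:-/opt/splunk}/bin/splunk" restart
}

# Usage: sh install_tcell_addon.sh /path/to/add-on-for-tcell_xxx.tgz
if [ $# -ge 1 ]; then
    name=$(install_splunk_addon "$1" "${SPLUNK_HOME:-/opt/splunk}/etc/apps") \
        && echo "installed $name into ${SPLUNK_HOME:-/opt/splunk}/etc/apps" \
        && restart_splunk
fi
```

The archive name add-on-for-tcell_xxx.tgz stands for whichever version you downloaded from Splunkbase; the script never guesses the folder name, it reads it from the archive listing, so it works for any version as long as the package keeps the single-folder layout.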
Connecting apps to the tCell Cloud
When you connect your apps to the tCell Cloud, you can choose which security event types are sent to Splunk.
The following information is required for the Add Collect inputs from tCell form.
| Field | Description |
|---|---|
| Name | Unique name for the data input from the app |
| Interval | Frequency (in seconds) at which Splunk collects data from tCell |
| Index | The Splunk index in which the collected data is stored |
| tCell Company Name | Your company's name |
| tCell API key | Your Platform API key. A Read-Only API key is sufficient for this integration; if you need to generate one: 1. Log in to your tCell account. 2. In Account Settings > API Keys, click Create Read-Only API Key. 3. Copy the API key into this form. |
| tCell app ID | The unique ID of the tCell app. You can find it in two ways: in the tCell UI, under tCell Admin -> Applications, or through the tCell API, by calling the ListApp API. |
| Security event types | Any of the following security event types can be sent to Splunk: App Firewall events, user logins, CSP Violations, Package Vulnerabilities, Packages, Inline scripts, OS Commands, Local Files |
Connect an app to the tCell Cloud
- In tCell, in the Apps menu, select tcell_splunk_app.
- In the Inputs menu, select Create New Input.
- Complete the Add Collect inputs from tCell form.
- Click Add.