Share tCell app data with Splunk

Security operations teams often use Splunk to search, monitor, and analyze data from multiple sources. Install the add-on for tCell to use tCell data in Splunk: connecting your tCell apps to Splunk centralizes your event data and alerts, so your team can view events without logging in to tCell. This integration streamlines your data for more efficient security operations.

Use case

Your SOC team uses Splunk to monitor security feeds from multiple sources, as well as tCell for RASP web security. To have a broader understanding of your organization’s security, your team wants to add a web app layer of monitoring to their preferred SIEM tool, Splunk.

You decide to install the add-on for tCell and configure the tCell app connection to send all security event data to Splunk. Now, anyone on your team can interact with the tCell web app data in Splunk without needing to log in to tCell.

Prerequisites

  • A working tCell account
  • A tCell application with a tCell agent installed and reporting to the tCell Cloud. See agent installation guides for more information.
  • Splunk Enterprise installed (on-prem or cloud-hosted environment)

Install

You can install the Splunk add-on from Splunkbase, Splunk Enterprise, or locally.

Option 1: Install from Splunkbase

  1. Download Add-on for tCell from Splunkbase.
  2. Log in to Splunk Enterprise.
  3. On the Apps menu, click the Settings icon.
  4. Select Install app from file.
  5. In the Upload App window, click Choose File.
  6. Select the downloaded add-on-for-tcell_xxx.tgz file, and then click Open or Choose.
  7. Click Upload.
  8. Click Restart Now and then confirm that you want to restart.

Option 2: Install from Splunk Enterprise

  1. In Splunk Enterprise, select Splunk Apps.
  2. Select Browse More Apps.
  3. Search for tCell and find Add-on for tCell.
  4. Select Install.

Option 3: Install locally

  1. Copy the downloaded add-on-for-tcell_xxx.tgz file into the $SPLUNK_HOME/etc/apps directory.
  2. Extract the archive, using a tool such as tar -xvf (on *nix) or WinZip (on Windows).
  3. Restart Splunk.
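As an added example (not from the tCell or Splunk documentation), a POSIX shell helper for the local install above: it lists the archive members and refuses to extract if any member path is absolute or contains "..", then extracts into $SPLUNK_HOME/etc/apps and reports the app directory created. SPLUNK_HOME and the archive path are assumed inputs; the archive name add-on-for-tcell_xxx.tgz is the placeholder used on this page.

```shell
#!/bin/sh
# Added example: install a downloaded add-on archive into $SPLUNK_HOME/etc/apps
# only after checking that no member escapes the apps directory.
# Assumes SPLUNK_HOME is set and the archive is a gzip-compressed tarball.

# Return 0 if the archive is readable and every member path is a safe
# relative path (no leading "/", no ".." component).
check_archive_paths() {
    archive="$1"
    tar -tzf "$archive" >/dev/null 2>&1 || return 1
    tar -tzf "$archive" | while IFS= read -r member; do
        case "$member" in
            /*|..|../*|*/..|*/../*)
                echo "unsafe member path: $member" >&2
                exit 1 ;;
        esac
    done
}

# Extract the archive into etc/apps and print the top-level app directory
# name(s) it created, so the caller can confirm them before restarting Splunk.
install_addon() {
    archive="$1"
    apps_dir="${SPLUNK_HOME:?SPLUNK_HOME must be set}/etc/apps"
    [ -d "$apps_dir" ] || return 1
    check_archive_paths "$archive" || return 1
    tar -xzf "$archive" -C "$apps_dir" || return 1
    tar -tzf "$archive" | sed 's#/.*##' | sort -u
}
```

Run install_addon on the downloaded archive and then restart Splunk as in step 3.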

Connecting apps to the tCell Cloud

When you connect your apps to the tCell Cloud, you can choose which security event types are sent to Splunk.

The following information is required for the Add Collect inputs from tCell form.

Name
  Unique name for the data input from the app.

Interval
  Frequency (in seconds) at which Splunk collects data from tCell.

Index
  The Splunk index (repository) that receives the tCell data.

tCell Company Name
  Your company's name.

tCell API key
  Your Platform API Key. If necessary, generate a Read-Only API key:
  1. Log in to your tCell account.
  2. In Account Settings > API Keys, click Create Read-Only API Key.
  3. Copy the API key to use in this form.

tCell app ID
  The unique ID for the tCell app. You can find the app ID in two ways:
  • In the tCell UI, under tCell Admin -> Applications.
  • In the tCell API, by running the ListApp API.

Security event types
  The security event types to send to Splunk. You can select any of the following:
  • App Firewall events
  • User logins
  • CSP Violations
  • Package Vulnerabilities
  • Packages
  • Inline scripts
  • OS Commands
  • Local Files

Connect an app to the tCell Cloud

  1. In tCell, in the Apps menu, select tcell_splunk_app.
  2. In the Inputs menu, select Create New Input.
  3. Complete the Add Collect inputs from tCell form.
  4. Click Add.