Query Splunk with Azure Automation

Intro-

Using Azure Automation, a Logic App, and an O365 mailbox, you can create a workflow that notifies your admin when a new user is enrolled in MDM, driven by a Splunk index. In this example I created a notification that alerts the admin when Mobile Iron logs “actionType=INSTALL_MDM_PROFILE”. This Splunk query pulls the one action I am trying to alert on, but it can be swapped for any Splunk search.

Playbook-

  • Splunk Cloud and Mobile Iron App integration is already set up
  • Azure Automation Account is set up and a Hybrid worker is registered
  • Hybrid worker IP subnet has permission/firewall rules to query Splunk Cloud
  • Splunk API Account has permission to query the Mobile Iron index
  • Logic App schedules the workflow

How To-

Create an Azure Automation Runbook (I prefer Graphical, but a regular PowerShell Runbook works fine; you will then have to pass the Runbook parameters to the Logic App as a JSON string)

Screenshot_1

Create “UserUPN” for Input Parameter

Screenshot_2

Create Runbook Control “Code”

Screenshot_3

Insert your PowerShell cURL Splunk Query

Screenshot_4

PowerShell Code-

# Conversion of http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#search.2Fjobs.2Fexport
# example using curl, to PowerShell with the Invoke-RestMethod cmdlet
#
# $ curl -k -u admin:changeme https://localhost:8089/services/search/jobs/export
#        --data-urlencode search="search index=_internal | stats count by sourcetype"
#        -d output_mode=json -d earliest="rt-5m" -d latest="rt"

$username = "INSERT YOUR SPLUNK API ACCOUNT"
$infosecpassword = "INSERT YOUR SPLUNK API ACCOUNT PASSWORD"
$password = ConvertTo-SecureString "$infosecpassword" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)

# Force TLS 1.2; required if your hybrid worker is running as IaaS in Azure
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$server = 'INSERT YOUR CLOUD SPLUNK SERVER i.e. scjoe.splunkcloud.com'
$url = "https://${server}:443/services/search/jobs/export" # braces needed b/c the colon is otherwise a scope operator
$search = "search INSERT YOUR SPLUNK QUERY" # Cmdlet handles urlencoding
$body = @{
    search = $search
    exec_mode = "oneshot"
    output_mode = "csv"
    earliest_time = "-20d@d"   # 20 days ago, snapped to midnight
    latest_time = "-1s@s"      # one second ago
}
Invoke-RestMethod -Method Post -Uri $url -Credential $Cred -Body $body # returns the CSV rows as text

*Make sure to force TLS 1.2 (the [Net.ServicePointManager]::SecurityProtocol line, line 14 above) if you are using a Server 2016/19/Semi-Annual Azure IaaS VM, or this will not work.

*Use Azure Automation encrypted variables instead of passing the password in plain text.
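As an added example (not the post's own Runbook), here is how the same query looks as a regular PowerShell Runbook that takes the “UserUPN” input parameter from the graphical design and reads its secrets from Automation assets instead of the script body. The credential asset name 'SplunkApiCred', the variable asset 'SplunkServer', the index name 'mobileiron' and the field names 'user' and 'deviceModel' are all placeholders that you would replace with your own; it also turns Splunk's CSV reply into objects so the Logic App's “Get Output from Job” step receives structured data.

```powershell
# Added example, not the original post's code.
# Assumptions (replace with your own): an Automation credential asset 'SplunkApiCred',
# a variable asset 'SplunkServer', and a Splunk index named 'mobileiron' whose events
# carry 'user' and 'deviceModel' fields.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserUPN
)

# Pull the Splunk API credential from the encrypted Automation asset store
# rather than hard-coding a username and password in the Runbook.
$Cred   = Get-AutomationPSCredential -Name 'SplunkApiCred'
$server = Get-AutomationVariable -Name 'SplunkServer'   # e.g. scjoe.splunkcloud.com

# Force TLS 1.2 (needed on Server 2016/2019 hybrid workers in Azure IaaS).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Escape backslashes and double quotes so the UPN cannot break out of the
# quoted SPL string when it is spliced into the search.
$safeUpn = $UserUPN -replace '\\', '\\' -replace '"', '\"'

# Scope the search to one index, one action type and one user. Index and field
# names are placeholders for whatever the MobileIron app in Splunk actually uses.
$search = 'search index=mobileiron actionType=INSTALL_MDM_PROFILE user="' + $safeUpn +
          '" | table _time, user, deviceModel'

$body = @{
    search        = $search
    output_mode   = 'csv'
    earliest_time = '-14d@d'   # biweekly schedule, so look back two weeks
    latest_time   = 'now'
}

$url = "https://${server}:443/services/search/jobs/export"
try {
    $raw = Invoke-RestMethod -Method Post -Uri $url -Credential $Cred -Body $body -ErrorAction Stop
}
catch {
    # Surface the failure so the Automation job is marked failed and the Logic App can see it.
    throw "Splunk query failed: $($_.Exception.Message)"
}

# /services/search/jobs/export returns CSV text (empty when nothing matched);
# convert it to objects so the job output is structured rather than a blob of text.
$events = @()
if ($raw) { $events = @($raw | ConvertFrom-Csv) }

$latest = $null
if ($events.Count -gt 0) { $latest = $events[0]._time }   # export returns newest first

# This object is what "Get Output from Job" hands to the Logic App.
[PSCustomObject]@{
    UserUPN     = $UserUPN
    Enrollments = $events.Count
    LatestEvent = $latest
}
```

Get-AutomationPSCredential and Get-AutomationVariable are only available when the Runbook runs inside Azure Automation (or on a hybrid worker), so test it from the Automation test pane rather than a local shell. Keeping the time window aligned with the Logic App recurrence avoids alerting twice on the same enrollment.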


Logic App-

[Logic App steps screenshot]

  1. “Recurrence” is the biweekly scheduler
  2. “Automation Job Get AD Group Members” starts the automation Runbook that pulls the AD group members using Get-ADGroupMember, with the AD module installed on the hybrid worker
  3. “Get Output from job Get AD Group Members” needs to be included to retrieve the output from “Automation Job Get AD Group Members”
  4. “Automation Job Query Splunk MDM Enrollment” starts the automation Runbook we created above that queries Splunk
  5. “Get Output from Job get Query Splunk MDM Enrollment” retrieves the output from “Automation Job Query Splunk MDM Enrollment”
  6. “Send an email to Admin” uses the O365 mailbox to send the email to the admin


*If you are using a regular PowerShell Runbook instead of Graphical, you will have to define the Runbook parameters as a key/value pair {…}; below is my example

Screenshot_5

That's it: you can now notify on any Splunk query/event on any index using this process. You can certainly do this with Azure Monitor / Log Analytics, but in this scenario I needed Mobile Iron logs, which are native in Splunk. I was debating shipping the Mobile Iron data to a Log Analytics SysVol workspace, but this would be redundantly capturing data that is already in Splunk.

LLP