QualityNet IT Services

Page tree

ABOUT

Splunk is a powerful tool for searching and exploring data. It can help predict, identify, and solve problems related to business, information technology (IT), DevOps, and security in real time.

Features include:

  • Indexing source data from websites, applications, servers, databases, operating systems and more
  • Obtaining data feeds via both push and pull methods
  • Searching data to create reports and powerful dashboard panels
  • Configuring alerts to notify when searches meet configured conditions
  • Creating dashboards to visualize results from completed searches and data from real‑time background searches
  • Generating reports from saved searches or adding reports to dashboards. Reports can be run on an ad hoc basis or scheduled to run on regular intervals. Scheduled reports can also generate alerts.

Prerequisites

  • All users requesting Splunk access must first have access to Zscaler. For instructions on the process, refer to the Zscaler

Requesting a Splunk User Role (Obtaining a User Role)

The following steps provide instructions for requesting a Splunk user role:

Step 1:  If you do not yet have a HARP account or an EIDM or EUA account, click here to sign up for a HARP account.

Step 2:  Once your HARP account has been created, log in to HARP and request a QualityNet Splunk entitlement via a HARP User Role.

  • Select Request a Role in HARP from the HARP homepage.
  • On the Select a Program page, select QualityNet-Splunk
  • On the Select an Organization page, select your Contract name (for contractors) or CMS Federal Employee (for CMS Federal employees)
  • On the Select Roles page, select a QualityNet Splunk user role (choose one)
    • Splunk_SO
    • Splunk_User
  • Click the Submit button
  • Enter your reason for requesting the selected role in the Request Reason text field.
  • Click the Submit button


Step 3: The organization's Security Official reviews and approves/denies the user role request. You will be notified via email that your request has been submitted, and again when your role has been approved or denied.

 

Step 4: Connect to the QualityNet network via Zscaler using your HARP Credentials. To obtain information on accessing Zscaler, please follow this link Zscaler Access, and click on the Get Started Tab to view the steps for requesting Zscaler.


Step 5: Log into IDM at https://idm.cms.gov/ and click on the CCSQ QNET Splunk tile. Alternatively, login to https://inf-219c4c7d8.hcqis.org:8000/ using your HARP credentials.

Requesting Application Log Ingestion or Splunk App Request

The following steps provide instructions for requesting application logs be ingested into a Splunk index to search and analyze data as well as create alerts, reports, and dashboards:

Step 1: Login to ServiceNow at https://cmsqualitysupport.servicenowservices.com/ using your HARP credentials.

Step 2: Locate Cloud request:

  1. Type “catalog” in the Filter Navigator
  2. Select IT Services Catalog
  3. Select Cloud
  4. Select Other Cloud Services
  5. Select Other Cloud Services Request
  6. Select Contract Name, Priority, and Need by date
  7. For Service Request Details, provide information including the following:
  • Hostnames, Hostname match, or IP range for inputs to be deployed
  • Application log directories to be ingested (Splunk user on hosts must have read access to directories/logs)
  • Index name to be used or created for ingestion
  • Users or group required access to index
  • If requesting a new Splunk add-on or application, please specify the name
  • Upon completion of the request, please verify data is being ingested and accessible


SPLUNK DASHBOARDS

The Splunk App for AWS offers a variety of dashboards to that provide insight into your AWS data by providing an overview of your AWS Environment, including configuration changes, usage, and security.

Splunk dashboards can be configured by the HIDS DevOps team for your application. Please use one of the following methods to request a Splunk dashboard:

ADDITIONAL RESOURCES

Additional information can be found at https://splunkbase.splunk.com/ 

Splunk - Removing Data (tutorialspoint.com)

FAQs

General

Splunk is the data collection backbone for security operations to create a unified, interoperable security operations capability across all data centers.  

Access

User(s) must have valid qualnet AD accounts. Splunk is not currently integrated with HARP or any other SSO provider.

Log into IDM at https://idm.cms.gov/ and click on the CCSQ QNET Splunk tile. Alternatively, login to https://inf-219c4c7d8.hcqis.org:8000/ using your HARP credentials.

You must be connected to Zscaler before logging into Splunk



Need Help ?

Please contact one of the following:

  • Find us on Slack #help-devsecops. Slack is monitored Monday through Friday, 8:00am - 6:00pm.

  • For assistance with HARP, please contact the CCSQ Service Center at: 






  • No labels