- Created by Angel Tucker, last modified by Vivasvan Chebolu on Jul 01, 2024
ABOUT
Splunk is a powerful tool for searching and exploring data. It can help predict, identify, and solve problems related to business, information technology (IT), DevOps, and security in real time.
Features include:
- Indexing source data from websites, applications, servers, databases, operating systems and more
- Obtaining data feeds via both push and pull methods
- Searching data to create reports and powerful dashboard panels
- Configuring alerts to notify when searches meet configured conditions
- Creating dashboards to visualize results from completed searches and data from real-time background searches
- Generating reports from saved searches or adding reports to dashboards. Reports can be run on an ad hoc basis or scheduled to run at regular intervals. Scheduled reports can also generate alerts.
Prerequisites
- All users requesting Splunk access must first have access to Zscaler. For instructions on the process, refer to the Zscaler
Requesting a Splunk User Role (Obtaining a User Role)
The following steps provide instructions for requesting a Splunk user role:
Step 1: If you do not yet have a HARP account or an EIDM or EUA account, click here to sign up for a HARP account.
Step 2: Once your HARP account has been created, log in to HARP and request a QualityNet Splunk entitlement via a HARP User Role.
- Select Request a Role in HARP from the HARP homepage.
- On the Select a Program page, select QualityNet-Splunk.
- On the Select an Organization page, select your Contract name (for contractors) or CMS Federal Employee (for CMS Federal employees).
- On the Select Roles page, select a QualityNet Splunk user role (choose one):
  - Splunk_SO
  - Splunk_User
- Click the Submit button.
- Enter your reason for requesting the selected role in the Request Reason text field.
- Click the Submit button.
Step 3: The organization's Security Official reviews and approves/denies the user role request. You will be notified via email that your request has been submitted, and again when your role has been approved or denied.
Step 4: Connect to the QualityNet network via Zscaler using your HARP credentials. For information on accessing Zscaler, follow the Zscaler Access link and click the Get Started tab to view the steps for requesting Zscaler.
Step 5: Log in to IDM at https://idm.cms.gov/ and click the CCSQ QNET Splunk tile. Alternatively, log in to https://inf-219c4c7d8.hcqis.org:8000/ using your HARP credentials.
Requesting Application Log Ingestion or Splunk App Request
The following steps provide instructions for requesting that application logs be ingested into a Splunk index, so that the data can be searched and analyzed and used to create alerts, reports, and dashboards:
Step 1: Log in to ServiceNow at https://cmsqualitysupport.servicenowservices.com/ using your HARP credentials.
Step 2: Locate Cloud request:
- Type “catalog” in the Filter Navigator
- Select IT Services Catalog
- Select Cloud
- Select Other Cloud Services
- Select Other Cloud Services Request
- Select Contract Name, Priority, and Need by date
- For Service Request Details, provide information including the following:
  - Hostnames, hostname match pattern, or IP range for the inputs to be deployed
  - Application log directories to be ingested (the Splunk user on the hosts must have read access to the directories and log files)
  - Index name to be used or created for ingestion
  - Users or groups that require access to the index
  - If requesting a new Splunk add-on or application, the name of the add-on or application
- Once the request is completed, verify that data is being ingested and is accessible
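One way to do that verification, once the index exists and you have been granted access to it, is a search that lists every host, sourcetype and source that has written to the index in the last 24 hours together with the time of its newest event. This is an added example, not part of the original page or of the HIDS DevOps team's own documentation; `<your_index>` is a placeholder for the index name you requested.

```spl
index=<your_index> earliest=-24h
| stats count latest(_time) AS last_event BY host sourcetype source
| eval last_event=strftime(last_event, "%Y-%m-%d %H:%M:%S")
| sort - last_event
```

Compare the `host` and `source` columns against the hostnames and log directories you listed in the request: a host that is missing from the results, or whose `last_event` is stale while the application is writing logs, usually means the forwarder input was not deployed or the Splunk user lacks read access to that directory. If the search returns nothing at all, confirm first that your role actually includes the index (a user without access to an index sees no events rather than an error).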
SPLUNK DASHBOARDS
The Splunk App for AWS offers a variety of dashboards that provide insight into your AWS data, giving an overview of your AWS environment including configuration changes, usage, and security.
Splunk dashboards can be configured by the HIDS DevOps team for your application. Please use one of the following methods to request a Splunk dashboard:
- Email: ServiceCenterSOS@cms.hhs.gov
- Phone: 866-288-8914
- Message the DevOps Slack channel: #help-devsecops
- Open a Miscellaneous ServiceNow Request in the self-service portal: https://cmsqualitysupport.servicenowservices.com/sp_ess
ADDITIONAL RESOURCES
Additional information can be found at https://splunkbase.splunk.com/
Splunk - Removing Data (tutorialspoint.com)
FAQs
Splunk is the data collection backbone for security operations to create a unified, interoperable security operations capability across all data centers.
User(s) must have valid QualityNet AD accounts. Splunk is not currently integrated with HARP or any other SSO provider.
Log in to IDM at https://idm.cms.gov/ and click the CCSQ QNET Splunk tile. Alternatively, log in to https://inf-219c4c7d8.hcqis.org:8000/ using your HARP credentials.
Please contact one of the following:
- CCSQ Support Central: Provides you with multi-program support to submit a new ticket and track the status of an existing case, incident, or request. No login required. https://cmsqualitysupport.servicenowservices.com/ccsq_support_central
- Slack: #help-devsecops. Slack is monitored Monday through Friday, 8:00am - 6:00pm.
- For assistance with HARP, please contact the CCSQ Service Center at:
  - Phone: (866) 288-8914 (TRS:711)
  - Slack: #help-service-center-sos
  - Email: ServiceCenterSOS@cms.hhs.gov
  - Hours of Operation: 24/7