# Threat Informed Defense: Configuration of Connector (Splunk)
## Prerequisite

You have to get the AIShield AI Security Monitoring App from the Splunk marketplace to get started with the steps below.

## Features

This app contains helpful security alerts and dashboards:

- Savedsearch: the saved search creates High or Medium severity alerts in Splunk Enterprise Security based on the AI model extraction attack probability.
- Dashboard: the user can see model breach attack data over time, and High and Medium severity alert counts over time.

## Prerequisite

Users will have to leverage the AIShield product to scan their AI model for vulnerabilities and generate a threat informed endpoint defense capable of integrating with Splunk Enterprise, Splunk Cloud and Splunk Enterprise Security. To complete this step, please get in touch with AIShield at AIShield.Contact@bosch.com.

## Installation instructions

Please refer to the installation instruction links for Splunk Cloud and Splunk Enterprise to install the AIShield AI Security Monitoring App for Splunk.

Once the application has been installed, please follow the steps below to configure it.

## Create a Splunk HEC token for the app

Prerequisite: follow the instructions to create a custom index.

1. Select "AIShield AI Security Monitoring App for Splunk" from the app dropdown in the Splunk console.
2. Navigate to Settings > Data inputs.
3. Add a new HTTP Event Collector token with a name of your choice. Ensure indexer acknowledgement is not enabled.
4. Click Next and set the source type to JSON. Note: the sourcetype value will be overwritten in the HEC payload as "aishield".
5. Add the `<your index name>` index and set the default index to `<your index name>`.
6. Click Review and then Submit.

Note: if you choose any other index, use the same index while creating the HEC token and when updating the macro in the app.

## Set the macro

Follow these steps to set the macro to whatever index you have saved the data to as part of the HEC definition:

1. Navigate to Settings > Advanced search.
2. Click on Search macros > `default_index` macro.
3. Update the index value `'aishield_index'` to whatever index you have saved the data to: `index="<your index name>"`.
4. Click on the Save button.

## Configure and connect the AIShield-provided threat informed endpoint defense with Splunk

Update the Splunk endpoint URL and token key in the AIShield-provided threat informed endpoint defense (please follow the step above to create the Splunk HEC token first):

- Update `url = "https://<host>:8088/services/collector"`
- Update `headers["Authorization"] = "Splunk <token key>"`

The data will start showing after both the Splunk HEC and the Splunk endpoint URL have been configured in the AIShield-provided threat informed endpoint defense. You can view the logs with the following Splunk search: `` `default_index` ``.

After successful integration, the AIShield-provided threat informed endpoint defense will send logs to Splunk Enterprise or Splunk Cloud. Navigate to Activity > Triggered Alerts to see alerts. The Splunk endpoint will respond with either a success or an error message.

## Follow the steps in the Defense Connector

You can download the defense artifact after your job runs successfully. The defense artifact contains the defense model in h5 and ONNX formats, one Python file, and a README file describing the steps to follow to use it.

Assuming you have already downloaded the artifact, you can follow the steps below to configure the defense with the Azure Sentinel and Splunk connector.

The AIShield-provided threat informed defense model zip folder contains the following files:

1. Defense model architecture image
2. Defense model classification report image
3. Defense model confusion matrix image
4. Defense model (h5 format)
5. Defense model (ONNX format)
6. predict.py
7. readme.txt

The following steps describe the procedure to integrate and test the AIShield-provided threat informed defense model.

Step 1: Install the Python packages.

```bash
pip install numpy
pip install tqdm
pip install tensorflow
# The cv2 module is distributed as the opencv-python package; "pip install cv2" does not resolve.
pip install opencv-python
```

Step 2: Import AISDefenseModel.

```python
from predict import AISDefenseModel  # predict.py ships in the defense artifact
import tensorflow
import cv2
import numpy as np
```

Step 3: Load the TensorFlow model. The `defense_model_path` variable stores the file path or location on the local system where the defense model is expected to be found.

```python
defense_model_path = "<path to the defense model .h5 file>"  # placeholder, set to your local path
defense_model = tensorflow.keras.models.load_model(defense_model_path)
```

Step 4: Create the AISDefenseModel with the connector.

```python
model = AISDefenseModel(defense_model, splunk_url, splunkAuthorization)
```

Parameters:

- `splunk_url`: IP address or hostname of the Splunk server
- `splunkAuthorization`: authorization key to connect to Splunk

Step 5: Test the AISDefenseModel. Load the necessary data and use the AIShield-provided attack data for testing the defense model.

```python
attack_data = load_data(attack_data_list)  # AIShield-provided attack data
model.predict(attack_data)
```

Once the AIShield-provided threat informed endpoint defense (EDR) app is sending logs to Splunk, you will be able to see

## Troubleshooting

No data displayed?

1. While sending logs from the AIShield-provided threat informed endpoint defense, please ensure that the sourcetype is set with a name of 'aishield'.

## Support

For any issues with this app, please send an email to AIShield.Contact@bosch.com.
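The HEC exchange behind the connector configuration and the troubleshooting note above, as an added example that is not AIShield's predict.py or connector code: it shapes an event for the `/services/collector` endpoint with the `Splunk <token>` header and the mandatory `aishield` sourcetype, and interprets the collector's success or error reply. The function names, the sample prediction and the placeholder host and token are assumptions.

```python
"""Added example (not AIShield's connector): build a HEC event for the
Splunk endpoint configured on this page and interpret the collector reply."""
import json
from urllib import request
from urllib.error import HTTPError

# Connector settings from the page; host and token are placeholders.
SPLUNK_URL = "https://<host>:8088/services/collector"
HEC_TOKEN = "<token key>"

# Constructed sample prediction (not real AIShield output) for offline use.
SAMPLE_PREDICTION = {"attack_probability": 0.91, "severity": "High"}


def hec_headers(token):
    """HEC expects the token in the Authorization header as 'Splunk <token>'."""
    return {"Authorization": f"Splunk {token}",
            "Content-Type": "application/json"}


def build_hec_event(index, prediction):
    """Wrap a defense-model prediction in a HEC envelope.

    The troubleshooting note says no data appears unless the payload sets
    sourcetype 'aishield'; the index must match the HEC token and the macro.
    """
    return {"index": index, "sourcetype": "aishield", "event": prediction}


def parse_hec_response(status, body):
    """Map the collector's JSON reply to (ok, message).

    HEC answers {"text": ..., "code": N}; code 0 is Success, any other code
    (for example 4 Invalid token, 7 Incorrect index) is an error.
    """
    reply = json.loads(body)
    ok = status == 200 and reply.get("code") == 0
    return ok, reply.get("text", "no message")


def send_event(event, url=SPLUNK_URL, token=HEC_TOKEN):
    """POST one event to HEC and return (ok, message). Network call: run it
    only after pointing SPLUNK_URL and HEC_TOKEN at a real collector."""
    req = request.Request(url, data=json.dumps(event).encode(),
                          headers=hec_headers(token), method="POST")
    try:
        with request.urlopen(req, timeout=10) as resp:
            return parse_hec_response(resp.status, resp.read())
    except HTTPError as err:  # HEC returns 4xx with a JSON error body
        return parse_hec_response(err.code, err.read())
```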