Platform guide
...
Threat Informed Defense
Configuration of Connector

Splunk

13min

Prerequisite

Features

This app contains helpful security alerts and dashboards.

SavedSearch: Savedsearch creates high or medium severity alerts in Splunk Enterprise Security based on the AI model extraction attack probability. Dashboard: The user can see model breach attack data over time and high and medium severity alert counts over time.

Pre-requisite : Users will have to leverage AIShield product to scan their AI model for vulnerabilities and generate Threat Informed Endpoint Defense capable of integrating with Splunk Enterprise,Splunk Cloud and Splunk Enterprise Secuirty. To complete this step, please get in touch with [email protected]

Installation Instructions

Please refer installation instructions links for Splunk Cloud and Splunk Enterprise to install AIShield AI Security Monitoring App for Splunk.



AIShield AI security Monitoring app for Splunk
AIShield AI security Monitoring app for Splunk


Once the application has been installed please follow the steps below to configure the application.

Create an Splunk HEC token for the app Pre-requisite : Follow the instruction to create an custom index.

  1. Select AIShield AI Security Monitoring App for Splunk from the App dropdown in the Splunk console.
  2. Navigate to Settings > Data Input.
  3. Add a new HTTP Event Collector token with a name of your choice.
  4. Ensure indexer acknowledgement is not enabled.
  5. Click Next and set the source type to __json. Note : sourcetype value will be overwrite in HEC payload as "AIShield"
  6. Add the <your_index_name> index
  7. Set the Default Index to <your_index_name>.
  8. Click Review and then Submit.

Note: If you choose any other index, use the same while creating HEC token and updating the macro in the app. Follow the steps to set the macro to whatever index you have saved the data to as part of the HEC definition.

1. Navigate to Settings --> Advanced Search

2. Click on Search macro --> default_index macro

3. Update index value 'aishield_index' to whatever index you have saved. : index="<your_index_name>"

4. Click on save button

Configure and connect AIShield provided Threat Informed Endpoint Defense with Splunk

  1. Update the splunk endpoint url and token key in the AIShield provided Threat Informed Endpoint Defense.[Please follow the above mentioned step to create the Splunk HEC token setup]
  2. Update the url = "<https://<<host>>:8088/services/collector'>" and headers["Authorization"] = "Splunk <Token_Key>"
  3. The data will start showing after configuring both splunk_hec and splunk endpoint url in the AIShield provided Threat Informed Endpoint Defense. You can view the logs with the following Splunk search:'default_index'

After successful integration, AIShield provided Threat Informed Endpoint Defense will send logs to Splunk Enterprise or Splunk Cloud, Navigate to Activity --> Triggered alerts to see alerts.

  • The splunk endpoint will respond with either a success or an error message. Follow steps in the

Defense connector

You can download the defense artifact after your job runs successfully. The defense artifact will contain the defense model in .h5 and .onnx formats, one Python file, and a readme file describing the steps to follow to use it. Assuming you have already downloaded the artifact, you can follow the steps below to configure the defense with Azure Sentinel and Splunk Connector.

AIShield provided Threat Informed Defense Model zip folder contains the following files.

1. Defense Model Architecture image 2. Defense Model Classification Report image 3. Defense Model Confusion Matrix Image 4. Defense Model (h5 format) 5. defense_model (onxx format) 6. Predict.py 7. ReadMe.txt

Following steps describe the procedure to integrate and test AIShield provided Threat Informed Defense Model.

Step 1: Install Python Packages

Python


Step 2: Import AISDefenseModel

Python


Step 3: Load the TensorFlow model

defense_model_path variable is used to store the file path or location on the local system where a defense model is expected to be found.

Python


Step 4: Create AISDefenseModel with Connector

Python


Parameters:

  • splunk_url: IP address or hostname of the Splunk server.
  • splunkauthorization: Authorization key to connect to Splunk.

Step 5: Test AISDefenseModel

Load the necessary data and use AIShield provided attack data for testing the defense model.

Python


Once AIShield provided Threat Informed Endpoint Defense (EDR) app sending logs to Splunk you will be able to see.

Troubleshooting

No data displayed? 1) While sending logs from AIShield provided Threat Informed Endpoint Defense, please make ensure that sourcetype is set with a name of 'AIShield'.

Support

For any issues with this app, please send an email to [email protected].