Splunk

13min
Prerequisite
You have to get the AIShield AI Security Monitoring App from Splunk marketplace to get started with below steps.
Features
This app contains helpful security alerts and dashboards.
SavedSearch: Savedsearch creates high or medium severity alerts in Splunk Enterprise Security based on the AI model extraction attack probability.
Dashboard: The user can see model breach attack data over time and high and medium severity alert counts over time.

Pre-requisite :
Users will have to leverage AIShield product to scan their AI model for vulnerabilities and generate Threat Informed Endpoint Defense capable of integrating with Splunk Enterprise,Splunk Cloud and Splunk Enterprise Secuirty. To complete this step, please get in touch with [email protected]﻿
Installation Instructions
Please refer installation instructions links for Splunk Cloud and Splunk Enterprise to install AIShield AI Security Monitoring App for Splunk.
﻿
AIShield AI security Monitoring app for Splunk
﻿
Once the application has been installed please follow the steps below to configure the application.
Create an Splunk HEC token for the app
Pre-requisite : Follow the instruction to create an custom index.
Select AIShield AI Security Monitoring App for Splunk from the App dropdown in the Splunk console.
Navigate to Settings > Data Input.
Add a new HTTP Event Collector token with a name of your choice.
Ensure indexer acknowledgement is not enabled.
Click Next and set the source type to __json. Note : sourcetype value will be overwrite in HEC payload as "AIShield"
Add the <your_index_name> index
Set the Default Index to <your_index_name>.
Click Review and then Submit.

Note: If you choose any other index, use the same while creating HEC token and updating the macro in the app. Follow the steps to set the macro to whatever index you have saved the data to as part of the HEC definition.
1. Navigate to Settings --> Advanced Search
2. Click on Search macro --> default_index macro
3. Update index value 'aishield_index' to whatever index you have saved. : index="<your_index_name>"
4. Click on save button
Configure and connect AIShield provided Threat Informed Endpoint Defense with Splunk
Update the splunk endpoint url and token key in the AIShield provided Threat Informed Endpoint Defense.[Please follow the above mentioned step to create the Splunk HEC token setup]
Update the url = "<https://<<host>>:8088/services/collector'>" and headers["Authorization"] = "Splunk <Token_Key>"
The data will start showing after configuring both splunk_hec and splunk endpoint url in the AIShield provided Threat Informed Endpoint Defense. You can view the logs with the following Splunk search:'default_index'
After successful integration, AIShield provided Threat Informed Endpoint Defense will send logs to Splunk Enterprise or Splunk Cloud, Navigate to Activity --> Triggered alerts to see alerts.
The splunk endpoint will respond with either a success or an error message. Follow steps in the
Defense connector
You can download the defense artifact after your job runs successfully. The defense artifact will contain the defense model in .h5 and .onnx formats, one Python file, and a readme file describing the steps to follow to use it. Assuming you have already downloaded the artifact, you can follow the steps below to configure the defense with Azure Sentinel and Splunk Connector.
AIShield provided Threat Informed Defense Model zip folder contains the following files.
	1. Defense Model Architecture image
	2. Defense Model Classification Report image
	3. Defense Model Confusion Matrix Image
	4. Defense Model (h5 format)
	5. defense_model (onxx format)
	6. Predict.py
    7. ReadMe.txt
Following steps describe the procedure to integrate and test AIShield provided Threat Informed Defense Model.
Step 1: Install Python Packages
Python
pip install numpy
pip install tqdm
pip install tensorflow
pip install cv2
pip install numpy
pip install tqdm
pip install tensorflow
pip install cv2
﻿
Step 2: Import AISDefenseModel
Python
from predict import AISDefenseModel
import tensorflow
import cv2
import numpy as np
from predict import AISDefenseModel
import tensorflow
import cv2
import numpy as np
﻿
Step 3: Load the TensorFlow model
defense_model_path variable is used to store the file path or location on the local system where a defense model  is expected to be found.
Python
defense_model = tensorflow.keras.models.load_model(defense_model_path)

defense_model = tensorflow.keras.models.load_model(defense_model_path)
﻿
Step 4: Create AISDefenseModel with Connector
Python
model = AISDefenseModel(defense_model, splunk_url, splunkauthorization)

model = AISDefenseModel(defense_model, splunk_url, splunkauthorization)
﻿
Parameters:
splunk_url: IP address or hostname of the Splunk server.
splunkauthorization: Authorization key to connect to Splunk.
Step 5: Test AISDefenseModel 
Load the necessary data and use AIShield provided attack data for testing the defense model.
Python
attack_data = load_data(attack_data_list)
model.predict(attack_data)
attack_data = load_data(attack_data_list)
model.predict(attack_data)
﻿
Once AIShield provided Threat Informed Endpoint Defense (EDR) app sending logs to Splunk you will be able to see.
Troubleshooting
No data displayed?
1) While sending logs from AIShield provided Threat Informed Endpoint Defense, please make ensure that sourcetype is set with a name of 'AIShield'.
Support
For any issues with this app, please send an email to [email protected].
Updated 17 Oct 2023
Did this page help you?
Amazon Security Lake
Sentinel