1/7/2024

Splunk api search example

Query Splunk with Azure Automation

Intro.

Using Azure Automation, a Logic App, and an O365 mailbox you can create a workflow that notifies your admin when a new user is enrolled in MDM, driven by a Splunk index. In this example I created a notification that notifies the Admin when the Mobile Iron “actionType=INSTALL_MDM_PROFILE” event occurs. This Splunk query pulls the action unique to what I am trying to alert on, but it can be modified to any Splunk search.

Prerequisites:

- Splunk Cloud and Mobile Iron App integration is already set up.
- Azure Automation Account is set up and the Hybrid worker is registered.
- Hybrid worker IP subnet has permission/firewall rules to query Splunk Cloud.
- Splunk API account has permission to query the Mobile Iron index.

Create an Azure Automation Runbook (I prefer Graphical, but a regular PowerShell Runbook works fine; you will have to pass JSON as a string for the parameters in the Logic App).

```powershell
# Example using curl, translated to PowerShell with the Invoke-RestMethod cmdlet
# $ curl -k -u admin:changeme \
#     --data-urlencode search="search index=_internal | stats count by sourcetype" \
#     -d output_mode=json -d earliest="rt-5m" -d latest="rt"

$username        = "INSERT YOUR SPLUNK API ACCOUNT"
$infosecpassword = "INSERT YOUR SPLUNK API ACCOUNT PASSWORD"   # see the note below: prefer an encrypted Automation variable
$password = ConvertTo-SecureString "$infosecpassword" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)

# Use TLS 1.2. Required if your server is running as IaaS in Azure
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$server = 'INSERT YOUR CLOUD SPLUNK SERVER'   # i.e. the https:// hostname of your Splunk Cloud stack
# braces needed b/c the colon is otherwise a scope operator
# (the search/jobs/export path is the REST endpoint the curl example posts to; assumed here, as the original line was truncated)
$url = "${server}:8089/services/search/jobs/export"

$search = "search INSERT YOUR SPLUNK QUERY"
# Cmdlet handles urlencoding
$body = @{
    search        = $search
    output_mode   = 'json'
    earliest_time = '-5m'   # time window values assumed; match them to the runbook schedule
    latest_time   = 'now'
}

$results = Invoke-RestMethod -Method Post -Uri $url -Credential $Cred -Body $body
Write-Output $results   # the Logic App reads this via "Get Output from Job"
```

*Make sure to force TLS 1.2 (the [Net.ServicePointManager] line above) if you are using a Server 2016/19/Semi-Annual Azure IaaS VM or this will not work.

*Use Azure Automation encrypted variables instead of passing the password in plain text.

The Logic App workflow:

- “Automation Job Get AD Group Members” starts the automation Runbook that pulls the AD group members using Get-ADGroupMember, with the AD module installed on the hybrid worker.
- “Get Output from job Get AD Group Members” needs to be included to retrieve the output from “Automation Job Get AD Group Members”.
- “Automation Job Query Splunk MDM Enrollment” starts the automation Runbook we created above that queries Splunk.
- “Get Output from Job get Query Splunk MDM Enrollment” gets the output from “Automation Job Query Splunk MDM Enrollment”.
- “Send an email to Admin” uses the O365 mailbox to send the email to the admin.

*If you are using a regular PowerShell Runbook instead of Graphical you will have to define the Runbook parameters as key/value pairs; below is my example.

That's it, you can now notify on any Splunk query / event on any index using this process.

You can certainly do this with Azure Monitor / Log Analytics, but in this scenario I needed Mobile Iron logs, which are native in Splunk.
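A hardened variant of the runbook that applies the two notes above (credential pulled from an encrypted Automation asset, TLS 1.2 forced) and returns parsed, structured output for the Logic App instead of a raw string. This is an added example, not the post's own runbook; the asset names 'SplunkApi' and 'SplunkServer', the index name 'mobileiron' and the event fields user/deviceName are assumptions.

```powershell
# Added example; not the original post's runbook. Assumed (hypothetical) names:
#   credential asset 'SplunkApi', variable asset 'SplunkServer' (https://<stack>.splunkcloud.com),
#   index 'mobileiron' and the fields user/deviceName in the Mobile Iron events.
param(
    [int]$LookbackMinutes = 15,
    [string]$Action = 'INSTALL_MDM_PROFILE'
)

# Older Server builds negotiate TLS 1.0 by default, which Splunk Cloud rejects
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Credential comes from the encrypted Automation asset, so no password lives in the script
$cred   = Get-AutomationPSCredential -Name 'SplunkApi'
$server = Get-AutomationVariable -Name 'SplunkServer'
$url    = "${server}:8089/services/search/jobs/export"   # braces: '$server:' would parse as a scope qualifier

# Only the action value is a runbook parameter; quoting it and stripping '"' keeps a caller
# from extending the SPL pipeline beyond the intended search
$safeAction = $Action -replace '"', ''
$search = 'search index=mobileiron actionType="{0}" | table _time user deviceName actionType' -f $safeAction
$body = @{
    search        = $search
    output_mode   = 'json'
    earliest_time = "-${LookbackMinutes}m"
    latest_time   = 'now'
}

# Invoke-WebRequest rather than Invoke-RestMethod: the export endpoint streams one JSON
# object per line, which Invoke-RestMethod cannot parse as a single document
$raw = (Invoke-WebRequest -Method Post -Uri $url -Credential $cred -Body $body -UseBasicParsing).Content

# Each line looks like {"preview":false,"offset":N,"result":{...}}; keep only final (non-preview) results
$events = foreach ($line in ($raw -split "`r?`n")) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $obj = $line | ConvertFrom-Json
    if (-not $obj.preview -and $obj.result) { $obj.result }
}

# Emit JSON so the Logic App "Get Output from Job" step can parse it without string splitting
Write-Output (@{ count = @($events).Count; events = @($events) } | ConvertTo-Json -Depth 4 -Compress)
```

In the Logic App, a Parse JSON action on the job output then exposes `count` and `events` to the "Send an email to Admin" step, so an email is sent only when `count` is greater than zero.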