Importing Device42 Inventory into Splunk

To maximize the effectiveness of your SIEM you need ‘context’. By importing Assets and Identities into Splunk you can gain contextual awareness of what is happening across your systems.

Rather than a flood of IP addresses, your SIEM can be aware of the Applications, People and Systems being targeted.

Once you have used Device42 to discover, classify and link your

  • devices
  • systems
  • applications
  • classifications

all of that information can be brought into Splunk. Databl loves to get systems talking!

To get these two systems talking we’re going to use Splunk DB Connect to make a JDBC connection to Device42 using Device42’s custom JDBC driver.

So, the steps will be:

  1. Set up Splunk DB Connect (not covered here!)
  2. Upload the Device42 JDBC driver
  3. Define the new driver (it has to be defined explicitly, because it isn’t one of the standard ones)
  4. Save some credentials
  5. Run a query

Uploading the JDBC Driver

Assuming you’ve got DB Connect up and running, you’ll notice a list of predefined JDBC drivers: MSSQL, Oracle, Aurora and so on. Device42 isn’t in that list, but we can add it.

Upload the driver to the same driver path in Splunk DB Connect that the built-in drivers use:

splunk_app_db_connect/drivers

[Screenshot: JDBC Driver]

Defining the Driver

Now create a file that defines the database connection type for the new driver. The app’s default directory contains definitions for all the existing drivers; follow that style.

splunk_app_db_connect/local/db_connection_types.conf

Now edit the file so that it contains a stanza like this one:

[Screenshot: DB Connection Type]
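As an added example (not the original post’s screenshot, and not a file shipped by Device42 or Splunk), here is the shape of a db_connection_types.conf stanza for a custom driver. The stanza name and the keys displayName, serviceClass, jdbcDriverClass, jdbcUrlFormat, port and testQuery are the ones DB Connect reads from this file, and <host> and <port> are DB Connect’s own substitution tokens; the driver class, URL scheme and port number below are placeholders that must be replaced with the values documented for the version of the Device42 JDBC driver you uploaded.

```ini
# splunk_app_db_connect/local/db_connection_types.conf
# Added example stanza for a custom Device42 connection type (assumed values
# are marked as placeholders; take the real ones from the Device42 driver docs).
[device42]
displayName = Device42
# Generic DBX2 service class used for drivers that have no dedicated class.
serviceClass = com.splunk.dbx2.DefaultDBX2JDBC
# PLACEHOLDER: fully qualified driver class from the Device42 JDBC driver jar.
jdbcDriverClass = <device42.jdbc.DriverClass>
# PLACEHOLDER scheme; <host> and <port> are filled in by DB Connect from the
# connection you create in the UI.
jdbcUrlFormat = jdbc:<device42-scheme>://<host>:<port>
# PLACEHOLDER: default port the Device42 JDBC driver listens on.
port = <device42-port>
# Lightweight query DB Connect runs to validate the connection (assumed to be
# accepted by the Device42 driver; adjust if the driver rejects it).
testQuery = SELECT 1
```

After saving the file, use "Reload drivers" on the DB Connect page; if the stanza is not picked up, compare it key for key against one of the built-in stanzas in the app’s default/db_connection_types.conf, since a misspelled key is silently ignored.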

Once that’s done, if it’s all gone to plan, you’ll be able to reload the drivers on the Splunk DB Connect page and see your new driver listed as available and ready for connections.

[Screenshot: Driver List]

Saving the credentials

Go ahead and create an identity to store the credentials; then you’re good to make a connection. If you want to test the driver and browse the schema before going to Splunk, you can use SQL Workbench to test the JDBC driver: supply all the connection details and make a connection.

[Screenshot: Connection Properties]

Running the Query

Now that you have a connection, you can write DOQL (Device42 Query Language) and pull any data you want. Take that data, map it to the Splunk Data Models, and everything will light up!
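As an added example of that last step (not a query from the original post or from Device42’s documentation), this DOQL query joins devices to their IP addresses and aliases the columns to the field names the Splunk Enterprise Security asset lookup expects (ip, nt_host, dns, category, priority, bunit), so the DB Connect input can feed the asset list with little further transformation. The view names view_device_v1 and view_ipaddress_v1 are the public DOQL views; the column names used here are assumptions and should be checked against the schema you browsed in SQL Workbench or DB Connect before the query is saved as an input.

```sql
-- Added example DOQL query (column names are assumptions; verify against
-- your Device42 instance's DOQL schema before use).
SELECT
    ip.ip_address        AS ip,        -- ES asset field: ip
    d.name               AS nt_host,   -- ES asset field: nt_host
    d.name               AS dns,       -- ES asset field: dns
    d.type               AS category,  -- ES asset field: category
    d.service_level      AS priority,  -- remap to low/medium/high/critical in Splunk
    d.customer_fk        AS bunit,     -- ES asset field: bunit (customer/business unit id)
    d.os_name            AS os,        -- extra context field, not part of the ES schema
    d.device_pk          AS device_id  -- stable key, usable as the rising column in DB Connect
FROM view_device_v1 d
JOIN view_ipaddress_v1 ip
    ON ip.device_fk = d.device_pk
WHERE d.in_service = true             -- only assets Device42 considers live
ORDER BY d.device_pk;
```

Two practical notes: give the identity you saved in DB Connect a Device42 account that is read-only, since the SIEM only ever needs to select from these views; and if you schedule this as a DB Connect input rather than a one-off batch, use a stable key such as device_id as the rising column so each run only pulls assets added since the last checkpoint.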

So hopefully this gives you some ideas of what’s possible with Splunk and SIEMs when they have all the information they need to make sense of the data flowing through them. If you need help or guidance on integrating your own system, reach out to Databl for anything Splunk, Device42 or integration related – good luck!