Configure the Splunk DB Connect Application

Configuring Splunk DB Connect:

  1. Click App: Search & Reporting > Splunk DB Connect.

Image shows configuration settings for Splunk DB Connect application

  2. Click Configuration > Settings.
  3. On the General tab, configure the path to your JRE installation on the machine hosting Splunk. The JVM Options and Task Server Port are configured by Splunk.
  4. Click Save to confirm your settings.
  5. Click the Databases tab, and then the Identities tab.
  6. Click New Identity. This is the identity (user) Splunk uses to authenticate to the BeyondTrust database to export events.
    • Enter an Identity Name you will use to identify the user.

New Identity setting for Endpoint Privilege Management integration with Splunk

    • You can either use SQL authentication as shown here, or you can use Windows authentication and any of the Endpoint Privilege Management Reporting accounts that are set up by the installer: ReportReader, Event Parser and Data Admin.
    • Click Save to confirm your identity.

Use the default permission Splunk Enterprise provides on the Permissions tab.

Connections settings for Endpoint Privilege Management integration with Splunk

  7. Click the Connections tab. This is where you configure the database you will connect to.
    • Enter a Connection Name. This is to identify the connection in Splunk.
    • Select the Identity you created from the dropdown list.
    • Select the Connection Type, MS SQL Server Using MS Generic Driver.
    • Enter the host IP address of your database server. Leave the port as the default 1433.
    • Enter the Default Database as the one containing your Endpoint Privilege Management Reporting data.
    • You can choose to configure the additional options if they are relevant for your environment.
    • Click Save to save your connection. This will also validate the connection.

Use the default permission Splunk Enterprise provides on the Permissions tab.

  8. Click the Data Lab tab and click New Input on the right-hand side.
    • Enter a Name to identify the new Input by. You can also enter a Description if required.
    • Leave the App dropdown list as Splunk DB Connect.
    • Select your Connection from the dropdown menu. This also validates it.

Inputs configuration for Endpoint Privilege Management integration with Splunk

  9. Click Continue. This allows you to choose and preview a table. You can now import the Export Views into Splunk. These are ExportDefendpointStarts, ExportDefendpointLogins, ExportPrivilegedAccountProtection, and ExportProcesses. This example uses the ExportDefendpointStarts view.
    • Select Rising Column. This ensures that each run retrieves only events newer than the last checkpoint from the Reporting database, rather than retrieving the same events repeatedly.
    • You can manually type a SQL query into the field or select the Checkpoint Column and the Checkpoint Value. When you type the query yourself, use a ? as the placeholder for the Checkpoint Value, which you set manually.

Input types for Endpoint Privilege Management integration with Splunk

    • Click Execute to search for the specified events in the Reporting database. This does not insert them into Splunk.

You can modify the SQL query to filter your results. This will help limit the data imported into Splunk Enterprise and your associated costs. For example, this SQL query imports events where the Endpoint Privilege Management version is 4.3.349.0 only.

SELECT *
FROM exportdefendpointstarts
WHERE sessionid > ?
AND AgentVersion='4.0.349.0'
ORDER BY sessionid asc

  10. Click Execute to search for the events in the Reporting database. These are displayed below.
  11. Click Continue. Set parameters for the input here if required.
  12. Click Continue. Each event imported into Splunk has the metadata you configure here as part of it. You can configure a new Sourcetype from the Settings menu on the top-right if required.
  13. Click Save to confirm your Input Type and start importing events into Splunk.
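The rising-column behaviour that the input above relies on can be checked offline before you point DB Connect at a production Reporting database. The following Python script is an added example, not part of this guide or of Splunk DB Connect: it builds a constructed, in-memory stand-in for the ExportDefendpointStarts view (only the sessionid and AgentVersion columns come from the query on this page; HostName and StartTime are assumed) and runs the page's query the way DB Connect does, binding the checkpoint to the single ? placeholder and advancing the checkpoint to the highest sessionid returned. It also shows the one pitfall a defender should know about: a row that arrives later with a lower sessionid than the stored checkpoint is never collected, so the checkpoint column must be strictly increasing.

```python
import sqlite3

# Constructed sample rows standing in for the ExportDefendpointStarts view.
# Columns: sessionid, AgentVersion (both used by the page's query), HostName
# and StartTime (assumed for illustration only).
SAMPLE_ROWS = [
    (101, "4.0.349.0", "HOST-A", "2024-01-01 08:00:00"),
    (102, "4.0.349.0", "HOST-B", "2024-01-01 08:05:00"),
    (103, "3.9.120.0", "HOST-C", "2024-01-01 08:06:00"),  # filtered out by version
    (104, "4.0.349.0", "HOST-A", "2024-01-01 08:10:00"),
]

# The query from the page. sqlite3 uses the same '?' positional placeholder
# that DB Connect binds the Checkpoint Value to.
RISING_COLUMN_QUERY = """
SELECT sessionid, AgentVersion, HostName, StartTime
FROM exportdefendpointstarts
WHERE sessionid > ?
AND AgentVersion='4.0.349.0'
ORDER BY sessionid ASC
"""


def build_reporting_db():
    """Create an in-memory table that mimics the shape of the export view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE exportdefendpointstarts ("
        "sessionid INTEGER PRIMARY KEY, AgentVersion TEXT, "
        "HostName TEXT, StartTime TEXT)"
    )
    conn.executemany(
        "INSERT INTO exportdefendpointstarts VALUES (?, ?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def poll_rising_column(conn, checkpoint):
    """One DB Connect-style poll.

    Binds the stored checkpoint to the '?' placeholder, fetches the rows
    past it, and returns (rows, new_checkpoint). Because the query orders
    by sessionid ascending, the last row carries the new checkpoint.
    """
    rows = conn.execute(RISING_COLUMN_QUERY, (checkpoint,)).fetchall()
    if rows:
        checkpoint = rows[-1][0]
    return rows, checkpoint


def simulate_polls():
    """Run several polls and return (rows_per_poll, final_checkpoint)."""
    conn = build_reporting_db()
    checkpoint = 0  # the Checkpoint Value you set manually in the input
    counts = []

    # Poll 1: everything matching the version filter (101, 102, 104).
    rows, checkpoint = poll_rising_column(conn, checkpoint)
    counts.append(len(rows))

    # Poll 2: nothing new, so nothing is re-imported.
    rows, checkpoint = poll_rising_column(conn, checkpoint)
    counts.append(len(rows))

    # A new event with a higher sessionid is picked up on the next poll.
    conn.execute(
        "INSERT INTO exportdefendpointstarts VALUES (105, '4.0.349.0', "
        "'HOST-D', '2024-01-01 09:00:00')"
    )
    rows, checkpoint = poll_rising_column(conn, checkpoint)
    counts.append(len(rows))

    # Pitfall: a late-arriving row with a LOWER sessionid than the checkpoint
    # is silently skipped. The rising column must be monotonic.
    conn.execute(
        "INSERT INTO exportdefendpointstarts VALUES (99, '4.0.349.0', "
        "'HOST-E', '2024-01-01 09:01:00')"
    )
    rows, checkpoint = poll_rising_column(conn, checkpoint)
    counts.append(len(rows))

    return counts, checkpoint


if __name__ == "__main__":
    print(simulate_polls())  # ([3, 0, 1, 0], 105)
```

The four poll counts show the two properties you want from a rising-column input (no duplicates, new events collected) and the one you need to design around (out-of-order IDs are lost). When choosing the Checkpoint Column for each Export View, pick a column that only ever grows; if the view offers an event time instead, be aware that clock skew between endpoints can produce the same late-arrival gap.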

Repeat steps 7 to 11 for each of the Export Views.