Suricatavel Technology Add-on for Splunk
=========================================

This Technology Add-on (TA) provides CIM-compliant field mappings for
Suricatavel enriched security alerts forwarded via the HTTP Event Collector (HEC).

Installation
------------

Splunk Cloud:
  1. Go to Apps > Manage Apps > Install app from file.
  2. Upload the TA-suricatavel.tar.gz package.
  3. Splunk Cloud will propagate the configuration to the indexing tier.

Splunk Enterprise (on-premise):
  1. Extract the package into $SPLUNK_HOME/etc/apps/
  2. Restart Splunk, or use the deployer/cluster master for distributed environments.

Configuration
-------------

In Suricatavel, configure a Splunk HEC forwarding destination under
Settings > Forwarding. Set the sourcetype to "suricatavel:json" (this is
the default). The TA will automatically apply CIM field aliases and
parsing rules for the Intrusion Detection data model.
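
As an added example (not part of the TA or of Suricatavel itself), the following Python shows the HEC event envelope that a forwarding destination such as the one configured above produces: the alert sits under ``event`` and the envelope carries the sourcetype ``suricatavel:json``, which is what routes the event to the TA's parsing rules. The endpoint URL, the token and the alert content are placeholders.

```python
# Added example (not part of the TA or Suricatavel): how a Suricatavel alert
# looks once wrapped in the HEC event envelope the TA expects.
# HEC_URL and HEC_TOKEN are placeholders; SAMPLE_ALERT is constructed data.
import json
import time
import urllib.request

HEC_URL = "https://splunk.example.internal:8088/services/collector/event"  # placeholder
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"                        # placeholder
SOURCETYPE = "suricatavel:json"  # must match the TA's sourcetype exactly


def build_hec_envelope(alert, index=None, event_time=None):
    """Wrap one alert in the HEC JSON envelope.

    HEC metadata (time, host, sourcetype, index) lives at the top level and
    the raw alert goes under "event"; Splunk's JSON extraction then yields the
    dotted field names the TA maps (e.g. enrichment.geoip.country).
    """
    envelope = {
        "time": event_time if event_time is not None else time.time(),
        "host": alert.get("hostname", "suricatavel"),
        "sourcetype": SOURCETYPE,
        "event": alert,
    }
    if index is not None:
        envelope["index"] = index
    return envelope


def encode_batch(alerts, index=None):
    """HEC accepts several envelopes in one POST body, one JSON object after
    another; batching is cheaper than one request per alert."""
    return "\n".join(
        json.dumps(build_hec_envelope(alert, index)) for alert in alerts
    ).encode("utf-8")


def send_batch(body, url=HEC_URL, token=HEC_TOKEN):
    """POST a batch to HEC and return the HTTP status code.

    Network call, not exercised offline. HEC authenticates with the
    'Splunk <token>' authorization scheme.
    """
    request = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status


# Constructed sample alert; addresses are RFC 5737 documentation ranges.
SAMPLE_ALERT = {
    "hostname": "sensor-01",
    "source_ip": "203.0.113.45",
    "dest_ip": "198.51.100.10",
    "source_port": 51432,
    "dest_port": 22,
    "signature": "constructed test signature",
}

if __name__ == "__main__":
    # Print the body that would be POSTed; swap in send_batch() for a live HEC.
    print(encode_batch([SAMPLE_ALERT], index="security").decode("utf-8"))
```

The ``index`` key is optional; when it is omitted, HEC uses the default index configured on the token. Whatever you set, ``sourcetype`` has to stay ``suricatavel:json`` or the TA's field aliases will not fire.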

CIM Data Model Mappings
------------------------

  src                 <- source_ip
  dest                <- dest_ip
  src_port            <- source_port
  dest_port           <- dest_port
  dvc                 <- hostname
  threat_ip_address   <- ioc.value
  threat_source       = "Suricatavel Threat Intel"
  vendor_product      = "Suricatavel"

These mappings enable compatibility with Splunk Enterprise Security (ES)
and any dashboard or correlation search built on the Intrusion Detection
data model.

Enrichment Data Structure
-------------------------

All enrichment and indicator-of-compromise (IoC) data is nested inside the
JSON payload of each alert. Splunk extracts these nested objects automatically
into dotted field paths, for example:

  enrichment.geoip.country        - GeoIP Country Code (e.g. "US")
  enrichment.geoip.city           - GeoIP City Name (e.g. "Dallas")
  enrichment.geoip.asn            - GeoIP Autonomous System Number
  enrichment.geoip.org            - GeoIP Organization Name
  enrichment.geoip.lat            - GeoIP Latitude
  enrichment.geoip.lng            - GeoIP Longitude

  enrichment.abuseipdb.confidence_score   - AbuseIPDB Confidence Score
  enrichment.abuseipdb.total_reports      - AbuseIPDB Total Reports
  enrichment.abuseipdb.isp                - AbuseIPDB Internet Service Provider

  enrichment.virustotal.malicious         - VirusTotal Malicious Detections Count
  enrichment.virustotal.harmless          - VirusTotal Harmless Detections Count
  enrichment.virustotal.suspicious        - VirusTotal Suspicious Detections Count
  enrichment.virustotal.reputation        - VirusTotal Reputation Score

  enrichment.greynoise.classification     - GreyNoise Classification (e.g. "benign", "malicious")
  enrichment.greynoise.noise              - GreyNoise Noise Flag (true/false)

  enrichment.shodan.ports                 - Shodan Open Ports Array
  enrichment.shodan.vulns                 - Shodan Vulnerabilities Array

  ioc.value                       - Threat Intelligence IoC Value
  ioc.type                        - Threat Intelligence IoC Type (e.g. "ip")
  ioc.reputation_score            - Threat Intelligence Score (0-100)
  ioc.tags                        - Threat Intelligence Custom Tags Array
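
As an added example (not the TA's own code), the following Python mirrors what the "CIM Data Model Mappings" and "Enrichment Data Structure" sections describe: it flattens a nested alert into the dotted field names listed above, applies the CIM aliases and constants from the mappings table, and runs the sanity checks a reviewer would want before trusting the Intrusion Detection data model view. In the TA itself this happens declaratively in props.conf (JSON extraction plus FIELDALIAS/EVAL stanzas); the ``SAMPLE_ALERT`` values are constructed.

```python
# Added example (not the TA's own code): flatten a nested Suricatavel alert
# into Splunk-style dotted field names and apply the CIM aliases from the
# mappings section, so the mapping can be verified offline against a sample.
# SAMPLE_ALERT is constructed data.

# CIM field <- Suricatavel field (from the "CIM Data Model Mappings" section)
FIELD_ALIASES = {
    "src": "source_ip",
    "dest": "dest_ip",
    "src_port": "source_port",
    "dest_port": "dest_port",
    "dvc": "hostname",
    "threat_ip_address": "ioc.value",
}

# Fields the TA sets to fixed values
CONSTANT_FIELDS = {
    "threat_source": "Suricatavel Threat Intel",
    "vendor_product": "Suricatavel",
}


def flatten(obj, prefix=""):
    """Recursively flatten nested objects into dotted keys ("a.b.c").
    Lists are left intact; Splunk presents them as multivalue fields."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def apply_cim(fields):
    """Return a copy of the flattened fields with CIM aliases and constants.
    An alias whose source field is absent is skipped, which is also how a
    FIELDALIAS behaves when its source is missing from the event."""
    cim = dict(fields)
    for cim_name, source_name in FIELD_ALIASES.items():
        if source_name in fields:
            cim[cim_name] = fields[source_name]
    cim.update(CONSTANT_FIELDS)
    return cim


def check_event(cim):
    """Checks worth running before trusting the ES data model view: the
    fields the aliases produce must be present, and ioc.reputation_score
    must sit in its documented 0-100 range.
    Returns a list of problems, empty when the event is clean."""
    problems = []
    for required in ("src", "dest", "dvc", "threat_ip_address"):
        if required not in cim:
            problems.append(f"missing {required}")
    score = cim.get("ioc.reputation_score")
    if score is not None and not 0 <= score <= 100:
        problems.append(f"ioc.reputation_score out of range: {score}")
    return problems


# Constructed sample alert; addresses are RFC 5737 documentation ranges and
# the ASN is from the RFC 5398 documentation range.
SAMPLE_ALERT = {
    "hostname": "sensor-01",
    "source_ip": "203.0.113.45",
    "dest_ip": "198.51.100.10",
    "source_port": 51432,
    "dest_port": 445,
    "enrichment": {
        "geoip": {"country": "US", "city": "Dallas", "asn": 64496,
                  "org": "Example ISP", "lat": 32.78, "lng": -96.8},
        "abuseipdb": {"confidence_score": 92, "total_reports": 37, "isp": "Example ISP"},
        "virustotal": {"malicious": 5, "harmless": 60, "suspicious": 1, "reputation": -12},
        "greynoise": {"classification": "malicious", "noise": True},
        "shodan": {"ports": [22, 445], "vulns": []},
    },
    "ioc": {"value": "203.0.113.45", "type": "ip", "reputation_score": 87,
            "tags": ["scanner", "smb"]},
}

if __name__ == "__main__":
    mapped = apply_cim(flatten(SAMPLE_ALERT))
    for name in sorted(mapped):
        print(f"{name:40} {mapped[name]!r}")
    print("problems:", check_event(mapped) or "none")
```

The flattened keys match the field paths listed above exactly, so this is a quick way to confirm that a new enrichment source lands under the expected name before building a correlation search on it.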


Support
-------

For questions or issues, refer to the Suricatavel documentation.
