Create Splunk integration

The Stairwell App for Splunk allows users to enrich their Splunk logs with Stairwell analysis. The app provides a stairwell streaming command that can be used to pull intelligence on file hashes, hostnames, and IP addresses that appear in your Splunk data.


Compatibility

The Stairwell App for Splunk is compatible with both Splunk Enterprise and Splunk Cloud, with platform versions 9.4 and 10.0.


Installation

  1. From your Splunk dashboard, click the Apps dropdown and select Find More Apps to open the Browse More Apps page.

  2. In the search bar on the left sidebar, search for "stairwell". You should see a single result.

  3. Click the green Install button and proceed with the installation process.

  4. When prompted, enter the following information:

    • Authentication Token: Generate this in the Stairwell app by visiting the Auth Token Settings page.

    • Organization ID: Available on the Organization Settings page.

    • User ID (Optional): Found on the Settings page. This increases your rate limit but is not required.

After submitting the form, you’ll be redirected to the app landing page. You’re ready to start using the stairwell command!


Usage Examples

First, verify that Splunk can communicate with the Stairwell enrichment API. You can do this using the simple search below, which enriches a synthetic event containing a client_ip field:

| makeresults | eval client_ip="8.8.8.8" | stairwell ip=client_ip

You can perform similar searches for hostnames and file hashes. Note that file hash enrichment is only returned if the object exists in your Stairwell environment.

| makeresults | eval remote_hostname="google.com" | stairwell hostname=remote_hostname
| makeresults | eval object_hash="<insert hash here>" | stairwell object=object_hash

How best to invoke the stairwell streaming command depends on the types of events your Splunk instance contains. Here are additional examples showing how to combine various event sources with Stairwell enrichment:

  • Enrich all objects referenced in a Crowdstrike log file for a specific host:

    source="crowdstrike.json" host="Macbook-Pro.local" sourcetype="_json" | stairwell object="event.Process.SHA256"

  • Given Crowdstrike RTR invocations, enrich all file hashes referenced by a specific endpoint request:

    index="crowdstrike_raw" "event.Attributes.request_path=/real-time-response/entities/extracted-file-contents/v1"
    | rex field="event.Attributes.request_query" "sha256=(?<hash>.*)"
    | stairwell object="hash"
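Because each event streamed through stairwell consumes enrichment calls against the rate limit mentioned under Installation, it pays to deduplicate indicators before the command runs. The search below is an added example and not part of the Stairwell app or its documentation: it reuses the crowdstrike_raw index and the RTR request path from the example above, but the 24-hour time range and the 100-hash cap are assumptions. It also tightens the rex pattern so that only well-formed 64-hex-character SHA-256 values reach the command (the greedy `.*` above would also capture any query parameters that follow the hash), drops events with no valid hash, normalizes case, and enriches each distinct hash once while keeping a count and the hosts that referenced it:

```spl
index="crowdstrike_raw" earliest=-24h "event.Attributes.request_path=/real-time-response/entities/extracted-file-contents/v1"
| rex field="event.Attributes.request_query" "sha256=(?<hash>[0-9a-fA-F]{64})"
| where isnotnull(hash)
| eval hash=lower(hash)
| stats count AS occurrences, values(host) AS hosts, earliest(_time) AS first_seen, latest(_time) AS last_seen BY hash
| sort - occurrences
| head 100
| stairwell object="hash"
```

As with the examples above, hash enrichment is only returned for objects that already exist in your Stairwell environment, so rows without enrichment fields are expected rather than an error.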

Troubleshooting

Below are some common issues and their solutions. If you encounter an issue not covered here, please contact [email protected].

Updated Organization ID / Auth Token Not Saving

This is a known but sporadic issue. Solution: Uninstall and reinstall the app in your Splunk instance to re-enter updated credentials.

App Landing Page Not Loading (404 Error)

This typically indicates that Splunk role configuration is blocking the user or app from accessing required UI components. Solution: Use the Search and Reporting app’s UI to access the stairwell command. It provides identical functionality.


Appendix

The source code for this app, along with other Stairwell external integrations, is available on GitHub: https://github.com/stairwell-inc/integrations