Splunk SIEM
Splunk Enterprise is a security information and event management (SIEM) platform that can be used with Bitwarden organizations. Organizations can monitor event activity with the Bitwarden app on their Splunk Enterprise dashboard.
note
The Bitwarden Splunk integration is currently supported for Splunk Enterprise on-premises.
Installing the Bitwarden app on Splunk Enterprise requires an account with Splunk Base.
Once you have a Splunk Base account, the next step is to install Splunk Enterprise. Follow the Splunk documentation to complete an install of the self-hosted Enterprise software.
note
The Bitwarden app is currently supported on Splunk Enterprise's Linux x64 architecture.
Before connecting your Bitwarden organization to Splunk Enterprise, create an index that will maintain Bitwarden data.
1. Open the Settings menu located on the top navigation bar and select Indexes.
2. Once you are on the indexes screen, select New Index.
3. A window will appear for you to create a new index for your Bitwarden app.

4. In the Index Name field, enter bitwarden_events.
note
The only required field for the index creation is Index Name. The remaining fields can be adjusted as needed.
5. When you are finished, select Save.
After your Bitwarden index has been created, navigate to the Splunk Enterprise dashboard.
1. Select the cog icon next to Apps.

2. Select Browse more apps, located at the top right of the screen.
3. Search for Bitwarden Event Logs in the app catalogue. Select Install for the Bitwarden Event Logs - Linux x64 app.
4. To complete the installation, you will need to enter your Splunk Base account credentials. Your Splunk Base credentials may not be the same as those used to log in to your self-hosted Splunk Enterprise instance.
5. After you have entered your information, select Agree and Install.
note
You may need to restart Splunk following the Bitwarden app install.
Once the Bitwarden Event Logs app has been installed in your Splunk Enterprise instance, you can connect your Bitwarden organization using your Bitwarden API key.
1. Go to the dashboard home and select the Bitwarden Event Logs app.
2. Next select Setup from the top navigation menu. This is where you will add your Bitwarden organization's information.

3. Keep this screen open. In another tab, access your Bitwarden web vault, open your organization, and navigate to Settings → Organization info → View API key. You will be asked to re-enter your master password in order to access your API key information.
4. Copy and paste the client_id and client_secret values into their respective locations on the Splunk setup page. Complete the additional fields as follows:
Field | Value |
---|---|
Index | Select the index that was created previously in this guide (bitwarden_events). |
Server URL | For self-hosted Bitwarden users, input your self-hosted URL. Be sure that the URL does not include a trailing forward slash. |
warning
Your organization API key enables full access to your organization. Keep your API key private. If you believe your API key has been compromised, select the Rotate API key button on this screen. Active implementations of your current API key will need to be reconfigured with the new key before use.
5. Select Submit.
6. Once you have completed the setup, restart Splunk Enterprise. To do this, head to Settings → Server controls → Restart Splunk.
To start reviewing data, you can set up a search macro. A Splunk search macro is a reusable search query that can be applied to your dashboard.
1. To add a search macro, go to Settings on the top navigation bar. Then, select Advanced Search.
2. Next, select + Add new. Once you are on the create macro screen, complete the following fields:
Field | Definition |
---|---|
Destination app | The app that this macro will be applied to. The Bitwarden destination app is |
Name | The name of the macro. The macro you are using takes arguments appended to the name of the macro. The macro name for Bitwarden is |
Definition | This field will contain the string that the search macro expands upon when it is referenced in searches. Included arguments will be enclosed in dollar signs, such as $arg$. Input |
Arguments | Input arguments in a comma-delimited string of argument names. Argument names may only contain alphanumeric, "_", and "-" characters. This field is not required for creating the macro. |
Validation Expression | Enter an eval or boolean expression that runs over macro arguments. This field is not required for creating the macro. |
Validation Error Message | Enter a message to display when the validation expression fails. This field is not required for creating the macro. |
3. Once you have input all information into the macro form, select Save.
Next, set up which user roles will have permission to use the macro:
1. View macros by selecting Settings → Advanced Search → Search macros.
2. Select Permissions on the macro you would like to edit.
3. Edit the following permissions:
Field | Description |
---|---|
Object should appear in | In order to use the macro in event searching, select This app only. The macro will not apply if Keep private is selected. |
Permissions | Select the desired permissions for user roles with Read and Write access. |
4. Once you have edited your desired permissions, select Save.
note
Only one search macro will be functional on the app at a given time.
The Dashboard will provide several options for monitoring and visualizing Bitwarden organizational data. The three primary categories of data monitoring include:
Bitwarden authentication events
Bitwarden vault item events
Bitwarden organization events
The data displayed on the dashboards will provide information and visualization for a broad variety of searches. More complex queries can be completed by selecting the Search tab at the top of the dashboard.
Searches run from the Search page or from a dashboard can be restricted to a specific timeframe.
The following timeframes are supported for Bitwarden event logs searches:
Month to date
Year to date
Previous week
Previous business week
Previous month
Previous year
Last 30 days
All time
Set up specific searches by including search queries. Splunk uses its Search Processing Language (SPL) for searching. See Splunk's documentation for additional details on searches.
Search structure:
search | commands1 arguments1 | commands2 arguments2 | ...
An example of a standard search result object:

The fields shown in the standard search object can be included in any specific search. This includes all of the following values:
Value | Description |
---|---|
| The email of the user performing the action. |
| Unique id of user performing action. |
| Name of the user performing an action. |
| Date of event displayed in |
| Numeric identifier of the device on which the action was performed. |
| Splunk computed data hash. Learn more about Splunk's data integrity here. |
| The IP address from which the event was performed. |
| Email of the organization member that the action was directed towards. |
| Unique id of the organization member that the action was directed towards. |
| Name of the organization member that the action was directed towards. |
| The event type code that represents the organization event that occurred. See a complete list of event codes with descriptions here. |
Search all:
sourcetype="bitwarden:events" type=*
Filter results by a specific field:
In the following example, the search looks for actingUserName with a * wildcard, which will display all results that have an actingUserName value.
sourcetype="bitwarden:events" actingUserName=*
The AND operator is implied in Splunk searches. The following query will search for results containing a specific type AND actingUserName.
sourcetype="bitwarden:events" type=1000 actingUserName="John Doe"
Include multiple commands by separating them with |. The following will show results with the top value being ipAddress.
sourcetype="bitwarden:events" type=1115 actingUserName="John Doe" | top ipAddress
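As an added example (not code from the guide or from the Bitwarden app), the Python below models how the searches above behave, evaluated over constructed sample events that use the field names from this page. It shows that a bare actingUserName=* only matches events where that field is present, what | top ipAddress returns, and how the filters render back into the SPL strings shown above; the sample data and event type codes 1000 and 1115 are taken as given, not interpreted.

```python
# Added example: a minimal model of the Splunk search pipeline used in this
# guide, evaluated over constructed (not real) Bitwarden event records.
import fnmatch
from collections import Counter

# Constructed sample events using field names from this page; the last one
# has no actingUserName, as can happen for events with no acting user.
SAMPLE_EVENTS = [
    {"type": 1000, "actingUserName": "John Doe", "ipAddress": "203.0.113.10"},
    {"type": 1000, "actingUserName": "Jane Roe", "ipAddress": "203.0.113.11"},
    {"type": 1115, "actingUserName": "John Doe", "ipAddress": "203.0.113.10"},
    {"type": 1115, "actingUserName": "John Doe", "ipAddress": "203.0.113.12"},
    {"type": 1115, "actingUserName": "John Doe", "ipAddress": "203.0.113.10"},
    {"type": 1115, "actingUserName": "Jane Roe", "ipAddress": "203.0.113.11"},
    {"type": 1115, "ipAddress": "198.51.100.7"},
]


def search(events, **filters):
    """Implied-AND field filters. A bare * requires the field to exist
    (Splunk's field=* semantics); other values may contain * wildcards."""
    def matches(event):
        for field, wanted in filters.items():
            if field not in event:
                return False
            if not fnmatch.fnmatchcase(str(event[field]), str(wanted)):
                return False
        return True
    return [event for event in events if matches(event)]


def top(events, field):
    """Equivalent of `| top <field>`: most frequent values with count and percent."""
    values = [event[field] for event in events if field in event]
    total = len(values)
    return [
        {field: value, "count": count, "percent": round(100.0 * count / total, 2)}
        for value, count in Counter(values).most_common()
    ]


def spl(pipeline=(), **filters):
    """Render the equivalent SPL query string for the guide's sourcetype."""
    terms = ['sourcetype="bitwarden:events"']
    for field, wanted in filters.items():
        value = str(wanted)
        bare = value == "*" or value.replace("*", "").isalnum()
        terms.append(f"{field}={value}" if bare else f'{field}="{value}"')
    return " | ".join([" ".join(terms), *pipeline])
```

Calling top(search(SAMPLE_EVENTS, type=1115, actingUserName="John Doe"), "ipAddress") reproduces the last query above on the sample data.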
Set user roles
Manage user roles to allow individuals to perform specific tasks. To edit user roles:
1. Open the Settings menu on the top navigation bar.
2. Select Users from the bottom right corner of the menu.
3. From the users screen, locate the user that you wish to edit permissions for and select Edit.
From this screen, details for the user can be filled out. Permissions such as admin, power, and can_delete can be individually assigned here as well.
Delete data
Delete Bitwarden search data by clearing the index with SSH access. Data may need to be cleared in instances such as changing the organization being monitored.
1. Access the Splunk directory and stop Splunk processes.
2. Clear the bitwarden_events index with the -index flag.
3. Restart Splunk processes.