Splunk Integration
The Splunk HTTP Event Collector (HEC) allows you to send data and application events to a Splunk distribution over HTTP and HTTPS protocols. The HEC uses a token-based authentication model.
The steps and guidance provided below will ensure a successful integration.
Integration Steps
From the left menu go to Company Settings > SIEM Integrations and click the + NEW button and provide the information requested.
Integration Name
SIEM configuration name.
History Logs
Select this option to ensure that all data in the audit log will be transferred to your SIEM solution.
If this feature is inactive, only the audit log data recorded after defining the SIEM integration will be transferred to your SIEM solution.
Integration Type
Select Splunk integration type.
URL
The URL address of your Splunk solution.
Secret Token
Define Secret Token.
Test Connection
Test the connection to be sure it works correctly.
How to Get the Splunk URL Address
To learn the URL address of the Splunk product, log in to the Splunk management console, then click Data Inputs in the Data field from the Settings section at the top. In the Data Inputs window that opens, click on HTTP Event Collector (HEC).
Click the Global Settings button in the upper right of the HTTP Event Collector page.
Retrieve the Splunk URL and the HTTP port number to be entered in the URL field of the platform.
How to Get Secret Token
Log in to the Splunk management console, then click Data Inputs in the Data field from the Settings section at the top. Next, click on HTTP Event Collector (HEC) in the Data Inputs window.
Click the New Token button on the upper right of the HTTP Event Collector (HEC) page.
Complete the Name field and click the Next button.
Click the Select button to apply the resource type specified in the Input Settings page to the data.
Choose select_json (JavaScript Object Notation format) from the Structured field of the window that opens.
Click the Review button. After verifying the selections in the Review field, click the Submit button.
After receiving a message indicating that the token has been created successfully, you can copy the Token Value created here and use it in the relevant field of the platform.
Control Phase
In order to make sure that the integration works and logs are being transferred from the platform to the Splunk product properly, a test is advised.
After performing the integration, click the Start Searching button on the Splunk administration panel.
When you click the Test Connection button on the platform, you can see this request or other platform logs in the Search field on the Splunk administration panel.
Last updated