Get Started

Getting Started

Deploy

Onboard and Manage Accounts

Amazon Web Services (AWS)

Google Cloud Platform (GCP)

Microsoft Azure

Oracle Cloud Infrastructure (OCI)

Additional Providers

Collect and Integrate Data

Harvesting & Event-Driven Harvesting

Integrations

Understand Data

Visibility & Reporting

Inventory

Query Filters & Insights

Manage and Act on Data

Bots & Automation

Infrastructure as Code (IaC) Security

Cloud IAM Governance

Vulnerability Management

Workload Security

Manage System Settings

InsightCloudSec System Configuration

Developer Resources

APIs

Support

Splunk Integration

The Splunk integration provides InsightCloudSec the ability to send notification messages to your Splunk indexes and is compatible with all InsightCloudSec Resources. This integration can be used to send high priority security alerts when noncompliant Security Group rules are provisioned, such as SSH open to the world.

Prerequisites

A functioning InsightCloudSec platform installation with an admin role
The appropriate permissions to access the Splunk instance details

For general information about Integrations (editing and deleting), refer to the Integrations Overview page.

If you need help with this integration, contact us through the Customer Support Portal.

Splunk Configuration

To get Access Points for your Splunk instance, refer to the following steps:

Access your Splunk instance.
Note the name of the instance.
- In the example below, the instance name is 'splunk.insightcloudsec.net'.
- You will also need the username and password for that instance.
Alternatively InsightCloudSec also supports connecting to Splunk through an HTTP Event Collector via a token.
- If you're using Splunk Enterprise, follow the documentation here
- If you're using Splunk Cloud, follow the documentation here
- For this connection method you will need to create/save your HEC Token and HEC URL. Example HEC URLs are as follows:
  - For Splunk Enterprise, the HEC URL may look like https://<host>:<port>/services/collector/raw
  - For Splunk Cloud (AWS), the HEC URL may look like https://http-inputs-<host>.splunkcloud.com/services/collector/raw
  - For Splunk Cloud (GCP), the HEC URL may look like https://http-inputs.<host>.splunkcloud.com/services/collector/raw

Configuring InsightCloudSec for the Splunk Integration

Launch InsightCloudSec and navigate to Administration > Integrations.
Locate Splunk and select Edit.
Enter the Splunk Integration details based on your preferred connection method.
- For connection via instance/username/password provide the following:
- The instance URL (you obtained above)
- Instance username
- Instance password
- Your port - the port specification refers to the management port of your Splunk instance. (The default value set in Splunk is 8089.)
- Timeout (seconds) - InsightCloudSec populates this by default. This value can be modified to resolve timeout issues.
- HTTPS Scheme - this option refers to the protocol used to communicate with your Splunk instance. HTTPS/SSL is enabled by default in Splunk, but verify this is the case with your own Splunk instance.
- Send Product API Activity - this option enables InsightCloudSec to send API activity to your Splunk instance, e.g., Compliance Report generation, custom Insight creation, etc.
- For connection via HTTP Event Collector (HEC), you are only required to provide
  - the HEC Token
  - the HEC URL
Click to Save your configuration. You should receive a message (in green), confirming you have successfully saved the settings.
- Once your setup is complete, check out our documentation on Jinja2 templating to improve your messaging.

Example Bot Creation Using Splunk

After successfully setting up Splunk, you can configure the Splunk action within your InsightCloudSec Bot configurations. In the example shown below, you can specify the Splunk index where you’d like the events to go as well as the message sent for each event.

For detailed step-by-step instructions on using automation check out our documentation on Creating Bots.
- You can also check out Working with Bots (Best Practices & Examples) if you want to review some examples.

If the index of your choosing isn’t on the server, one will be created for you and all the events will go to that index. For more information on creating an index for Splunk, click here.

Once you’ve run your Bot with the Splunk action, go to your Splunk Instance window and view your indexes.

You should now see all of the noncompliant resources that InsightCloudSec identified logged as events in the Splunk index.

Did this page help you?

Integrations

Tenable.io Integration

Integrations

Jira Integration