Splunk

The Splunk data exporter allows you to send SIEM (InsightIDR) alert data and alert user statistics to Splunk to be recorded and analyzed.

ℹ️

Want to explore more options for exporting data to Splunk?

If you have a license for Automation (InsightConnect), you can configure workflows to export data to Splunk.

To set up Splunk:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Splunk to collect data from SIEM (InsightIDR).
  3. Configure SIEM (InsightIDR) to send data to the data exporter.
  4. Test the configuration.

Requirements

Ensure that your system meets the following requirements:

  1. You must have a license for Splunk.
  2. You must configure the Splunk inputs.conf file.

Configure Splunk to collect data from SIEM (InsightIDR)

To configure Splunk to collect data from SIEM (InsightIDR), you must add a TCP network input to the inputs.conf file. To do so, follow Splunk's documentation: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Monitornetworkports

Configure SIEM (InsightIDR) to send data to the data exporter

After you complete the prerequisite steps and configure Splunk to collect data, you must add the data exporter in SIEM (InsightIDR).

To configure the new data exporter in SIEM (InsightIDR):

  1. From the left menu, go to Data Collection and click Data Exporters.
  2. Click Add Data Exporter.
  3. Select Splunk as the Data Exporter Type.
  4. Name the data exporter.
  5. Select a collector.
  6. In the Hostname field, enter the FQDN or the IP address of the machine that hosts your Splunk configuration.
  7. In the Port field, enter the TCP port that Splunk will use to accept logs from SIEM (InsightIDR).
  8. Select the Data Export Types that you want to retrieve from the SIEM (InsightIDR) logs.
  9. Click the Save button.
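As an added example (it is not from Rapid7's or Splunk's documentation), the following inputs.conf stanza shows the Splunk side of the procedure above: a raw TCP listener whose port matches the Port entered in step 7, on the host whose FQDN or IP address is entered in step 6. The port 5140, the collector address 10.0.0.25, and the index and sourcetype names are constructed placeholders; replace them with your own values.

```ini
# Added example inputs.conf stanza (not part of the original page).
# Put it in $SPLUNK_HOME/etc/system/local/inputs.conf or in an app's
# local/ directory, then restart Splunk or reload its inputs.
#
# 5140 is a constructed placeholder; it must equal the Port entered in
# the SIEM (InsightIDR) data exporter. The exporter's Hostname field
# holds the FQDN or IP of this Splunk instance.
[tcp://5140]
# Accept connections only from the InsightIDR collector that runs the
# data exporter (constructed address); any other source is refused.
acceptFrom = 10.0.0.25
# Record the sending host by IP address rather than a reverse DNS lookup.
connection_host = ip
# Constructed index and sourcetype names; create the index before use.
index = rapid7
sourcetype = rapid7:insightidr
disabled = false
```

`splunk btool inputs list tcp --debug` prints the merged tcp stanzas and the file each setting comes from, which is the quickest way to confirm the listener is defined where you expect. For the test step, a search such as `index=rapid7 sourcetype=rapid7:insightidr earliest=-15m | stats count by host` confirms that events are arriving after the exporter is saved; a count of zero usually means the collector cannot reach the port (firewall) or its address is not covered by `acceptFrom`.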

Test the configuration

To test the configuration, search within Splunk to validate whether the SIEM (InsightIDR) data is being received.