Splunk
Usage
By connecting Splunk's robust data analysis capabilities with Netography's network insights, organizations gain real-time alerting, monitoring, and comprehensive views of their security landscape. This integration also streamlines workflows, aids in compliance reporting, and offers scalable solutions that adapt to evolving needs, thus providing a valuable tool for improving decision-making, security response, and overall efficiency.
Prerequisites
Before configuring the Splunk integration in Netography, you will need to have your webhook URL configured from Splunk. For more information, consult the Webhook configuration for Splunk.
Netography Portal Steps
In Settings > Response Integrations, click Add Integration, then select Splunk.
Configuration
The following fields are specific to the Splunk integration.
Field | Required | Description | Example |
---|---|---|---|
URL | yes | The webhook URL from Splunk | https://splunkhec.example.com:8088/services/collector/raw?token=<exampletokenvalue> |
Skip SSL Verification | no | If checked, the server certificate will not be validated against the available certificate authorities. | |
Headers | no | Comma-separated list of header: value pairs | X-Netography: Webhook |
After your configuration is submitted, the Splunk integration will be treated as a standard webhook integration in the Fusion portal.
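A pre-submit check of the Configuration fields above, as an added example that is not part of the Netography or Splunk documentation. The function names and finding texts are assumptions, and the sample values are constructed from the table's Example column.

```python
from urllib.parse import urlsplit, parse_qs


def parse_headers(raw):
    """Split the Headers field (comma-separated 'header: value' pairs) into a dict.

    Limitation of this sketch: a header value that itself contains a comma
    is not supported, since the field uses commas as the pair separator.
    """
    headers = {}
    for pair in filter(None, (p.strip() for p in raw.split(","))):
        name, sep, value = pair.partition(":")  # split on the first colon only
        if not sep or not name.strip():
            raise ValueError(f"not a 'header: value' pair: {pair!r}")
        headers[name.strip()] = value.strip()
    return headers


def review_settings(url, skip_ssl_verification=False, headers=""):
    """Return findings for one Splunk integration form; an empty list means nothing flagged."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("URL is not https: token and events travel in cleartext")
    if "token" in parse_qs(parts.query):
        # The token authenticates the sender, so the URL itself becomes a credential.
        findings.append("token is in the query string: handle the whole URL as a secret")
    if skip_ssl_verification:
        findings.append("Skip SSL Verification is checked: the receiver's certificate is not validated")
    try:
        parse_headers(headers)
    except ValueError as exc:
        findings.append(f"Headers field: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: the table's example values, then a weak variant.
    as_documented = ("https://splunkhec.example.com:8088/services/collector/raw"
                     "?token=<exampletokenvalue>")
    weak = "http://splunkhec.example.com:8088/services/collector/raw?token=constructed-token"
    for label, args in [("documented", (as_documented, False, "X-Netography: Webhook")),
                        ("weak", (weak, True, "X-Netography"))]:
        print(label)
        for finding in review_settings(*args) or ["nothing flagged"]:
            print("  -", finding)
```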
Authentication
The following fields are necessary for the integration to authenticate using HTTP Basic Auth.
Field | Required | Description |
---|---|---|
Username | no | HTTP Basic Auth ID |
Password | no | HTTP Basic Auth password |
Additional post configuration
After the Splunk configuration is set up, you will need to configure a Response Policy in the Fusion portal and a custom Logparser in Splunk.
Configure a Response Policy to Send Events to Splunk
You can configure response policies in the portal by navigating to Response -> Response Policies -> Add Response Policy.
Configure Splunk Custom Logparser
To configure the custom Logparser from Splunk, follow the Logparser guide.
To get logs from the Fusion Portal to use for the Logparser, go to Search -> Events, select an event, view the raw record from the properties tray, select the JSON tab, and click the top-level clipboard icon as shown below: