Usage

By connecting Splunk's robust data analysis capabilities with Netography's network insights, organizations gain real-time alerting, monitoring, and comprehensive views of their security landscape. This integration also streamlines workflows, aids in compliance reporting, and offers scalable solutions that adapt to evolving needs, thus providing a valuable tool for improving decision-making, security response, and overall efficiency.

Prerequisites

Before configuring the Splunk integration in Netography, you will need to create a new Token for the HTTP Event Collector. For more information, consult the HTTP Event Collector documentation for Splunk.

Netography Portal Steps

In Settings > Response Integrations, click Add Integration, then select Splunk.

Configuration

The following fields are specific to the Splunk integration.

The webhook URL should point to the 'services/collector/raw' endpoint of the HTTP Event Collector, as described in [Splunk's Documentation](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector).

Ensure that the HTTP Event Collector port can be reached from Netography's "integrations" IP address, which can be obtained from the Settings Overview page in the Netography Fusion portal.

| Field | Required | Description | Example |
| --- | --- | --- | --- |
| URL | yes | The webhook URL from Splunk | https://splunkhec.example.com:8088/services/collector/raw |
| Skip SSL Verification | no | If checked, the server certificate will not be validated against the available certificate authorities. | |
| Headers | no | Comma separated list of header: value pairs | X-Netography: Webhook |

Authentication

The following fields are necessary for the integration to authenticate using HTTP Basic Auth.

| Field | Required | Description |
| --- | --- | --- |
| Username | no | Name of the HTTP Event Collector Token |
| Password | no | Token Value |

After your configuration is submitted, the Splunk integration will be treated as a standard webhook integration in the Fusion portal.

Additional post configuration

After the Splunk configuration is set up, you will need to configure a Response Policy in the Fusion portal.

Configure a Response Policy to Send Events to Splunk

You can configure response policies in the portal by navigating to Response -> Response Policies -> Add Response Policy.