CloudSploit can integrate with Splunk through an HTTP Event Collector (HEC) endpoint. This endpoint receives the scan, alert, and event reports that CloudSploit sends. To create a Splunk integration, follow these steps:


  1. Obtain your Splunk service's HTTP Event Collector (HEC) endpoint. For more information, see the Splunk Documentation.
  2. Obtain your HEC token from your Splunk service, or ask your Splunk administrator to generate one for you.
  3. Log into the CloudSploit Console and navigate to the "Integrations" page (via the menu on the left-hand side of the page).
  4. On the right side, locate the box for "Add New Integration".
  5. Provide a name for your integration, such as "splunk".
  6. Under "Type," select "Splunk" from the drop-down list.
  7. Paste the Splunk HEC endpoint you obtained in step 1.
  8. Paste the HEC token you obtained in step 2.



For "Flatten Results" use the following as guidance:

  • "Yes" means that results sent to Splunk will be an array of individual results, with the plugin data copied into the top level of each event. For example, the payload will look like:
    [
      {
        event: {
          status: 0,
          message: 'User access key 1 was last used 0 days ago',
          region: 'global',
          resource: 'arn:aws:iam::123456789101:user/test',
          custom: true,
          account_name: 'my-account',
          category: 'IAM',
          test_id: 125,
          title: 'Access Keys Last Used'
        },
        sourcetype: 'cloudsploit:scan_results',
        time: 1539821430.36
      },
      ...
    ]

  • "No" means that results sent to Splunk will be an array of plugins, with each plugin's results kept as a nested `results` property. For example, the payload will look like:
    [
      {
        event: {
          account_name: 'my-account',
          category: 'IAM',
          description: 'Plugin description',
          id: 123,
          link: 'https://amazonaws.com/...',
          more_info: 'Plugin info',
          num_fail: 100,
          num_new_risks: 50,
          num_pass: 5,
          num_unknown: 1,
          num_warn: 10,
          query: 'pluginQuery',
          recommended_action: 'actions',
          results: [
            {
              custom: false,
              message: 'Result message',
              region: 'us-east-1',
              resource: 'resource affected',
              status: 1
            }
          ]
        },
        sourcetype: 'cloudsploit:scan_results',
        time: 1539821430.36
      },
      ...
    ]


Once you have created the Splunk Integration, it will become available throughout the CloudSploit console for use with Scans, Events, and Alerts. To configure scan results to be sent to Splunk, follow these steps:


  1. From the CloudSploit console, navigate to the "Scans" > "Report Deliveries" page via the menu.
  2. Click the "Third-Party Integrations" tab.
  3. Find your Splunk integration and select an option from the following:
    1. Send All Scan Reports for All Accounts -> Splunk will receive every scan report for every one of your connected accounts.
    2. Send New Risks Only for New Accounts -> Splunk will receive reports only when new risks are detected.
    3. Customized Per Account -> Splunk will be disabled by default for all of your connected accounts, but can be enabled per account via the pop-up box.