Splunk SIEM Integration

SIEM Feed requires an additional license. Please contact support@inky.com to get more information.

Overview

This guide is intended for administrators who wish to integrate INKY’s extended logging capabilities directly into their Splunk Cloud Console. INKY will send event logs directly to Splunk’s HTTP event collector using JSON. After completing the steps below, please contact support@inky.com to initiate the JSON event feed.

For a more detailed guide, please see Splunk's HTTP Event Collector setup guide.


Settings

HTTP Event Collector

  1. Log in to your Splunk Cloud Console and navigate to Settings, then Data Inputs.

  2. Select New Token at the top right of your console. Name the token and leave all other options at their defaults.

  3. On the Input Settings screen, set the source type to Automatic. Splunk will then determine the type of data it is receiving through this input. You can manually specify JSON as the source type if you prefer.

     • Index: choose the indexes you would like to select. This section can be left blank if desired.

  4. After your token has been generated, note the token value as shown below.

Please email the following information to INKY support (support@inky.com).

  • Token Value

  • https://<CLUSTER>:8088/services/collector/raw

    • Replace “<CLUSTER>” with your assigned Splunk cluster host (e.g. prd-p-ksmsp.splunkcloud.com). This is the host portion of the link you use to log in to your Splunk Administration Console.

  • Request Channel (optional) - A request channel is generally used to split similar event feeds to avoid any type of conflict. For example, if two event feeds provide similar (or identical) data, one may be faster than the other. In this scenario, you may want to use a request channel for each feed.
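As an added example (not INKY's or Splunk's own code), the script below assembles the request the feed will make, the URL built from your cluster host, the token in the Authorization header and the optional request channel header, and posts one constructed sample event so you can confirm the token and endpoint work before emailing them to INKY support. It assumes the standard HEC port 8088 from the URL above; the cluster host, token and channel are placeholders you supply on the command line.

```python
import json
import ssl
import sys
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

HEC_PORT = 8088                          # default HEC port, as in the guide's URL
HEC_RAW_PATH = "/services/collector/raw"


def build_hec_request(cluster: str, token: str, event: dict,
                      channel: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body) for one JSON event posted to the raw HEC endpoint.
    Refuses an unreplaced "<CLUSTER>" placeholder so the guide's template URL is
    never sent, or emailed to support, by mistake."""
    if not cluster or "<" in cluster or ">" in cluster:
        raise ValueError("cluster must be your assigned Splunk host, not a placeholder")
    url = f"https://{cluster}:{HEC_PORT}{HEC_RAW_PATH}"
    headers = {
        "Authorization": f"Splunk {token}",   # HEC expects exactly this scheme
        "Content-Type": "application/json",
    }
    if channel:
        # Optional request channel, carried in the HEC request-channel header.
        headers["X-Splunk-Request-Channel"] = channel
    body = json.dumps(event).encode("utf-8")
    return url, headers, body


def send_test_event(cluster: str, token: str, channel: Optional[str] = None,
                    timeout: float = 10.0) -> int:
    """POST a constructed sample event and return the collector's HTTP status:
    200 = accepted, 403 = token wrong or disabled, 400 = payload rejected."""
    sample = {"source": "inky-hec-check", "event": "HEC connectivity test"}  # constructed
    url, headers, body = build_hec_request(cluster, token, sample, channel)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()   # verify the cluster's TLS certificate
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # usage: python hec_check.py <cluster-host> <token> [request-channel]
    host, tok = sys.argv[1], sys.argv[2]
    chan = sys.argv[3] if len(sys.argv) > 3 else None
    print(send_test_event(host, tok, chan))
```

A 200 response confirms the values you are about to send to INKY are correct; a 403 means the token should be re-checked in Data Inputs before emailing it.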


  5. Once your SIEM feed has been enabled by INKY, you can start to review and analyze your event logs. Below is an example of an INKY dataset created from our message analysis results.