Splunk Enterprise is an analytics-driven SIEM made of five distinct frameworks that can be leveraged independently to meet a wide range of security use cases including compliance, application security, incident management, advanced threat detection, real-time monitoring, and more.
With Splunk, organizations can improve security and better manage risk by integrating teams, processes, and tools. Security teams can automate tasks, orchestrate workflows, and support a broad range of security operations center (SOC) functions including incident management, collaboration, and reporting.
SIRP’s Splunk integration app allows you to execute the following actions:
Get User Events
Get events related to the specified user
Get Custom Alerts
Get Custom Alerts from Splunk
Splunk Alert Configuration
Set Splunk to Send Alerts via Email
The steps below configure a Splunk alert to send its results by email.
1. Login to the Splunk web console.
2. From the left navigation bar, click on Search & Reporting.
3. Under Search type, select All time.
4. To save your search as an alert, click Save As from the search page.
5. Click Alert, and a configuration window will pop up.
6. Next, save your search as an alert.
Alerts monitor your data and alert you when the specified trigger conditions are met.
7. Select the Alert that you want to send to SIRP.
8. Set your alert type to All-time.
9. Set trigger conditions; these let you specify what triggers your alert.
You can trigger an alert on a per-result basis, by the number of results, by the number of hosts, by the number of sources, or even with a custom trigger condition.
10. To add the email alert action, go to Trigger Actions and select Add Actions > Send an email.
11. Insert the email address in the To field.
12. Set the Subject according to the alert title.
13. Insert the message body as per the alert description.
14. Lastly, click the Save button to save the configuration.
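The Splunk side of this procedure (steps 4 to 14) is what the Splunk web console writes into savedsearches.conf. The stanza below is an added example, not from SIRP's or Splunk's documentation; the alert name, search, schedule and mailbox address are constructed placeholders.

```ini
# savedsearches.conf in an app's local/ directory (constructed example)
[SIRP - Failed logins from a single source]
# Constructed search; replace with the search you saved as an alert
search = index=main sourcetype=linux_secure "Failed password" | stats count by src | where count > 20
# "All time" time range, as selected in the Search page
dispatch.earliest_time = 0
dispatch.latest_time = now
# Scheduled alert that runs every 5 minutes
enableSched = 1
cron_schedule = */5 * * * *
# Trigger condition: fire when the number of results is greater than 0
counttype = number of events
relation = greater than
quantity = 0
# Record each trigger in Triggered Alerts
alert.track = 1
# Trigger action: Send an email (To, Subject, Message body)
action.email = 1
action.email.to = sirp-splunk-mailbox@example.com
action.email.subject = $name$
action.email.message.alert = Alert "$name$" fired with $job.resultCount$ results. See attached results.
action.email.sendresults = 1
action.email.inline = 1
```

Because the time range is All time, every scheduled run re-evaluates the full history and can re-send results already mailed; alert.suppress = 1 with an alert.suppress.period throttles such duplicates before they reach the SIRP mailbox.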
1. Next, log in to SIRP, then go to Apps from the left navigation bar.
2. Locate the app named Splunk.
3. Enable the Splunk app by clicking on the toggle button under the Status column.
4. As soon as you enable the App, you will get an option to add the configuration details. Add the following details and click Save:
a. Base-URL: <IP/URL of Splunk instance>
b. Username: <Username to Login Splunk>
c. Password: <Password to Login Splunk>
For Ingestion Source
1. Go to Administration => Apps => Ingestion sources and insert the required information according to the displayed configuration windows.
2. Set the Ingestion method to Email.
3. Set Ingestion type to Incident.
4. Set Actions to get_custom_alerts.
5. The folder name should be distinctive, such as Splunk.
6. Click the Create button to save the configuration.
After the last step, SIRP will start collecting alerts from Splunk's dedicated Mailbox.