Splunk Email-based Integration
Written by Ali Murtaza

Introduction

Splunk Enterprise is an analytics-driven SIEM made of five distinct frameworks that can be leveraged independently to meet a wide range of security use cases including compliance, application security, incident management, advanced threat detection, real-time monitoring, and more.

With Splunk, organizations can improve security and better manage risk by integrating teams, processes, and tools. Security teams can automate tasks, orchestrate workflows, and support a broad range of security operations center (SOC) functions including incident management, collaboration, and reporting.

Supported Actions

SIRP’s Splunk integration app allows you to execute the following actions:

Action            | Description
------------------|------------------------------------------
Get User Events   | Get events related to the specified user
Get Custom Alerts | Get custom alerts from Splunk

Splunk Alert Configuration

Set Splunk to Send Alerts via Email

The following steps configure a Splunk alert to deliver its results by email.

1. Login to the Splunk web console.

2. From the left navigation bar, click on Search & Reporting.

3. Under Search, set the time range to All time.

4. To save your search as an alert, click Save As from the search page.

5. Click Alert, and a configuration window will pop up.

6. Next, save your search as an alert.

  • Alerts monitor your data and alert you when the specified trigger conditions are met.

7. Select the Alert that you want to send to SIRP.

8. Set your alert type to All-time.

9. Set trigger conditions; these let you specify what triggers your alert.

  • You can trigger an alert on a per-result basis, by the number of results, by the number of hosts, by the number of sources, or even with a custom trigger condition.

10. To add the email alert action, go to Trigger Actions and select Add Actions > Send an email.

11. Insert the email address in To.

12. Set the Subject according to the Alert title.

13. Insert Message body as per Alert description.

14. Lastly, click the Save button to save the configuration.
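The same alert can be defined directly in savedsearches.conf instead of through the Save As dialog. The stanza below is an added example, not part of the SIRP article or Splunk's documentation; the alert name, the search string, the recipient mailbox, the subject/body text and the 5-minute schedule are placeholders or assumptions to replace with your own values.

```ini
# savedsearches.conf stanza equivalent to steps 4-14 above (added example).
# Stanza name = alert name (placeholder).
[SIRP Custom Alert]
# The search whose results raise the alert (placeholder SPL; use your own).
search = index=security sourcetype=auth action=failure | stats count by user
# "All time" range from step 3: epoch 0 through now.
dispatch.earliest_time = 0
dispatch.latest_time = now
# Run on a schedule; the interval is an assumption, the article states none.
enableSched = 1
cron_schedule = */5 * * * *
# Trigger condition (step 9): fire when the search returns more than 0 results.
counttype = number of events
relation = greater than
quantity = 0
# One email per run instead of one per result, and record fired alerts
# under Triggered Alerts so they can be audited later.
alert.digest_mode = 1
alert.track = 1
# Email action (steps 10-13). Send only to the dedicated mailbox that SIRP
# polls (see "For Ingestion Source"); the address below is a placeholder.
action.email = 1
action.email.to = splunk-alerts@sirp.example.com
# $name$ and $job.resultCount$ are Splunk alert tokens expanded at send time.
action.email.subject = Splunk Alert: $name$
action.email.message.alert = Alert $name$ fired with $job.resultCount$ result(s).
# Attach the triggering results inline so the SIRP incident carries the
# event details the analyst needs.
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

Restart Splunk or reload the app after editing the file, then confirm the alert appears under Settings > Searches, reports, and alerts with the email action listed.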

SIRP Configuration

1. Next, log in to SIRP, then go to Apps from the left navigation bar.

2. Locate the app named Splunk.

3. Enable the Splunk app by clicking on the toggle button under the Status column.

4. As soon as you enable the App, you will get an option to add the configuration details. Add the following details and click Save:

a. Base-URL: <IP/URL of Splunk instance>

b. Username: <Username to Login Splunk>

c. Password: <Password to Login Splunk>

For Ingestion Source

1. Go to Administration => Apps => Ingestion sources and insert the required information according to the displayed configuration windows.

2. Set the Ingestion method to Email.

3. Set Ingestion type to Incident.

4. Set Actions to get_custom_alerts.

5. The folder name should be distinctive such as Splunk.

6. Click the Create button to save the configuration.

After the last step, SIRP will start collecting alerts from Splunk's dedicated Mailbox.
