About Splunk Cloud
Splunk Cloud is a cloud-based platform that allows organizations to search, monitor, and analyze machine-generated big data via a web-style interface. Integrating Splunk Cloud with SIRP enables security teams to automate tasks such as incident creation, updates, and synchronization of comments, thereby enhancing response efficiency and reducing incident resolution time.
Supported Actions
SIRP's Splunk Cloud integration supports the following actions:
| S.No | Action | Description |
|---|---|---|
| 1 | Fetch Notables | Retrieves notable events from Splunk Cloud |
| 2 | Update Notable | Updates the status or owner of a notable event in Splunk |
| 3 | Add Comment | Adds a comment to a notable event in Splunk |
| 4 | Fetch Comments | Retrieves comments from a notable event in Splunk |
Enable and Configure Splunk Cloud Integration
On Splunk
Step 1: Enable Splunk API Access
Splunk's REST API is enabled by default, but you must configure a role and user with the permissions SIRP needs to read and update notable events. On Splunk Cloud Platform the management port (8089) is reachable only from IP addresses on the search head's API access allow list, so have your Splunk administrator add the egress address of your SIRP instance before testing the connection.
1.1 Create an API User for SIRP
To let SIRP read and edit notable events, create a dedicated role and user rather than reusing an administrator account:
Create a new role named sirp_api:
    Navigate to Settings > Users and Authentication > Access Controls in Splunk Cloud.
    Click Roles, then New Role.
    Name the role sirp_api.
    Assign the following capabilities to the sirp_api role:
        edit_notable_events
        list_search_jobs
        search
        rest_properties_get
        rest_properties_set
    Note that rest_properties_get and rest_properties_set are broad capabilities (they allow reading and changing configuration properties over the REST API). Grant the role only the capabilities listed here; never add admin_all_objects or other administrative capabilities to it.
Grant index privileges:
    Ensure the sirp_api role can search the following indexes:
        notable
        main (if needed for searching)
        Other relevant security indexes
    Splunk roles grant search (read) access to indexes. Status, owner and comment changes on a notable are made through the Enterprise Security notable update endpoint, which the edit_notable_events capability authorizes, so the role needs no direct write access to the notable index.
Create a new user named sirp_user:
    Navigate to Users > New User.
    Set Username to sirp_user.
    Assign a strong, unique password; this credential is stored in SIRP, so do not share it with any other integration.
    Assign the sirp_api role to this user.
    Save the user configuration.
Step 2: Enable the Splunk Cloud App in SIRP
Log in to SIRP:
Access your SIRP instance using your credentials.
Enable the Splunk Cloud App:
Navigate to the Apps section from the left navigation bar.
Locate the app named Splunk Cloud.
Enable the app by clicking the toggle button under the Status column.
Configure the Splunk Cloud App:
Click the Configure icon next to the Splunk Cloud app.
Enter the following configuration details:
Configuration Name: <Your Configuration Name for Splunk Cloud>
Base URL: https://<splunk-cloud-url>:8089
Username: sirp_user
Password: <Password for sirp_user>
Click Save.
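Before saving the configuration in SIRP it is worth confirming that sirp_user can actually reach port 8089 and holds exactly the capabilities listed in Step 1, no more and no fewer. The script below is an added example and is not part of SIRP or of Splunk; it assumes the host, username and password are supplied in the environment variables SPLUNK_HOST, SPLUNK_USER and SPLUNK_PASSWORD (names chosen for this example), and that Splunk's /services/authentication/current-context endpoint, queried with output_mode=json, returns the caller's roles and effective capabilities. The embedded SAMPLE_CONTEXT is a constructed response used when no host is configured, so the check also runs offline.

```python
"""Pre-flight check for the SIRP API user on Splunk Cloud (added example).

Assumes SPLUNK_HOST / SPLUNK_USER / SPLUNK_PASSWORD env vars (names chosen
here) and the current-context REST endpoint's JSON shape.
"""
import base64
import json
import os
import urllib.request

# Capabilities the sirp_api role must carry, as listed in the setup steps.
REQUIRED_CAPABILITIES = (
    "edit_notable_events",
    "list_search_jobs",
    "search",
    "rest_properties_get",
    "rest_properties_set",
)

# Administrative capabilities that must never sit on an integration account.
OVERPRIVILEGED = ("admin_all_objects", "edit_user", "edit_roles")


def base_url(host: str, port: int = 8089) -> str:
    """Build the Base URL the SIRP app expects from a bare or scheme-prefixed host."""
    host = host.strip()
    for prefix in ("https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return f"https://{host.rstrip('/')}:{port}"


def effective_capabilities(current_context: dict) -> set:
    """Collect capability names from a current-context JSON response."""
    caps = set()
    for entry in current_context.get("entry", []):
        caps.update(entry.get("content", {}).get("capabilities", []))
    return caps


def missing_capabilities(current_context: dict, required=REQUIRED_CAPABILITIES) -> list:
    """Required capabilities the account lacks, in the order they are listed."""
    have = effective_capabilities(current_context)
    return [c for c in required if c not in have]


def excess_capabilities(current_context: dict, watch=OVERPRIVILEGED) -> list:
    """Administrative capabilities the account holds but the integration does not need."""
    have = effective_capabilities(current_context)
    return [c for c in watch if c in have]


def fetch_current_context(url: str, user: str, password: str) -> dict:
    """Live call: ask Splunk which roles and capabilities the caller has."""
    req = urllib.request.Request(
        url + "/services/authentication/current-context?output_mode=json"
    )
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=15) as resp:  # TLS verified by default
        return json.load(resp)


# Constructed sample: a sirp_user whose role is missing one required capability.
SAMPLE_CONTEXT = {
    "entry": [{
        "name": "context",
        "content": {
            "username": "sirp_user",
            "roles": ["sirp_api"],
            "capabilities": ["edit_notable_events", "list_search_jobs",
                             "search", "rest_properties_get"],
        },
    }]
}


def report(current_context: dict) -> bool:
    """Print a verdict; return True only when the account is ready for the SIRP app."""
    missing = missing_capabilities(current_context)
    excess = excess_capabilities(current_context)
    for cap in missing:
        print(f"MISSING capability: {cap}")
    for cap in excess:
        print(f"OVERPRIVILEGED: remove {cap} from the integration role")
    if not missing and not excess:
        print("sirp_user has exactly the capabilities the integration needs")
    return not missing and not excess


if __name__ == "__main__":
    host = os.environ.get("SPLUNK_HOST")
    if host:
        ctx = fetch_current_context(
            base_url(host), os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASSWORD"]
        )
    else:
        ctx = SAMPLE_CONTEXT  # offline run against the constructed sample
    raise SystemExit(0 if report(ctx) else 1)
```

Run it once with the environment variables set; a non-zero exit means either a listed capability is missing (the integration will fail on that action) or the account carries administrative rights it should not have. A connection error or HTTP 403 at this stage usually points at the IP allow list rather than at the credentials.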