Splunk Cloud Integration Guide
Written by Ali Murtaza
Updated over 2 weeks ago

About Splunk Cloud

Splunk Cloud is a cloud-based platform that allows organizations to search, monitor, and analyze machine-generated big data via a web-style interface. Integrating Splunk Cloud with SIRP enables security teams to automate tasks such as incident creation, updates, and synchronization of comments, thereby enhancing response efficiency and reducing incident resolution time.

Supported Actions

SIRP's Splunk Cloud integration supports the following actions:

S.No  Action           Description
1     Fetch Notables   Retrieves notable events from Splunk Cloud
2     Update Notable   Updates the status or owner of a notable event in Splunk
3     Add Comment      Adds a comment to a notable event in Splunk
4     Fetch Comments   Retrieves comments from a notable event in Splunk

Enable and Configure Splunk Cloud Integration

On Splunk

Step 1: Enable Splunk API Access

Splunk's REST API is enabled by default, but you must configure user roles and permissions to allow SIRP to interact with notable events.

1.1 Create an API User for SIRP

To read and edit notable events, perform the following steps:

  1. Create a new role: sirp_api

    • Navigate to Settings > Users and Authentication > Access Controls in Splunk Cloud.

    • Click on Roles, then New Role.

    • Name the role sirp_api.

  2. Assign the following capabilities to the sirp_api role:

    • edit_notable_events

    • list_search_jobs

    • search

    • rest_properties_get

    • rest_properties_set

  3. Grant Index Privileges:

    • Ensure the sirp_api role has read/write access to the following indexes:

      • notable

      • main (if needed for searching)

      • Other relevant security indexes

  4. Create a new user (sirp_user):

    • Navigate to Users > New User.

    • Set Username to sirp_user.

    • Assign a secure Password.

    • Assign the sirp_api role to this user.

    • Save the user configuration.
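A pre-flight check for the account created above, as an added example that is not part of this guide or of SIRP's Splunk Cloud app: it reads the sirp_api role definition over Splunk's management REST API and reports which of the capabilities and indexes listed in Step 1.1 are still missing, so the gap is found before the app is enabled in SIRP. The /services/authorization/roles endpoint and the capabilities, imported_capabilities, srchIndexesAllowed and imported_srchIndexesAllowed fields are Splunk's REST API, not something the guide mentions; the script name and the embedded sample response are constructed for the example. The Base URL, username and password are the same values you later enter in Step 2.

```python
"""check_sirp_role.py (hypothetical name): verify the sirp_api role before
enabling the SIRP Splunk Cloud app. Added example, not SIRP's own code."""
import base64
import json
import ssl
import sys
import urllib.request

# Capabilities the guide assigns to the sirp_api role in Step 1.1.
REQUIRED_CAPABILITIES = {
    "edit_notable_events",
    "list_search_jobs",
    "search",
    "rest_properties_get",
    "rest_properties_set",
}
# Indexes the guide requires; "main" is optional, so only "notable" is checked.
REQUIRED_INDEXES = {"notable"}

# Constructed sample of a GET /services/authorization/roles/sirp_api
# response (output_mode=json), deliberately missing one capability and the
# notable index so the checker has something to report.
SAMPLE_ROLE_JSON = json.dumps({
    "entry": [{
        "name": "sirp_api",
        "content": {
            "capabilities": ["edit_notable_events", "search",
                             "list_search_jobs", "rest_properties_get"],
            "imported_capabilities": [],
            "srchIndexesAllowed": ["main"],
            "imported_srchIndexesAllowed": [],
        },
    }],
})


def parse_role(role_json: str) -> dict:
    """Collect own and inherited capabilities/indexes from a role entry.
    srchIndexesAllowed covers search (read) access only; write access to the
    notable index is not visible through this field."""
    entry = json.loads(role_json)["entry"][0]
    content = entry["content"]
    caps = set(content.get("capabilities", [])) | set(content.get("imported_capabilities", []))
    idx = set(content.get("srchIndexesAllowed", [])) | set(content.get("imported_srchIndexesAllowed", []))
    return {"name": entry["name"], "capabilities": caps, "indexes": idx}


def missing_capabilities(role: dict) -> set:
    return REQUIRED_CAPABILITIES - role["capabilities"]


def missing_indexes(role: dict) -> set:
    # A wildcard entry grants search on every index, so nothing is missing.
    if "*" in role["indexes"]:
        return set()
    return REQUIRED_INDEXES - role["indexes"]


def check_role(role_json: str) -> dict:
    """Return a summary with sorted lists of what Step 1.1 still needs."""
    role = parse_role(role_json)
    return {
        "role": role["name"],
        "missing_capabilities": sorted(missing_capabilities(role)),
        "missing_indexes": sorted(missing_indexes(role)),
    }


def fetch_role(base_url: str, username: str, password: str, role: str) -> str:
    """Read the role over the management port (8089) using basic auth.
    TLS verification stays on; Splunk Cloud presents a trusted certificate."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"{base_url.rstrip('/')}/services/authorization/roles/{role}?output_mode=json"
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    if len(sys.argv) == 4:
        base_url, user, pwd = sys.argv[1:4]
        body = fetch_role(base_url, user, pwd, "sirp_api")
    else:
        print("no credentials given; checking the constructed sample instead")
        body = SAMPLE_ROLE_JSON
    print(json.dumps(check_role(body), indent=2))
```

Run it as `python check_sirp_role.py https://<splunk-cloud-url>:8089 sirp_user '<password>'`; an empty missing_capabilities and missing_indexes list means Step 1 is complete for the search side, and any name that does appear is the capability or index to add to the role before continuing with Step 2.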

Step 2: Enable the Splunk Cloud App in SIRP

  1. Log in to SIRP:

    • Access your SIRP instance using your credentials.

  2. Enable the Splunk Cloud App:

    • Navigate to the Apps section from the left navigation bar.

    • Locate the app named Splunk Cloud.

    • Enable the app by clicking the toggle button under the Status column.

  3. Configure the Splunk Cloud App:

    • Click the Configure icon next to the Splunk Cloud app.

    • Enter the following configuration details:

      • Configuration Name: <Your Configuration Name for Splunk Cloud>

      • Base URL: https://<splunk-cloud-url>:8089

      • Username: sirp_user

      • Password: <Password for sirp_user>

    • Click Save.