
SIEM Configuration Guide for Splunk Enterprise and Cloud Platform

This article provides information on prerequisites and how to configure a Service Connector to forward events or audit logs to the Splunk security information and event management (SIEM) solution.

Prerequisites

Make sure the following prerequisites are met:

  • Have network connectivity between the Service Connector and the Splunk server on the HTTP Event Collector (HEC) TCP port. The default HEC port is 8088.
  • Use the HTTP or HTTPS protocol that matches the Splunk HEC configuration. HTTPS is strongly recommended: over plain HTTP the HEC token and the forwarded logs cross the network unencrypted.

Configuring a Service Connector to Forward Events to Splunk Enterprise and Cloud Platform

Follow these steps to forward events to Splunk Enterprise and Cloud Platform:

    1. Log in to a Splunk instance.
    2. Go to Settings > Data Inputs > HTTP Event Collector.
    3. Click Global Settings.

    4. In the Edit Global Settings window:

      • All Tokens: Select Enabled.
      • Default Source Type: Select _json from the drop-down menu.
      • Select the Enable SSL checkbox.

    5. Click Save.
    6. On the HTTP Event Collector page, click New Token.

    7. In the Add Data wizard:
      1. On the Select Source page:
        1. Enter a Name for the new token.

        2. Click Next.
      2. On the Input Settings page:
        1. Select _json from the Select Source Type drop-down menu.

        2. Click Review.
      3. On the Review page, verify the configuration and click Submit.

        The HEC token value is generated.

      4. Copy the token value. You enter it later as the Key of the ITDR SIEM integration; treat it as a credential, because anyone holding it can write events into your Splunk index.

    With the HEC token created, configure the integration in the Zscaler ITDR Admin Portal:

    1. In the Zscaler ITDR Admin Portal, go to Orchestrate > SIEM Integrations.
    2. Click Add Integration, and select Splunk from the drop-down menu.

    3. In the Splunk Details window:
      • Name: Enter a name for the Splunk SIEM integration.
      • Enabled: Select to enable SIEM integration.
      • Service Connector: Select a Service Connector from the drop-down menu. The selected Service Connector is the component that forwards the logs to Splunk, so it must have network access to the Splunk HEC endpoint.
      • Type of logs: Select an option from the drop-down menu.
        • Events: Forward events to Splunk.
        • Audit logs: Forward audit logs to Splunk.
      • Include Safe Events: Enable to forward the events that are marked as safe to Splunk.
      • Filter: Enter queries if you want to filter the logs before forwarding them to Splunk. If this field is blank, all logs are forwarded to Splunk.

        The Filter option is available only for event logs.

      • Host: Enter the IP address or FQDN of the Splunk server, or the Splunk Cloud Platform hostname.

        For Splunk Cloud Platform, HEC listens on a separate hostname with the prefix http-inputs- (as documented by Splunk). For example, if the instance URL is <Splunk instance>.splunkcloud.com, enter http-inputs-<Splunk instance>.splunkcloud.com.

      • Port: Enter the HEC port. For Splunk Enterprise this is 8088 by default; Splunk Cloud Platform exposes HEC on port 443.
      • Data Source: Enter a log identifier. You can use this identifier to filter logs in Splunk.
      • Key: Enter the token ID that you generated.
      • Strict SSL: If enabled, the Service Connector validates the Splunk server's TLS certificate against a list of public certificate authorities and rejects the connection if validation fails. If disabled, certificate verification is skipped, which allows an on-path attacker to intercept the token and the forwarded logs. Leave it enabled in production; a Splunk server with a self-signed or private-CA certificate will fail strict validation, so fix the certificate rather than disabling the check.
      • Use Proxy Settings (if available): Enable if you want to use proxy settings on the Service Connector, if available. This can be useful for Splunk cloud instances.

    4. Click Save.

      The Splunk SIEM integration entry is added.

    To test the Splunk SIEM integration, generate events on the Investigate page, then search the Splunk instance for the Data Source identifier you entered. The forwarded logs appear in Splunk.
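    Before saving the integration, it is worth exercising the HEC endpoint directly with the same settings the Service Connector will use: the hostname (with the http-inputs- rewrite for Splunk Cloud Platform), the port, the token, and the Strict SSL choice. The following pre-flight check is an added example, not Zscaler or Splunk code. It assumes a Splunk HEC token, a host and a port that you supply; the Data Source identifier is sent as the HEC source field (an assumption, since the page does not state which Splunk field the portal maps it to), and the test event is constructed.

```python
"""Pre-flight check for a Splunk HEC endpoint before wiring it into ITDR.

Added example; not Zscaler ITDR or Splunk code. The helper functions are
pure so they can be checked offline; send_test_event() performs the real
HTTP POST against the HEC collector endpoint.
"""
import json
import ssl
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/event"


def hec_host(host: str) -> str:
    """Hostname the collector actually listens on.

    Splunk Cloud Platform exposes HEC on an http-inputs- prefixed hostname
    (per Splunk's HEC documentation); Splunk Enterprise uses the server's own
    hostname. Idempotent: an already-prefixed host is returned unchanged.
    """
    if host.endswith(".splunkcloud.com") and not host.startswith("http-inputs-"):
        return "http-inputs-" + host
    return host


def hec_url(host: str, port: int = 8088, use_https: bool = True) -> str:
    """Full collector URL. 8088 is the Splunk Enterprise default; Cloud uses 443."""
    scheme = "https" if use_https else "http"
    return f"{scheme}://{hec_host(host)}:{port}{HEC_PATH}"


def hec_payload(event: dict, source: str, sourcetype: str = "_json") -> bytes:
    """Body for one HEC event. `source` carries the ITDR Data Source identifier
    (assumed mapping) so the event can be filtered in Splunk; _json matches the
    source type selected when the token was created."""
    body = {"event": event, "source": source, "sourcetype": sourcetype}
    return json.dumps(body).encode()


def ssl_context(strict: bool) -> ssl.SSLContext:
    """strict=True mirrors 'Strict SSL' enabled: the certificate must chain to
    a trusted CA and match the hostname. strict=False drops both checks, which
    exposes the token and the logs to an on-path attacker; lab use only."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def parse_hec_response(body: bytes) -> tuple:
    """HEC returns {"text": "Success", "code": 0} on acceptance. Any other code
    is an error, e.g. 1 = Token disabled, 4 = Invalid token."""
    data = json.loads(body)
    return data.get("code") == 0, data.get("text", "")


def send_test_event(host: str, port: int, token: str, source: str,
                    strict_ssl: bool = True, use_https: bool = True,
                    timeout: float = 10.0) -> tuple:
    """POST one constructed event with the HEC token in the Authorization
    header and return (accepted, message) from the collector's reply."""
    event = {"message": "ITDR HEC pre-flight", "severity": "info"}  # constructed
    req = urllib.request.Request(
        hec_url(host, port, use_https),
        data=hec_payload(event, source),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl_context(strict_ssl) if use_https else None
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_hec_response(resp.read())
    except urllib.error.HTTPError as err:
        # 401/403 replies still carry the HEC error JSON (bad/disabled token).
        return parse_hec_response(err.read())


if __name__ == "__main__":
    # Hypothetical values; replace with your own host, port and token.
    ok, msg = send_test_event("acme.splunkcloud.com", 443, "00000000-0000-0000-0000-000000000000",
                              source="zscaler-itdr", strict_ssl=True)
    print("accepted" if ok else "rejected", msg)
```

    If the check returns "Invalid token" or "Token disabled", revisit the HEC token and the All Tokens global setting before touching the ITDR side; if it fails only with strict_ssl=True, the Splunk certificate is the problem, not the integration.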
