ZCSPM
Integrating with Splunk
ZCSPM uses Splunk APIs to push configuration metadata for either all assets with failed status or only high-risk assets with failed status. You can configure the Splunk integration with ZCSPM to create time-sensitive alerts, such as high-risk security policy failures for AWS S3 buckets with public access. Your SOC team can immediately flag such issues and take action.
The configuration metadata is pushed to Splunk whenever ZCSPM finishes a metadata scan.
To integrate Splunk with ZCSPM:
- On the ZCSPM Admin Portal, go to Configurations > Integrations.
- In the Splunk Integration tile, click Edit.
- In the General Information section, enter the following information:
- Name: Enter the Splunk integration name.
- Splunk HTTP Event Collector (HEC) URL: Enter the Splunk HEC URL here. To learn more, see Splunk Documentation.
- Authorization Token: Enter the HEC authorization token which ZCSPM will use to push data into Splunk.
- (Optional) Source Type: An optional field that identifies the data format (source type) of the events sent to the HEC.
- (Optional) Index: An optional field that identifies the Splunk data repository (index) the events are written to.
- Status: Select Enable to activate the integration.
- In the Scope section, enter the following information:
- Cloud Accounts: Select the cloud accounts for which ZCSPM should send configuration metadata.
- Scope of Assets: Select whether you want configuration metadata sent for all assets which have failed status or high risk assets with failed status.
- Click Save.
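Before saving the integration it is worth confirming that the HEC URL, token, source type and index entered above actually accept an event, since ZCSPM only pushes data after a metadata scan completes and a bad token would surface late. The script below is an added example and is not ZCSPM's or Splunk's own code. It assumes the HEC URL is the collector base (for example https://splunk.example:8088) and appends Splunk's standard /services/collector/event path; the HEC_URL, HEC_TOKEN, HEC_SOURCETYPE and HEC_INDEX environment variable names are hypothetical. The request shape (token in the Authorization header, optional sourcetype and index in the JSON envelope) and the HEC response codes are Splunk's documented behaviour.

```python
"""Pre-flight check for a Splunk HEC integration (added example, not ZCSPM code).

Builds the request a HEC integration sends (token in the Authorization header,
optional sourcetype/index in the JSON envelope) and interprets Splunk's reply so
a disabled token, wrong token or non-existent index is caught before Save.
"""
import json
import os
import time
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

# HEC response codes as documented by Splunk; anything else gets a generic message.
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",
    8: "Internal server error",
}


def build_hec_request(hec_url: str, token: str, event: dict,
                      sourcetype: Optional[str] = None,
                      index: Optional[str] = None,
                      event_time: Optional[float] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Return (endpoint, headers, body) for one HEC event.

    Assumption: hec_url is the collector base (https://host:8088) and the
    JSON event endpoint /services/collector/event is appended to it.
    """
    endpoint = hec_url.rstrip("/") + "/services/collector/event"
    headers = {
        "Authorization": f"Splunk {token}",   # HEC expects the "Splunk <token>" scheme
        "Content-Type": "application/json",
    }
    envelope = {"event": event,
                "time": event_time if event_time is not None else time.time()}
    if sourcetype:          # mirrors the optional Source Type field in the ZCSPM form
        envelope["sourcetype"] = sourcetype
    if index:               # mirrors the optional Index field in the ZCSPM form
        envelope["index"] = index
    return endpoint, headers, json.dumps(envelope).encode("utf-8")


def interpret_hec_response(status: int, body: bytes) -> Tuple[bool, str]:
    """Map the HTTP status plus HEC JSON body to (ok, human-readable reason)."""
    try:
        payload = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        # A proxy or load balancer in front of HEC typically answers with HTML here.
        return False, f"HTTP {status}: non-JSON response from collector"
    code = payload.get("code")
    text = payload.get("text") or HEC_CODES.get(code, "Unknown HEC response")
    ok = status == 200 and code == 0
    return ok, f"HTTP {status}, HEC code {code}: {text}"


def send_test_event(hec_url: str, token: str,
                    sourcetype: Optional[str] = None,
                    index: Optional[str] = None) -> Tuple[bool, str]:
    """Send one constructed test event over HTTPS; certificate verification stays on."""
    test_event = {"source": "hec-preflight", "message": "ZCSPM integration test event"}
    endpoint, headers, body = build_hec_request(hec_url, token, test_event, sourcetype, index)
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_hec_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # HEC reports token/index problems as 4xx with a JSON body; still interpret it.
        return interpret_hec_response(err.code, err.read())


if __name__ == "__main__":
    url, tok = os.environ.get("HEC_URL"), os.environ.get("HEC_TOKEN")
    if url and tok:
        ok, reason = send_test_event(url, tok,
                                     os.environ.get("HEC_SOURCETYPE"),
                                     os.environ.get("HEC_INDEX"))
        print(("OK" if ok else "FAILED") + " - " + reason)
    else:
        print("Set HEC_URL and HEC_TOKEN (optionally HEC_SOURCETYPE, HEC_INDEX) to run the live check")
```

Run it with the same values you are about to enter in the General Information section; a "HEC code 0: Success" result means the token is valid and the index exists, while codes 1, 4 and 7 point at a disabled token, a wrong token and a non-existent index respectively. The check sends a single clearly labelled test event, so it is also visible afterwards in the index search described below.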
To view the configuration metadata on Splunk:
- In Splunk Cloud, go to Apps > Search & Reporting.
- You can search the index that you configured ZCSPM to send configuration metadata to by entering the following command in the search bar:
index="<index name>"