search
WebsiteTest DriveStatus

Splunk

circle-info

Splunk is an SIEM integration. SIEM integrations are used to perform analysis of any SIEM generated alerts, and/or to use generated data as part of investigation analysis.

The Dropzone platform integrates with the Splunkarrow-up-right security SIEM. Many customers ingest other alert sources into Splunk (e.g. IDPs) and integrate Dropzone into Splunk rather than the source systems.

Dropzone communicates to Splunk Enterprise using the Dropzone Connector.

There are two methods to integrate with Dropzone AI: creating a Splunk User or configuring an API token. To create an API token, follow instructions in Splunk's documentationarrow-up-right.

hashtag
Create a Splunk User

To create a Splunk user, do the following:

  • In the Home Menu of Splunk Enterprise, navigate to Settings > Users

Navigate to Users

  • Click "New User"

Click New User

  • Name the user something memorable, such as Dropzone AI, and create a password. Save them for use later in the Dropzone UI where they are called "Username" and "Password" respectively

  • In the "Assign Roles" section, assign the user the "User" role

circle-info

You may need to add capabilitiesarrow-up-right to this role depending on the level of access you want Dropzone to have. If you would like to limit the indexes Dropzone has access to, you will need to create a custom role with inherited permissions from the user role. See the Splunk documentationarrow-up-right for more information on creating custom roles.

  • If two-factor authentication is enabled, provide the Duo username

Fill out fields for New User

  • Click "Create"

Create new user

hashtag
Enable Splunk

To enable the Data Source integration, you'll need the following information:

Dropzone Field
Source

Server

The hostname or IP address of your Splunk server, e.g splunk.corp.example.net

Password

The username of the Splunk user you created earlier

Password

The password of the Splunk user you created earlier

circle-info

If you chose to create an API token instead of a Splunk user, you will need to use the API token instead.

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, navigate to Settings > Integrations

Integrations Dropdown

  • Click "Available"

Click Available

  • In the Search bar, search Splunk, then click "Configure"

The Splunk Tile

  • Input your Splunk Server and port

The Splunk Data Source Configuration (pt 1)

  • If you created a Splunk User, under "Authentication Method," select Password. If you created an API token, select Token

The Splunk Data Source Configuration (pt 2)

  • Input your authentication details

The Splunk Data Source Configuration (pt 3)

  • If you wish for Dropzone to only investigate specific indexes, click "Add Item" in the Index Allow List section. Input the list of Splunk indexesarrow-up-right you want Dropzone to investigate. Otherwise, leave blank

The Splunk Data Source Configuration (pt 4)

  • If you want to further customize Dropzone's query configuration, check the box next to "Enable" in the "Advanced: Query Configuration" section. Then input your desired index selection tips, query tips, query examples, and macroarrow-up-right configuration

The Splunk Data Source Configuration (pt 5)

  • Click "Test & Save" to finish

If you have any errors or questions, engage your Dropzone AI support representative.

PreviousShodanNextSumo Logic

Last updated

Was this helpful?