Splunk

This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Splunk.

The Dropzone AI Platform integrates with Splunk Enterprise, a SIEM tool. Dropzone can perform analysis of Splunk-generated alerts, and/or use Splunk data as part of investigation analysis. Many customers ingest other alert sources into Splunk (e.g. IDPs) and integrate Dropzone into Splunk rather than the source systems.

Dropzone communicates with Splunk Enterprise using the Dropzone Connector.

Create a Splunk User

To enable Splunk, you will need to create a Splunk user.

To create a Splunk user, do the following:

  • In the Home Menu of Splunk Enterprise, navigate to Settings > Users

  • Click "New User"

  • Create a name (e.g. dropzone) and password. Save them for use later in the Dropzone UI, where they are called "Username" and "Password" respectively

  • Assign the user a role that has access to the data you want Dropzone to be able to access

  • If two-factor authentication is enabled, provide the Duo username

  • Click "Create"

Enable the Dropzone Data Source Integration

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Data Sources" in the top left corner

  • In the SIEM section, find the Splunk tile and click "Connect"

  • Input the Server (e.g. splunk.corp.example.net)

  • Input the Username and Password

  • Click "Test & Save"

Enable the Dropzone Alert Source Integration

In addition to data source integration, Dropzone can be configured to monitor and investigate specific incident types from Splunk.

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Alert Sources"

  • In the SIEM section, find the Splunk tile and click "Connect"

  • Input the Server (e.g. splunk.corp.example.net)

  • Input the Username and Password

  • Under "Splunk Alert Search", input a Splunk SPL search query that identifies the alerts Dropzone should investigate

  • Click "Test & Save"
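As an added example (not part of the original documentation), a search of the kind you could enter under "Splunk Alert Search": it assumes Splunk Enterprise Security notable events (the `notable` macro and its status_label, urgency, event_id, rule_name, rule_title and security_domain fields) and selects only new high- and critical-urgency notables.

```spl
`notable`
| search status_label="New" urgency IN ("high", "critical")
| table _time, event_id, rule_name, rule_title, security_domain, urgency, src, dest, user
| sort -_time
```

The result columns Dropzone expects and the time range it applies when it runs the search are not stated on this page; confirm them with your Dropzone AI support representative before saving.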

If you have any errors or questions, engage your Dropzone AI support representative.
