Splunk
Last updated
Was this helpful?
Last updated
Was this helpful?
The Dropzone AI Platform integrates with Splunk Enterprise, a SIEM tool. Dropzone can perform analysis of Splunk-generated alerts, and/or use Splunk data as part of investigation analysis. Many customers ingest other alert sources into Splunk (e.g. IDPs) and integrate Dropzone into Splunk rather than the source systems.
Dropzone communicates to Splunk Enterprise using the .
To enable Splunk, you will need to create a Splunk user.
To create a Splunk user, do the following:
In the Home Menu of Splunk Enterprise, Navigate to Settings > Users
Click on "New User"
Create a name (e.g. dropzone) and password. Save them for use later in the Dropzone UI where they are called "Username" and "Password" respectively
Assign a role to the User that will have access to the data you want Dropzone to be able to access
If two-factor authentication is enabled, provide the Duo username
Click "Create"
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Data Sources" in the top left corner
In the SIEM section, find the Splunk tile and click "Connect"
Input the Server (e.g. splunk.corp.example.net)
Input the Username and Password
Click "Test & Save"
In addition to data source integration, Dropzone can be configured to monitor and investigate specific incident types from Splunk.
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Alert Sources"
In the SIEM section, find the Splunk tile and click "Connect"
Input the Server (e.g. splunk.corp.example.net)
Input the Username and Password
Click "Test & Save"
If you have any errors or questions, engage your Dropzone AI support representative.
Under "Splunk Alert Search", you must input a Splunk search query to identify alerts to investigate
