Splunk

This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Splunk.

The Dropzone AI Platform integrates with Splunk Enterprise, a SIEM tool. Dropzone can perform analysis of Splunk-generated alerts, and/or use Splunk data as part of investigation analysis. Many customers ingest other alert sources into Splunk (e.g. IDPs) and integrate Dropzone into Splunk rather than the source systems.

Dropzone communicates to Splunk Enterprise using the Dropzone Connector.

Create a Splunk User

To enable Splunk, you will need to create a Splunk user.

To create a Splunk user, do the following:

  • In the Home Menu of Splunk Enterprise, Navigate to Settings > Users

  • Click on "New User"

  • Create a name (e.g. dropzone) and password. Save them for use later in the Dropzone UI where they are called "Username" and "Password" respectively

  • Assign a role to the User that will have access to the data you want Dropzone to be able to access

  • If two-factor authentication is enabled, provide the Duo username

  • Click "Create"

Enable the Dropzone Data Source Integration

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Data Sources" in the top left corner

  • In the SIEM section, find the Splunk tile and click "Connect"

  • Input the Server (e.g. splunk.corp.example.net)

  • Input the Username and Password

  • Click "Test & Save"

Enable the Dropzone Alert Source Integration

In addition to data source integration, Dropzone can be configured to monitor and investigate specific incident types from Splunk.

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Alert Sources"

  • In the SIEM section, find the Splunk tile and click "Connect"

  • Input the Server (e.g. splunk.corp.example.net)

  • Input the Username and Password

  • Under "Splunk Alert Search", you must input a Splunk SPL search query to identify alerts to investigate

  • Click "Test & Save"

If you have any errors or questions, engage your Dropzone AI support representative.

Last updated