
Data Theorem now supports integration with a customer's Splunk SIEM infrastructure. Data Theorem's API, Web and Cloud Secure products can send events to Splunk using Splunk's HTTP Event Collector (HEC). For more information on Splunk's HEC, see Splunk's documentation here.

...

  • When an API Secure policy violation was opened.

  • When an API Secure policy violation was resolved, or closed as "won't fix".

Configuring Splunk ES to receive events from Data Theorem

Step 1: Enabling HTTP Event Collector (HEC)

HEC must be enabled in your Splunk deployment to receive events from Data Theorem. Splunk functionality varies based on Splunk software type, so please follow the directions below for your Splunk deployment:

- Configure HTTP Event Collector on Splunk Enterprise

- Configure HTTP Event Collector on self-service Splunk Cloud

- Configure HTTP Event Collector on managed Splunk Cloud

Step 2: Create a new index for HEC events from DT

  1. Click Settings > Indexes

  2. Click New Index

  3. Configure Your Index

...

Searchable time: Use a value that makes sense for your deployment. This example uses 7

Step 3: Create an HEC Token

  1. Click Settings > Data Inputs

  2. Click HTTP Event Collector > Actions > +Add New

Add New HEC Token Page 1 of 4

...


Name: Whatever you want

Source name override: Blank

Enable indexer acknowledgment: Must be unchecked

Add New HEC Token Page 2 of 4

...


Source type: Automatic

App context: Search and Reporting

Select Allowed Indexes: Select the index you created earlier. This example uses “dtevents”

Add New HEC Token Page 3 of 4

...

Confirm your settings and click Submit

Add New HEC Token Page 4 of 4

...


Please contact Data Theorem support with your Splunk HEC Token Value to complete the integration.

Step 4: Validate Splunk configuration by sending a test event

Determine Your Splunk HEC URL

How to find your HEC URL

Send A Test Event

Code Block
    curl -k "https://<your splunk server HEC URL>" \
    -H "Authorization: Splunk <your splunk token from previous step>" \
    -d '{"event": "Hello, world!", "sourcetype": "manual"}'

...

Code Block
{"text":"Success","code":0}
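The same validation scripted in Python instead of curl, as an added example that is not Data Theorem's or Splunk's code: it sends the test event explicitly to the dtevents index, so a token that was not granted that index in Step 3 surfaces as a rejection rather than silently landing elsewhere, and it verifies the server's TLS certificate by default (the curl -k above skips that). The collector URL and token are assumed placeholders.

```python
import json
import ssl
import urllib.error
import urllib.request

# HEC reply codes as documented by Splunk (0-9 only); others report as unknown.
HEC_CODES = {
    0: "Success", 1: "Token disabled", 2: "Token is required",
    3: "Invalid authorization", 4: "Invalid token", 5: "No data",
    6: "Invalid data format", 7: "Incorrect index",
    8: "Internal server error", 9: "Server is busy",
}


def build_test_event(index="dtevents", sourcetype="manual"):
    """Test event body. Naming the index verifies that the token is allowed
    to write to it (the 'Select Allowed Indexes' setting in Step 3)."""
    return {"event": "Hello, world!", "sourcetype": sourcetype, "index": index}


def interpret_hec_reply(body):
    """Map a HEC JSON reply such as {"text":"Success","code":0} to (ok, message)."""
    try:
        reply = json.loads(body)
        code = int(reply["code"])
    except (ValueError, KeyError, TypeError):
        return False, "unparseable HEC reply: %r" % (body,)
    text = reply.get("text") or HEC_CODES.get(code, "unknown code")
    if code == 0:
        return True, text
    return False, "HEC rejected event (code %d): %s" % (code, text)


def send_test_event(hec_url, token, index="dtevents", verify_tls=True):
    """POST the test event and return (ok, message). TLS is verified unless
    verify_tls=False, which is the equivalent of the page's curl -k.
    hec_url is assumed to look like https://<host>:8088/services/collector."""
    data = json.dumps(build_test_event(index)).encode()
    req = urllib.request.Request(
        hec_url, data=data, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return interpret_hec_reply(resp.read().decode())
    except urllib.error.HTTPError as exc:
        # HEC sends its JSON error body with a 4xx/5xx status; read it anyway.
        return interpret_hec_reply(exc.read().decode())
```

Call send_test_event(hec_url, token) and treat anything but (True, "Success") as a configuration problem to fix before contacting support.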

Step 5: Send Splunk information to Data Theorem

Email to support@datatheorem.com the following information:

...

Data Theorem will then enable the integration, and will start sending events to your Splunk instance.

Viewing Data Theorem Events In Splunk

To view Data Theorem events in Splunk, run a search over the index created in Step 2, for example index="dtevents"

Example Search Results

...


Example Event Detail View

...


References

Data Theorem Event Message Schema

Data Theorem Splunk Dashboard Example

Splunk HEC Documentation

Splunk HEC Examples