Configure Splunk Alerts

Tenable Cloud Security can integrate with Splunk Cloud Platform to manage your incident logs. To do so, you configure an HTTP Event Collector (HEC) in Splunk for Tenable Cloud Security. HEC lets Tenable Cloud Security send notifications to Splunk over HTTP or Secure HTTP (HTTPS) using a token-based authentication model.

For more information about the HEC, see Set up and use HTTP Event Collector in Splunk Web.

For each incident, Tenable Cloud Security sends the following information to Splunk:

  • category

  • severity

  • title

  • resource

  • firstDetectionDate

  • guideline

  • violationId

For example, Tenable Cloud Security sends an incident as a JSON object in which severity is a top-level field and the remaining fields are nested under message:

{
  "message": {
    "violationId": "ACS_AWS_S3_15",
    "resource": "arn:aws:s3:::scanners-acs--809694787632",
    "firstDetectionDate": "2020-05-19T11:53:40.573Z",
    "title": "Ensure all data is transported from the S3 bucket securely",
    "category": "S3",
    "guideline": "<<Tenable Cloud Security guidelines>>"
  },
  "severity": "HIGH"
}

Step 1: Splunk Configuration

To configure the integration in Splunk:

  1. Access the Splunk platform.

  2. Click Settings > Data Inputs.

    The Data inputs page appears.

  3. In the HTTP Event Collector type, click +Add new in the Actions column.

    Complete the steps in the Add Data wizard:

    1. In the Select Source page, type a name for the token in the Name box.

    2. Click Next.

      The Input Settings page appears.

    3. In the Source type section, click Select and then select _json from the Select Source Type drop-down box.

    4. In the Index section, select Default from the Default Index drop-down box.

    5. Click Review.

      Review the information provided for the Splunk configuration.

    6. Click Submit.

      A confirmation message with the token value appears.

Step 2: Tenable Cloud Security Configuration

To configure the integration in Tenable Cloud Security:

  1. Access Tenable Cloud Security.

  2. In the left navigation bar of the Tenable Cloud Security page, click Home.

  3. Click the Projects & Connections tab.

  4. In the projects list, click the project for which you want to configure Splunk.

    The project details panel appears.

  5. In the Alerts section, click .

    The Project alerts page appears.

  6. In the Choose alert channels section, select the check box for the Splunk channel and click Select to set up.

    The Configure Splunk HTTP Event Collector (HEC) page appears.

  7. From the Project drop-down list, select the project for which you want to manage your incident logs.

  8. Provide values for the following fields to configure Splunk:

    • Splunk HEC URL: The standard form for the HEC URI in Splunk Cloud Platform is as follows:

      <protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>

      Where:

      • <protocol> is either http or https.

      • <host> is the Splunk instance that runs HEC.

      • <port> is the HEC port number, which is 8088 by default, but you can change it in the HEC Global Settings.

      • <endpoint> is the HEC endpoint you want to use. Use the /services/collector/event endpoint for JSON-formatted events.

    • Splunk HEC Token: Enter the token value that Splunk displayed at the end of Step 1: Splunk Configuration.

    • Event Source Type: Type _json.

  9. Select the Verify SSL check box to enable SSL certificate verification.

  10. Select the Enable Alert check box to enable alerts for violations.

  11. Select the check boxes for the severities of the violations that you want to report.

  12. Click Submit.

    The Project alerts page appears.

  13. Click Save.
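The following script is an added example, not Tenable's or Splunk's code. It ties together the two technical pieces of this page: the HEC URI form from the Splunk HEC URL field (protocol, host, port and endpoint) and the incident payload shown at the top of the page. It builds the HEC URL from its components, checks that an incident carries every field this page says Tenable Cloud Security sends, and assembles the HTTP request a HEC sender issues (the Authorization: Splunk <token> header and the {"event": ..., "sourcetype": ...} body of /services/collector/event come from Splunk's HEC documentation). The hostname, token and bucket account id are constructed placeholders; the script refuses to put a token on a plain-http URL even though the page lists http as an allowed protocol, and its optional verify_ssl switch mirrors the Verify SSL check box. The network send is isolated in one function so the rest can be checked offline.

```python
"""Build and sanity-check a Splunk HEC request for a Tenable Cloud Security
incident (added example; hostnames, token and account id are placeholders)."""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Fields this page says Tenable Cloud Security sends for each incident.
INCIDENT_FIELDS = ("category", "severity", "title", "resource",
                   "firstDetectionDate", "guideline", "violationId")

# Constructed sample, same shape as the page's example payload.
SAMPLE_EVENT = {
    "message": {
        "violationId": "ACS_AWS_S3_15",
        "resource": "arn:aws:s3:::example-bucket-000000000000",
        "firstDetectionDate": "2020-05-19T11:53:40.573Z",
        "title": "Ensure all data is transported from the S3 bucket securely",
        "category": "S3",
        "guideline": "<<Tenable Cloud Security guidelines>>",
    },
    "severity": "HIGH",
}


def build_hec_url(host, protocol="https", port=8088,
                  endpoint="/services/collector/event"):
    """Assemble <protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
    with the page's defaults (https, port 8088, the JSON event endpoint)."""
    if protocol not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"{protocol}://http-inputs-{host}.splunkcloud.com:{port}/{endpoint.lstrip('/')}"


def validate_incident(payload):
    """Return the documented fields missing from an incident payload.
    'severity' is top-level; the other fields live under 'message'."""
    present = set(payload.get("message", {}))
    if "severity" in payload:
        present.add("severity")
    return [field for field in INCIDENT_FIELDS if field not in present]


def build_hec_request(url, token, event, sourcetype="_json", index=None):
    """Return (headers, body) for a POST to the HEC event endpoint.
    The token is a bearer secret, so a plain-http URL is rejected."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing to send a HEC token over plain http")
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    body = {"event": event, "sourcetype": sourcetype}  # HEC event envelope
    if index:
        body["index"] = index
    return headers, json.dumps(body).encode()


def send_event(url, token, event, verify_ssl=True, timeout=10):
    """POST one event to HEC (network call; not exercised offline)."""
    headers, body = build_hec_request(url, token, event)
    ctx = ssl.create_default_context()
    if not verify_ssl:  # mirrors the Verify SSL check box; leave it on in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read())  # HEC replies {"text": "Success", "code": 0}


if __name__ == "__main__":
    hec_url = build_hec_url("example-stack")
    print(hec_url)
    print("missing fields:", validate_incident(SAMPLE_EVENT))
    # send_event(hec_url, "<<HEC token>>", SAMPLE_EVENT)  # run against a real HEC
```

Run it as-is to see the URL the page's format produces and confirm the sample payload is complete; uncomment the last line with your own HEC token to post the sample event and check that it lands in the index and source type you chose in Step 1.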