Integrate with Splunk

You can configure Sqreen to send information about security events and incidents to Splunk Enterprise or Splunk Cloud.

  1. Use the Splunk Enterprise or Splunk Cloud documentation to enable the HTTP Event Collector and create an Event Collector token.
  2. In the Sqreen Dashboard, navigate to your Settings > Integrations.
  3. In the Webhook pane, enter the following values in the fields:
    • URL: the destination in Splunk to which you want to send Sqreen security events (see Splunk Enterprise and Splunk Cloud documentation for details)
    • Secret: the Event Collector token you created in your Splunk Enterprise or Splunk Cloud instance
  4. Test, then Save the configuration.
  5. Navigate to your Protection modules, select a particular protection, and adjust its settings so that it sends data to the webhook pointing at Splunk. For example, navigate to Configuration > Runtime Application Self-Protection > Shell Injection and adjust its settings in the interface.
  6. If you use Security Automation Playbooks in Sqreen, navigate to Playbooks in your Sqreen Dashboard to create a new playbook and set the notification to send data to Splunk via the webhook.
  7. In your Splunk UI, customize your dashboards using Sqreen messages.

Data Sqreen sends to Splunk

The body of each request Sqreen sends to Splunk is JSON, sent with the content type application/json and UTF-8 encoding (as specified by RFC 4627).

In each call to the URL you specified, Sqreen sends an array of payloads. Review the payload contents and structure in the Sqreen Webhooks documentation.
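As an added example (not part of the Sqreen or Splunk documentation), the Python below checks one incoming request against the contract described above: application/json content type, UTF-8 body, and a top-level JSON array of payloads. It is the kind of check you would run in a local stand-in for the Event Collector endpoint while testing the webhook in step 4. The payload field names are placeholders, and the Splunk HEC event envelope used in `to_hec_events` is an assumption about how captured payloads would be re-posted, not something this page states.

```python
import json

# Constructed sample request in the shape this page describes: a JSON array of
# payloads, sent as application/json with UTF-8 encoding. The field names inside
# each payload are placeholders, not Sqreen's real schema (see the Webhooks docs).
SAMPLE_HEADERS = {"Content-Type": "application/json; charset=utf-8"}
SAMPLE_BODY = json.dumps([
    {"event_type": "attack", "module": "shell_injection"},
    {"event_type": "incident", "source": "playbook"},
]).encode("utf-8")


def check_webhook_request(headers, body):
    """Check one incoming request against the contract stated above.

    Returns (payloads, None) when the request is a JSON array of payloads sent as
    application/json in UTF-8, or (None, reason) describing the first violation.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    mime, _, params = lowered.get("content-type", "").partition(";")
    if mime.strip().lower() != "application/json":
        return None, "content type is not application/json"
    charset = "utf-8"  # default when no charset parameter is given
    for param in params.split(";"):
        key, _, value = param.strip().partition("=")
        if key.lower() == "charset":
            charset = value.strip().strip('"').lower()
    if charset not in ("utf-8", "utf8"):
        return None, f"unsupported charset {charset}"
    try:
        payloads = json.loads(body.decode("utf-8"))
    except UnicodeDecodeError:
        return None, "body is not valid UTF-8"
    except json.JSONDecodeError:
        return None, "body is not valid JSON"
    if not isinstance(payloads, list):
        return None, "body is not a JSON array of payloads"
    return payloads, None


def to_hec_events(payloads, sourcetype="sqreen:webhook"):
    """Wrap each payload in the envelope Splunk's HTTP Event Collector accepts on
    /services/collector/event ({"event": ..., "sourcetype": ...}). Assumption: this
    is how captured payloads would be re-posted when building dashboards in step 7."""
    return [{"event": p, "sourcetype": sourcetype} for p in payloads]


if __name__ == "__main__":
    payloads, err = check_webhook_request(SAMPLE_HEADERS, SAMPLE_BODY)
    print(err or json.dumps(to_hec_events(payloads), indent=2))
```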