Integrate RevealX 360 with Splunk Enterprise Security SIEM
This integration enables the Splunk Enterprise Security SIEM to export detection data from the ExtraHop system through detection notification rules. You can view exported data in the SIEM to gain insight into security threats in your environment and to accelerate response times.
To configure this integration, you will provide information to establish a connection between the SIEM and the ExtraHop system, and you will create detection notification rules that will send webhook data to the SIEM. Integrating the ExtraHop system with Splunk Enterprise Security SIEM is supported on both RevealX 360 and RevealX Enterprise.
After the connection is established and notification rules are configured, you can install the ExtraHop RevealX App for Splunk on your Splunk SIEM. The app provides a dashboard of detection data and correlation rules that generate detection alerts in Splunk.
Before you begin
You must meet the following system requirements:
- ExtraHop RevealX 360
  - Your user account must have System Administration privileges.
  - Your user account must have NDR module access to create security detection notification rules.
  - Your user account must have NPM module access to create performance detection notification rules.
  - Your RevealX system must be connected to an ExtraHop sensor with firmware version 9.8 or later.
  - Your RevealX system must be connected to ExtraHop Cloud Services.
- Splunk SIEM
  - You must have Splunk Enterprise version 9.1 or later.
  - You must configure a Splunk Enterprise HEC connector for data ingest.
  - Your SIEM must be able to receive webhook data over TCP 443 (HTTPS). You can add static source IP addresses to your security controls to allow requests from RevealX 360.
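The requirements above hinge on two things: the notification rule posts webhook JSON over HTTPS, and Splunk ingests it through an HTTP Event Collector (HEC). The following script is an added example, not ExtraHop's or Splunk's own code, showing what a well-formed HEC submission of a detection payload looks like: the HEC event envelope (`time`, `host`, `sourcetype`, `event`), the `Authorization: Splunk <token>` header, and a guard that refuses plaintext endpoints. The HEC URL, the token, the sourcetype name and the detection fields are all placeholders or constructed sample data; the real webhook body is whatever your notification rule's payload template emits.

```python
"""Forward a detection notification payload to a Splunk HTTP Event Collector.

Added example, not ExtraHop's or Splunk's code. HEC_URL and HEC_TOKEN are
placeholders (assumptions); SAMPLE_DETECTION is a constructed payload for
illustration only.
"""
import json
import ssl
import urllib.request
from datetime import datetime, timezone

# Placeholder endpoint. HEC listens on 8088 by default; the page expects the
# SIEM to accept webhook data on TCP 443, so the listener or a proxy in front
# of it must be exposed there. Adjust to your deployment.
HEC_URL = "https://splunk.example.invalid:443/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real token

# Constructed sample of a detection notification body (field names assumed).
SAMPLE_DETECTION = {
    "id": 12345,
    "title": "Example detection title",
    "risk_score": 75,
    "start_time": "2024-01-02T03:04:05Z",
    "type": "example_detection_type",
}


def build_hec_event(detection: dict, sourcetype: str = "extrahop:detection",
                    host: str = "revealx360") -> dict:
    """Wrap a detection dict in the HEC /services/collector/event envelope.

    The detection's own start_time becomes the Splunk event time so that
    searches and correlation rules line up with when the activity occurred,
    not when the webhook arrived.
    """
    ts = datetime.strptime(detection["start_time"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "time": ts.timestamp(),
        "host": host,
        "sourcetype": sourcetype,
        "event": detection,
    }


def hec_headers(token: str) -> dict:
    """HEC authenticates with a bearer-style 'Splunk <token>' header."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def check_hec_url(url: str) -> bool:
    """Detection data must only travel over HTTPS; reject plaintext endpoints."""
    return url.startswith("https://")


def send_to_hec(detection: dict, url: str = HEC_URL, token: str = HEC_TOKEN,
                timeout: int = 10) -> dict:
    """POST one detection to HEC and return Splunk's JSON acknowledgement."""
    if not check_hec_url(url):
        raise ValueError("HEC URL must use HTTPS")
    body = json.dumps(build_hec_event(detection)).encode()
    req = urllib.request.Request(url, data=body, headers=hec_headers(token), method="POST")
    ctx = ssl.create_default_context()  # verifies the HEC server certificate
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Print the envelope that would be sent; no network access needed to inspect it.
    print(json.dumps(build_hec_event(SAMPLE_DETECTION), indent=2))
```

When validating a new HEC connector, submit the envelope printed above with a known test token and confirm Splunk answers `{"text":"Success","code":0}`; a `403` usually means the token is disabled or scoped to a different index, and a handshake failure means the certificate on the 443 listener does not chain to something the sender trusts.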
Next steps
- Navigate back to the integration configuration page to check that your rule has been created and added to the table.
- Click Edit to modify or delete a rule.
- Install the ExtraHop RevealX App for Splunk to view a detections dashboard and alerts.