This integration enables you to view network threat detections and behavioral insights from Reveal(x) 360 in Splunk.
- Webhook targets must be open to external traffic. Reveal(x) 360 systems cannot send detections to targets on your internal network.
- Webhook targets must have a certificate signed by a certificate authority (CA) from the Mozilla CA Certificate Program. See https://wiki.mozilla.org/CA/Included_Certificates for certificates from trusted public CAs.
- You must enable HTTP Event Collector (HEC) on Splunk Enterprise, specify a storage index, and create a HEC token.
- Log in to the Reveal(x) 360 system with an account that has Cloud Setup privileges.
- Click the System Settings icon and then click Integrations.
- Click the Splunk tile.
Add your Splunk credentials.
HTTP Event Collector URL: Enter the full target URL that will receive detections from Reveal(x) 360, adhering to the following required HEC format: <protocol>://<host>:<port>/<endpoint>
- Specify https for the protocol.
- Specify /services/collector for the endpoint.
The following example is correctly formatted: https://mysql1.seaprod.example.com:3306/services/collector
HTTP Event Collector Token: Enter the token value that authenticates the connection to HEC.
Index Name: Enter the name of the index that will store detections from Reveal(x) 360.
Click Test Connection to ensure that Reveal(x) 360 can communicate with Splunk.
Verify that the test event was sent to the specified URL in Splunk.
- Click Connect.
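As an added example (not ExtraHop's or Splunk's own code), the following Python checks a target URL against the required HEC format above and builds the request that a test event or exported detection is delivered with; the token, index and event values are constructed placeholders, and the send function is assumed to run against a reachable Splunk HEC endpoint.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Endpoint the integration requires for the HEC URL.
HEC_ENDPOINT = "/services/collector"


def validate_hec_url(url: str) -> dict:
    """Check a URL against <protocol>://<host>:<port>/<endpoint>.
    Returns the parsed parts or raises ValueError with the failing rule."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("protocol must be https")
    if not parts.hostname:
        raise ValueError("host is missing")
    if parts.port is None:
        raise ValueError("an explicit port is required")
    if parts.path != HEC_ENDPOINT:
        raise ValueError(f"endpoint must be {HEC_ENDPOINT}")
    return {"host": parts.hostname, "port": parts.port, "endpoint": parts.path}


def is_valid_hec_url(url: str) -> bool:
    """Boolean wrapper around validate_hec_url for quick checks."""
    try:
        validate_hec_url(url)
        return True
    except ValueError:
        return False


def build_hec_request(token: str, index: str, event: dict) -> tuple:
    """Build the HEC headers and JSON body for one event.
    HEC authenticates with 'Authorization: Splunk <token>'; the 'index'
    field routes the event to the storage index chosen during setup."""
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    body = {"index": index, "event": event}
    return headers, json.dumps(body).encode()


def send_test_event(url: str, token: str, index: str) -> int:
    """Mirror the Test Connection step: POST a constructed test event.
    urllib verifies the server certificate against the system trust store,
    so a target with an untrusted certificate fails here as it would for
    Reveal(x) 360, which only accepts publicly trusted CAs."""
    validate_hec_url(url)
    headers, body = build_hec_request(token, index, {"message": "connection test"})
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status  # 200 when HEC accepted the event
```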
Specify which detections to export to Splunk.
- Select the Export Reveal(x) 360 detections into Splunk checkbox.
Click Add Criteria and specify one of the
- Minimum Risk Score
- Device Role
- Click Save.
Click Add Criteria to specify additional
The Reveal(x) 360 system exports only detections that match all specified criteria. If no criteria are specified, all new detections are exported.
- Click Save.