Integrate Reveal(x) 360 with Splunk

This integration enables you to view network threat detections and behavioral insights from Reveal(x) 360 in Splunk.

System requirements

ExtraHop Reveal(x) 360

  • You must have Reveal(x) 360 Cloud Setup privileges.
  • Your Reveal(x) 360 system must be connected to an ExtraHop sensor with firmware version 8.7 or later.
  • Your Reveal(x) 360 system must be connected to ExtraHop Cloud Services and configured to export detections through webhooks.


Configure the integration

  1. Log in to the Reveal(x) 360 system with an account that has Cloud Setup privileges.
  2. Click the System Settings icon and then click Integrations.
  3. Click the Splunk tile.
  4. Add your Splunk credentials.

    HTTP Event Collector URL: Enter the full target URL that will receive detections from Reveal(x) 360, adhering to the following required HEC format: <protocol>://<host>:<port>/<endpoint>

    1. Specify https for the protocol.
    2. Specify /services/collector for the endpoint.

    The following example is correctly formatted:

    HTTP Event Collector Token: Enter the token value that authenticates the connection to HEC.

    Index Name: Enter the name of the index that will store detections from Reveal(x) 360 .

  5. Click Test Connection to ensure that Reveal(x) 360 can communicate with Splunk.
    Verify the test event is sent to the specified URL in Splunk.
  6. Click Connect.
  7. (Optional): Specify which detections to export to Splunk.
    1. Select the Export Reveal(x) 360 detections into Splunk checkbox.
    2. Click Add Criteria and specify one of the following criteria:
      • Site
      • Minimum Risk Score
      • Type
      • Category
      • Technique
      • Device Role
    3. Click Save.
    4. Click Add Criteria to specify additional criteria.
      The Reveal(x) 360 system exports only detections that match all specified criteria. If no criteria is specified, all new detections are exported.
  8. Click Save.
Published 2022-01-14 20:14