Skip to content

Splunk

You can set up Wallarm to send alerts to Splunk when the following events are triggered:

  • Hits detected except for:

  • System related: newly added users, deleted or disabled integration

  • Vulnerabilities detected

  • Scope changed: updates in hosts, services, and domains

Setting up integration

In Splunk UI:

  1. Open the SettingsAdd Data page and select Monitor.

  2. Select the HTTP Event Collector option, enter an integration name and click Next.

  3. Skip choosing the data type at the Input Settings page and continue to Review Settings.

  4. Review and Submit the settings.

  5. Copy the provided token.

In Wallarm UI:

  1. Open SettingsIntegrations tab.

  2. Click the Splunk block or click the Add integration button and choose Splunk.

  3. Enter an integration name.

  4. Paste the copied token into the HEC token field.

  5. Paste HEC URI and the port number of your Splunk instance into the HEC URI:PORT field. For example: https://hec.splunk.com:8088.

  6. Choose event types to trigger notifications. If the events are not chosen, then Splunk alerts will not be sent.

  7. Test the integration and make sure the settings are correct.

  8. Click Add integration.

Splunk integration

Wallarm Cloud IP addresses

To provide Wallarm Cloud access to your system, you may need a list of its public IP addresses. To get these addresses, request them from the Wallarm technical support team.

Note that the public IP addresses of Wallarm Cloud can change from time to time. If your experience some problems with the addresses that you currently use, request up-to-date addresses from the Wallarm technical support team.

Testing integration

Integration testing allows checking configuration correctness, availability of the Wallarm Cloud, and the notification format. To test the integration, you can use the button Test integration when creating or editing the integration.

The integration is tested as follows:

  • Test notifications with the prefix [Test message] are sent to the selected system.

  • Test integrations are sent for all events available for the selected system. If the integration card includes 3 event types, the system will receive 3 test notifications.

    If the integration card includes the event type System related, an appropriate test notification includes details on the newly added user.

  • Test notifications include test data.

Test Splunk notification in the JSON format:

{
    summary:"[Test message] [Test partner(US)] New vulnerability detected",
    description:"Notification type: vuln

                New vulnerability was detected in your system.

                ID: 
                Title: Test
                Domain: example.com
                Path: 
                Method: 
                Discovered by: 
                Parameter: 
                Type: Info
                Threat: Medium

                More details: https://us1.my.wallarm.com/object/555


                Client: TestCompany
                Cloud: US
                ",
    details:{
        client_name:"TestCompany",
        cloud:"US",
        notification_type:"vuln",
        vuln_link:"https://us1.my.wallarm.com/object/555",
        vuln:{
            domain:"example.com",
            id:null,
            method:null,
            parameter:null,
            path:null,
            title:"Test",
            discovered_by:null,
            threat:"Medium",
            type:"Info"
        }
    }
}

Updating integration

To update the settings of active integration:

  1. Go to Wallarm Console → SettingsIntegrations in the US or EU Cloud.

  2. Open an active integration.

  3. Make required changes and click Save.

Disabling integration

To stop sending reports and notifications temporarily, you can disable the integration:

  1. Go to Wallarm Console → SettingsIntegrations in the US or EU Cloud.

  2. Open an active integration and click Disable.

To re-enable sending reports and notifications, open the disabled integration and click Enable.

Disabling the integration is the system event. If you receive system notifications, messages about disabled integration will be sent to the configured system.

Deleting integration

To stop sending reports and notifications permanently, you can delete the integration. Deleting an integration cannot be undone. The integration will be removed from the list permanently.

  1. Go to Wallarm Console → SettingsIntegrations in the US or EU Cloud.

  2. Open integration and click Delete.

  3. Confirm the action.

Deleting the integration is the system event. If you receive system notifications, messages about deleted integration will be sent to the configured system.