Skip to content

Splunk

You can set up Wallarm to send alerts to Splunk when the following events are triggered:

  • Hits detected

  • System related: newly added users, deleted or disabled integration

  • Vulnerabilities detected

  • Scope changed: updates in hosts, services, and domains

Setting up integration

In Splunk UI:

  1. Open the SettingsAdd Data page and select Monitor.

  2. Select the HTTP Event Collector option, enter an integration name and click Next.

  3. Skip choosing the data type at the Input Settings page and continue to Review Settings.

  4. Review and Submit the settings.

  5. Copy the provided token.

In Wallarm UI:

  1. Open SettingsIntegrations tab.

  2. Click the Splunk block or click the Add integration button and choose Splunk.

  3. Enter an integration name.

  4. Paste the copied token into the HEC token field.

  5. Paste HEC URI and the port number of your Splunk instance into the HEC URI:PORT field. For example: https://hec.splunk.com:8088.

  6. Choose event types to trigger notifications. If the events are not chosen, then Splunk alerts will not be sent.

  7. Test the integration and ensure the settings are correct.

  8. Click Add integration.

Splunk integration

Testing integration

Integration testing allows checking configuration correctness, availability of the Wallarm Cloud, and the notification format. To test the integration, you can use the button Test integration when creating or editing the integration.

The integration is tested as follows:

  • Test notifications with the prefix [Test message] are sent to the selected system.

  • Test integrations are sent for all events available for the selected system. If the integration card includes 3 event types, the system will receive 3 test notifications.

    If the integration card includes the event type System related, an appropriate test notification includes details on the newly added user.

  • Test notifications include test data.

Test Splunk notification in the JSON format:

{
    summary:"[Test message] [Test partner(US)] New vulnerability detected",
    description:"Notification type: vuln

                New vulnerability was detected in your system.

                ID: 
                Title: Test
                Domain: example.com
                Path: 
                Method: 
                Discovered by: 
                Parameter: 
                Type: Info
                Threat: Medium

                More details: https://us1.my.wallarm.com/object/555


                Client: TestCompany
                Cloud: US
                ",
    details:{
        client_name:"TestCompany",
        cloud:"US",
        notification_type:"vuln",
        vuln_link:"https://us1.my.wallarm.com/object/555",
        vuln:{
            domain:"example.com",
            id:null,
            method:null,
            parameter:null,
            path:null,
            title:"Test",
            discovered_by:null,
            threat:"Medium",
            type:"Info"
        }
    }
}

Updating integration

To update the settings of active integration:

  1. Go to your Wallarm account → SettingsIntegrations in the EU or US cloud.

  2. Open an active integration.

  3. Make required changes and click Save.

Disabling integration

To stop sending reports and notifications temporarily, you can disable the integration:

  1. Go to your Wallarm account → SettingsIntegrations in the EU or US cloud.

  2. Open an active integration and click Disable.

To re-enable sending reports and notifications, open the disabled integration and click Enable.

Deleting integration

To stop sending reports and notifications permanently, you can delete the integration. Deleting an integration cannot be undone. The integration will be removed from the list permanently.

  1. Go to your Wallarm account → SettingsIntegrations in the EU or US cloud.

  2. Open integration and click Delete.

  3. Confirm the action.