Splunk¶
You can set up Wallarm to send alerts to Splunk when the following events are triggered:
-
Hits detected except for:
- Experimental hits detected based on the custom regular expression. Non-experimental hits trigger notifications.
- Hits not saved in the sample.
-
System related: newly added users, deleted or disabled integration
-
Vulnerabilities detected
-
Scope changed: updates in hosts, services, and domains
Setting up integration¶
In Splunk UI:
-
Open the Settings ➝ Add Data page and select Monitor.
-
Select the HTTP Event Collector option, enter an integration name and click Next.
-
Skip choosing the data type at the Input Settings page and continue to Review Settings.
-
Review and Submit the settings.
-
Copy the provided token.
In Wallarm UI:
-
Open Settings → Integrations tab.
-
Click the Splunk block or click the Add integration button and choose Splunk.
-
Enter an integration name.
-
Paste the copied token into the HEC token field.
-
Paste HEC URI and the port number of your Splunk instance into the HEC URI:PORT field. For example:
https://hec.splunk.com:8088. -
Choose event types to trigger notifications. If the events are not chosen, then Splunk alerts will not be sent.
-
Test the integration and ensure the settings are correct.
-
Click Add integration.
Testing integration¶
Integration testing allows checking configuration correctness, availability of the Wallarm Cloud, and the notification format. To test the integration, you can use the button Test integration when creating or editing the integration.
The integration is tested as follows:
-
Test notifications with the prefix
[Test message]are sent to the selected system. -
Test integrations are sent for all events available for the selected system. If the integration card includes 3 event types, the system will receive 3 test notifications.
If the integration card includes the event type System related, an appropriate test notification includes details on the newly added user.
-
Test notifications include test data.
Test Splunk notification in the JSON format:
{
summary:"[Test message] [Test partner(US)] New vulnerability detected",
description:"Notification type: vuln
New vulnerability was detected in your system.
ID:
Title: Test
Domain: example.com
Path:
Method:
Discovered by:
Parameter:
Type: Info
Threat: Medium
More details: https://us1.my.wallarm.com/object/555
Client: TestCompany
Cloud: US
",
details:{
client_name:"TestCompany",
cloud:"US",
notification_type:"vuln",
vuln_link:"https://us1.my.wallarm.com/object/555",
vuln:{
domain:"example.com",
id:null,
method:null,
parameter:null,
path:null,
title:"Test",
discovered_by:null,
threat:"Medium",
type:"Info"
}
}
}
Updating integration¶
To update the settings of active integration:
-
Go to Wallarm Console → Settings → Integrations in the EU or US Cloud.
-
Open an active integration.
-
Make required changes and click Save.
Disabling integration¶
To stop sending reports and notifications temporarily, you can disable the integration:
-
Go to Wallarm Console → Settings → Integrations in the EU or US Cloud.
-
Open an active integration and click Disable.
To re-enable sending reports and notifications, open the disabled integration and click Enable.
Disabling the integration is the system event. If you receive system notifications, messages about disabled integration will be sent to the configured system.
Deleting integration¶
To stop sending reports and notifications permanently, you can delete the integration. Deleting an integration cannot be undone. The integration will be removed from the list permanently.
-
Go to Wallarm Console → Settings → Integrations in the EU or US Cloud.
-
Open integration and click Delete.
-
Confirm the action.
Deleting the integration is the system event. If you receive system notifications, messages about deleted integration will be sent to the configured system.