Splunk¶
You can set up Wallarm to send alerts to Splunk when the following events are triggered:
-
Hits detected
-
System related: newly added users, deleted or disabled integration
-
Vulnerabilities detected
-
Scope changed: updates in hosts, services, and domains
Setting up integration¶
In Splunk UI:
-
Open the Settings ➝ Add Data page and select Monitor.
-
Select the HTTP Event Collector option, enter an integration name and click Next.
-
Skip choosing the data type at the Input Settings page and continue to Review Settings.
-
Review and Submit the settings.
-
Copy the provided token.
In Wallarm UI:
-
Open Settings → Integrations tab.
-
Click the Splunk block or click the Add integration button and choose Splunk.
-
Enter an integration name.
-
Paste the copied token into the HEC token field.
-
Paste HEC URI and the port number of your Splunk instance into the HEC URI:PORT field. For example:
https://hec.splunk.com:8088
. -
Choose event types to trigger notifications. If the events are not chosen, then Splunk alerts will not be sent.
-
Click Add integration.
Updating integration¶
To update the settings of active integration:
-
Go to your Wallarm account → Settings → Integrations in the EU or US cloud.
-
Open an active integration.
-
Make required changes and click Save.
Disabling integration¶
To stop sending reports and notifications temporarily, you can disable the integration:
-
Go to your Wallarm account → Settings → Integrations in the EU or US cloud.
-
Open an active integration and click Disable.
To re-enable sending reports and notifications, open the disabled integration and click Enable.
Deleting integration¶
To stop sending reports and notifications permanently, you can delete the integration. Deleting an integration cannot be undone. The integration will be removed from the list permanently.