HTTP Reporting Splunk

Updated on 30 Mar 2021
1 Minute to read

Print
Share
Dark

Light
PDF

Setting up Splunk as a HTTP SIEM Integration

The Process element has been updated in version 2.14 to include much more detail regarding the application). This change may impact reports and alerts. Please make the necessary updates.

Previously the Detail JSON would look something like below based on the event.

{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"/Users/peter/Downloads/system 2.log", "process":"applicaton_name_here"}"}

Starting in version 2.14, the Detail JSON looks something like below based on the event.

{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"\/Users\/username\/Pictures\/Backgrounds\/IMG_1900.JPG", "process":{"name":"dock","impname":"dock","ver":"2092.20.9","cert":{"status":"Trusted","certHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxx","signHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxx","serial":"YYYYYYYYYYYYYYYY","desc":"Dock","prod":"Dock","inner":"com.apple.dock","strong":"com.apple.dock","original":"com.apple.dock","executable":"file:\/\/\/System\/Library\/CoreServices\/Dock.app\/Contents\/MacOS\/Dock","publisher":"Software Signing","signers":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"]}}}"}

SecureCircle will output detailed server and usage logs to any SIEM or Syslog aggregator. This document will give examples on how to setup SecureCircle with Splunk, however, these general steps can be applied to any SIEM.

Configuring Splunk Data Input

In the Splunk admin UI, click Settings in the top navigation bar. Then click Data Inputs. Click HTTP Event Collector

In the upper right click on Global Settings to edit and save the global configuration. SecureCircle does not require any changes in settings from the default settings, but be sure the Enable SSL and HTTP Port Number settings are updated if needed.

Click New Token in the upper right to enter a multi-step configuration wizard.

Select Source: Enter a name for the token. All remaining settings are optional are can be left as the default value.

Input Settings:
Source Type = automatic
App context = Search & Reporting (search)
Index = select the index where incoming data will be stored. Create a new index if required.

Review:
Verify configuration and click Submit

After completing the Data Input wizard for HTTP Event Collector, a new token will be generated.

Configuring SecureCircle Output

In the SecureCircle admin UI, go to Configurations > Integratrations > SIEM on the left navigation menu. For new integrations, click Add Server.

Click HTTP and enter all the information required. Examples names, ports, and domains are used below.

Field Name	Value
Name	Splunk HTTP
Host	splunk.securecircle.com
Port	8088
Path	/services/collector
Message Pattern	{"sourcetype": "_json", "host": "splunk.securecircle.com", "event": %s}
Header Information
Content-Type	application/json
Authorization	Splunk b7ae6510-977e-46d7-876f-d1ce9fee1f75

For the Authorization Header use 'Splunk (token created in the earlier step)'

When completed the Splunk HTTP entry will show in your SIEM integration list.

Was this article helpful?

What's Next

Splunk Sample Template

Table of contents

Setting up Splunk as a HTTP SIEM Integration
Configuring Splunk Data Input
Configuring SecureCircle Output

SecureCircle delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. At SecureCircle, we believe frictionless data security drives business value for our customers. Instead of relying on complex reactive measures, we simply secure data persistently in transit, at rest, and even in use. End users operate without obstacles, while data is continuously secured against breaches and insider threats.

Company

Collateral