© 2024 Halo Security

Splunk

Send Halo Security events directly to your Splunk instance for advanced log analysis and correlation.

Last updated 2 months ago

This integration is currently in beta.

This integration allows you to route notifications about issues, changes, and other events to your Splunk instance based on your configuration, enabling unified security monitoring across your environment.

Splunk Setup

Before configuring the integration in Halo Security, you'll need to set up an HTTP Event Collector in Splunk:

  1. In your Splunk instance, navigate to Settings > Data inputs > HTTP Event Collector > Add New

  2. Enter a name for your data input (e.g., "Halo Security")

  3. Select the allowed indexes where data will be stored (e.g., "main")

  4. After creating the HTTP Event Collector, make note of the:

    1. Token Value that is generated

    2. Splunk server hostname

    3. HTTP Event Collector port (default: 8088)
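Before wiring the integration up in Halo Security, it helps to confirm that the collector you just created accepts events. The script below is an added example, not Halo Security's or Splunk's own code: it assumes the token, hostname and port you noted above, posts one constructed sample event (not the real Halo Security event schema) to Splunk's /services/collector/event endpoint, and tags it with the source value the search queries later on this page use.

```python
"""Smoke-test a Splunk HTTP Event Collector input (added example, constructed input)."""
import json
import ssl
import urllib.request

# Indexes you ticked as "allowed" when creating the HEC input (assumption: "main").
ALLOWED_INDEXES = {"main"}


def build_hec_payload(event: dict, index: str, source: str = "http:Halo Security") -> dict:
    """Wrap an event in the envelope the HEC /services/collector/event endpoint expects.

    The index must be one the token is allowed to write to; otherwise Splunk
    rejects the request with HTTP 400, so we fail early on the client side.
    """
    if index not in ALLOWED_INDEXES:
        raise ValueError(f"index {index!r} is not allowed for this HEC token")
    return {"event": event, "index": index, "source": source, "sourcetype": "_json"}


def send_hec_event(host: str, port: int, token: str, payload: dict, verify_tls: bool = True) -> int:
    """POST the payload to HEC with the token and return the HTTP status code."""
    url = f"https://{host}:{port}/services/collector/event"
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status  # 200 means the collector accepted the event


if __name__ == "__main__":
    # Constructed sample event; the custom_details.key field only mirrors the
    # search filter shown later on this page and is not Halo Security's schema.
    sample = {"message": "HEC smoke test", "custom_details": {"key": "issue-add"}}
    payload = build_hec_payload(sample, index="main")
    # Placeholders: replace with the hostname, port and token noted above.
    status = send_hec_event("splunk.example.internal", 8088, "<HEC-TOKEN>", payload)
    print("HEC response status:", status)
```

After a 200 response, the query `index=main source="http:Halo Security"` in Splunk should return the test event, which confirms the token, port and index before you connect Halo Security.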

Connect Splunk

  1. Visit your Account > Integrations >

  2. Add the Splunk integration

  3. Enter a name for the integration

  4. Click Save

  5. Add the following information from the Splunk HTTP Event Collector you set up:

    1. Splunk Server

    2. Splunk Server Host

    3. Splunk Server Port

  6. Click Save Changes

Create Profiles

After connecting Splunk, you can create profiles to control how data is sent to your Splunk instance. Each profile specifies configuration details for the Splunk connection. To create a profile:

  1. Navigate to the Profiles tab

  2. Click the + icon

  3. Enter a name for the profile

  4. Configure the following settings:

    • Profile Name: A name for the profile.

    • Splunk Index: The Splunk index where events will be stored (must match an allowed index from Splunk setup)

  5. Click Save

You can create multiple profiles to route different types of events to different Splunk indexes.

Create Event Rules

To send data to Splunk, create Event Rules and add your Splunk profile as an action. Visit Events > Event Rules to set up rules that determine which events are sent to Splunk.

Learn more about configuring rules on the Event Rules page.

Using the Integration

Once configured, events matching your criteria will automatically be sent to your Splunk instance. You can search for these events in Splunk using queries like:

index=main source="http:Halo Security"

To filter for specific event types:

index=main source="http:Halo Security" custom_details.key="issue-add"

The source value follows from the name you gave the HTTP Event Collector input in the Splunk Setup steps, since Splunk assigns HEC events a default source of http:<input name>.