Integrating Invicti Enterprise with Splunk
Splunk is a Security Information and Event Management (SIEM) software that is used to read and store machine-generated data.
Splunk aims to collect data like operating system logs, antivirus events, etc in a single central location to generate graphs, reports, and alerts. Integrating with Splunk helps you to increase information security so that you can collect identified issues or vulnerabilities.
This article explains how to integrate Splunk with Invicti Enterprise.
There are four stages:
- How to Install Splunk
- How to Configure Add-on Settings
- How to Configure Input
- How to Search Vulnerabilities
There are two add-ons for Splunk. Download the add-on based on your Splunk configuration.
How to install the add-on for Splunk Enterprise
- First, locate the Invicti Enterprise add-on in Splunkbase: https://splunkbase.splunk.com/app/4825/.
- Follow these instructions to install the add-on: About installing Splunk add-ons.
- Once the Invicti Enterprise add-on is installed, it should be configured to collect issues from the Invicti Enterprise API (see How to Configure Add-on Settings). The add-on can collect data from both On-demand and On-premise editions of Invicti Enterprise.
How to install the add-on for Splunk Cloud
- First, locate the Invicti Enterprise add-on For Splunk Cloud in Splunkbase: https://splunkbase.splunk.com/app/5511/.
- Follow these instructions to install the add-on: Install an add-on in Splunk Cloud.
- Once the Invicti Enterprise add-on is installed, it should be configured to collect issues from the Invicti Enterprise API (see How to Configure Add-on Settings). The add-on can collect data from both On-demand and On-premise editions of Invicti Enterprise.
The following instructions are valid for both add-ons.
How to configure Add-on settings
Add-on settings must be configured in order to authenticate the API.
- In Splunk, navigate to Invicti Enterprise Add-On, then Configuration.
- Select the Add-on Settings tab.
- Complete the Base URL, User ID, and Token fields. (The Base URL is the Invicti Enterprise URL.)
User ID and Token values can be found at API Settings.
- Select Save.
How to configure input
- In Splunk, navigate to the Invicti Enterprise Add-On, then Inputs.
- To edit an existing Input, in the Actions column, click the Action dropdown, then the Edit link. (Alternatively, to create a new Input, select Create New Input.) The Update Vulnerability dialog is displayed.
- The Date Format should be equal to the value defined on the Change Account Settings page in Invicti Enterprise.
- In Splunk, the Website Group and Website fields are optional. (These values can be found on the Website Groups page in Invicti Enterprise.)
- Select Update (or Add).
How to search for vulnerabilities
Once the Add-on Settings and Input have been configured, Splunk starts to import data from the Invicti Enterprise API.
- In Splunk, navigate to the Invicti Enterprise Add-on, then select the Search tab to view the imported data.
- Select Data Summary. The Data Summary dialog is displayed.
- Select the Hosts, Sources, or SourceTypes tab to display issues.