Splunk

Splunk is a very common and powerful SIEM that is used by many companies. Multicloud Defense supports Log Forwarding to Splunk to send Security Events and Traffic Log information for processing, storage, access and correlation. The information sent is in a semi-structured JSON format where the attribute-value pairs can be accessed and processed.

Requirements

In order to forward logs to Splunk, the following information is required:

  • Splunk account

  • Splunk Collector URL

  • Event Collector Key

  • Index Name

Tip

For information on the Splunk Event Collector, refer to Splunk HTTP Event Collector (https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/UsetheHTTPEventCollector).

Profile Parameters

| Parameter | Requirement | Default | Description |
|---|---|---|---|
| Profile Name | Required | | A unique name to use to reference the Profile. |
| Description | Optional | | A description for the Profile. |
| Destination | Required | Datadog | The SIEM used for the Profile. |
| Skip Verify Certificate | Optional | Unchecked | Whether to skip verifying the authenticity of the endpoint's certificate. |
| Endpoint | Required | | The URL used to access the HTTP Event Collector. |
| Token | Required | | The Splunk Token to allow Multicloud Defense to communicate with Splunk. |
| Index | Required | main | The name of the Splunk index used to store events. |
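As an added illustration (not Multicloud Defense's own code), the following Python shows what a forwarder built on the profile parameters above actually sends to the Splunk HTTP Event Collector: the JSON envelope carrying the event and the Index, the token in the `Authorization: Splunk <token>` header, and the `/services/collector/event` path, all per Splunk's HEC documentation. The `skip_verify_certificate` flag mirrors the Skip Verify Certificate checkbox; the endpoint, token and event field names are constructed placeholders.

```python
import json
import ssl
import time
import urllib.request
from typing import Any, Dict, Optional, Tuple

HEC_EVENT_PATH = "/services/collector/event"


def build_hec_request(endpoint: str, token: str, index: str, event: Dict[str, Any],
                      sourcetype: str = "_json",
                      event_time: Optional[float] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body) for one POST to the HEC event endpoint.

    HEC wraps the log record in a JSON envelope: 'event' carries the record,
    'index' selects the target index (the profile's Index parameter), and the
    token is sent as 'Authorization: Splunk <token>'.
    """
    url = endpoint.rstrip("/")
    if url.endswith("/services/collector"):      # collector base given, add /event
        url += "/event"
    elif not url.endswith(HEC_EVENT_PATH):       # bare host:port given, add full path
        url += HEC_EVENT_PATH
    envelope = {
        "time": event_time if event_time is not None else time.time(),
        "index": index,
        "sourcetype": sourcetype,
        "event": event,
    }
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return url, headers, json.dumps(envelope).encode("utf-8")


def send_hec_event(endpoint: str, token: str, index: str, event: Dict[str, Any],
                   skip_verify_certificate: bool = False, timeout: int = 10):
    """POST one event. With skip_verify_certificate=False (the default, matching the
    unchecked checkbox) the HEC server's TLS certificate is validated against the
    system trust store; True disables both chain and hostname checks."""
    url, headers, body = build_hec_request(endpoint, token, index, event)
    context = ssl.create_default_context()
    if skip_verify_certificate:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


# Constructed sample record in the spirit of a Security Event; field names are illustrative.
SAMPLE_EVENT = {"type": "security_event", "action": "deny",
                "src_ip": "198.51.100.23", "dst_port": 443, "rule": "block-egress"}

if __name__ == "__main__":
    url, headers, body = build_hec_request("https://splunk.example.com:8088",
                                           "PLACEHOLDER-HEC-TOKEN", "main", SAMPLE_EVENT)
    print(url, headers, body.decode("utf-8"), sep="\n")
```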