Splunk Integration
Integration of AIR with Splunk is possible via a feature called "Post Actions".
When Splunk generates an alert for an incident, it sends a JSON payload to the URL provided in Workflow Actions.
The payload that is POSTed contains essential information about the alert, such as the Host Name, IP Address, and other alert-specific details.
Upon receiving this JSON data, AIR parses the payload and extracts the IP address or Hostname from it, and automatically assigns an acquisition task to the endpoint in question. The acquisition profile that will be used for this task is provided when you create a trigger.
Steps to Integrate
1. Visit the Triggers page in AIR.
2. Click the "+ New Trigger" button in the upper right corner.
3. Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.).
4. Select "Splunk: Generic Splunk Webhook Parser" as the parser for this trigger.
5. Select the Acquisition Profile that will be used when Splunk activates this trigger.
6. Set the Ignore option or leave it at its default value (24 hours, during which recurrent alerts for the same endpoint are ignored).
7. Provide additional settings, such as Compression, Encryption, and Evidence Repository, or let AIR configure them automatically based on the matching policy.
8. Click the "Save" button.
9. Hover your mouse over the link below the Trigger name and click to copy it (see below).
10. Head over to Splunk and create a POST Workflow Action for your workflow.
11. Provide the Trigger URL you copied above as the URI of the newly created Workflow Action, and make sure you have provided the Host Name or IP Address in the Post Arguments.
At this point, whenever Splunk generates an alert for an endpoint, the information will be sent to AIR for it to assign an acquisition task to the endpoint in question automatically.
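The receiving side described above (parse the posted payload, pick out the IP address or hostname, suppress repeat alerts for the same endpoint inside the Ignore window, then hand the endpoint and profile on for tasking), written out as an added example that is not AIR's or Splunk's code. The field names, the trigger model and the sample payload are assumptions made for the example.

```python
import ipaddress
import time
from typing import Optional

# Assumed names Splunk might send in Post Arguments; not AIR's actual field list.
IP_KEYS = ("ip", "ip_address", "dest_ip", "src_ip")
HOST_KEYS = ("hostname", "host_name", "host", "dest_host", "ComputerName")

DEFAULT_IGNORE_SECONDS = 24 * 3600  # page: recurrent alerts for one endpoint are ignored for 24 h

# Constructed sample of what a Splunk Workflow Action might POST; not a captured payload.
SAMPLE_ALERT = {"search_name": "RDP Brute Force", "host_name": "WS-042", "dest_ip": "10.20.30.40"}


def extract_endpoint(payload: dict) -> Optional[str]:
    """Return the endpoint identifier from the alert: a validated IP if present, else a hostname.

    Returns None when the payload names no endpoint, so no acquisition task is created.
    """
    for key in IP_KEYS:
        value = payload.get(key)
        if value:
            try:
                return str(ipaddress.ip_address(str(value).strip()))
            except ValueError:
                pass  # field present but not an IP address; fall back to hostname fields
    for key in HOST_KEYS:
        value = payload.get(key)
        if value and str(value).strip():
            return str(value).strip().lower()
    return None


class Trigger:
    """Assumed model of one AIR trigger: an acquisition profile plus an ignore window."""

    def __init__(self, name: str, acquisition_profile: str, ignore_seconds: int = DEFAULT_IGNORE_SECONDS):
        self.name = name
        self.acquisition_profile = acquisition_profile
        self.ignore_seconds = ignore_seconds
        self._last_seen = {}  # endpoint -> epoch seconds of the last alert that produced a task

    def handle(self, payload: dict, now: Optional[float] = None) -> Optional[dict]:
        """Return the task to assign, or None when the alert is unusable or inside the ignore window."""
        now = time.time() if now is None else now
        endpoint = extract_endpoint(payload)
        if endpoint is None:
            return None
        last = self._last_seen.get(endpoint)
        if last is not None and now - last < self.ignore_seconds:
            return None  # recurrent alert for the same endpoint: do not queue a second acquisition
        self._last_seen[endpoint] = now
        return {"trigger": self.name, "endpoint": endpoint, "profile": self.acquisition_profile}
```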