Splunk Integration

Integration of AIR with Splunk is possible via a feature called "Post Actions".

  • When Splunk generates an alert for an incident, it sends a JSON payload to the URL provided in Workflow Actions.

  • The POSTed payload contains important information about the alert, such as the Host Name, IP Address, and other alert-specific details.

  • Upon receiving this JSON data, AIR parses the payload, extracts the IP address or hostname from it, and automatically assigns an acquisition task to the endpoint in question. The acquisition profile used for this task is the one you provide when you create the trigger.

Steps to Integrate

  • Visit the Triggers page in Binalyze AIR

  • Click the "+ New Trigger" button on the upper right corner

  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.)

  • Select "Splunk: Generic Splunk Webhook Parser" as the parser for this trigger

  • Select an Acquisition Profile that will be used when this trigger is activated by Splunk

  • Select the Ignore option or leave it at its default value (defaults to 24 hours for recurrent alerts on a single endpoint)

  • Provide other settings such as Compression, Encryption, and the Evidence Repository to use, or let AIR configure them automatically based on the matching policy

  • Click the "Save" button

  • Hover your mouse over the link below the trigger name and click it to copy the Trigger URL (see below)

  • Head over to Splunk and create a POST Workflow Action for your workflow

    • Provide the Trigger URL you copied above as the URI of the newly created Workflow Action

    • Make sure you have provided the Host Name or IP Address in Post Arguments

  • At this point, whenever Splunk generates an alert for an endpoint, the information will be sent to AIR for it to automatically assign an acquisition task to the endpoint in question.
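The receiving side of this flow, as an added illustration that is not AIR's own "Generic Splunk Webhook Parser" code: a minimal handler that pulls the hostname or IP address out of a posted alert body, validates the IP, and applies the trigger's Ignore window so that a recurrent alert for the same endpoint within 24 hours does not create a second acquisition task. The payload shape and the field names (`host`, `hostname`, `ip`, `ip_address`) are assumptions; in practice they are whatever Post Arguments the Workflow Action is configured to send.

```python
import ipaddress
import json

# Constructed sample payloads. The key names are assumptions: in practice they
# are whatever Post Arguments the Splunk Workflow Action is configured to send.
ALERT_WITH_HOSTNAME = json.dumps({"search_name": "RDP Brute Force Trigger",
                                  "result": {"host": "WS-042.corp.example"}})
ALERT_WITH_IP = json.dumps({"search_name": "Phishing Detected Trigger",
                            "result": {"ip_address": " 10.20.30.40 "}})
ALERT_WITHOUT_ENDPOINT = json.dumps({"search_name": "Broken Trigger", "result": {}})

HOSTNAME_KEYS = ("host", "hostname")
IP_KEYS = ("ip", "ip_address")

def extract_endpoint(payload):
    """Return ('hostname', value) or ('ip', value) from a webhook body, else None."""
    data = json.loads(payload)
    fields = data.get("result", data)  # accept both nested and flat bodies
    for key in HOSTNAME_KEYS:
        value = str(fields.get(key) or "").strip()
        if value:
            return ("hostname", value.lower())
    for key in IP_KEYS:
        value = str(fields.get(key) or "").strip()
        if value:
            try:
                return ("ip", str(ipaddress.ip_address(value)))
            except ValueError:
                continue  # malformed address: never create a task from it
    return None

class TriggerDispatcher:
    """One trigger: its acquisition profile plus the Ignore window for repeats."""

    def __init__(self, profile, ignore_seconds=24 * 3600):
        self.profile = profile
        self.ignore_seconds = ignore_seconds
        self._last_task = {}  # endpoint -> epoch seconds of the last assigned task

    def handle(self, payload, now):
        """Decide what to do with one alert received at time `now` (epoch seconds)."""
        endpoint = extract_endpoint(payload)
        if endpoint is None:
            return {"action": "reject", "reason": "no hostname or IP in payload"}
        last = self._last_task.get(endpoint)
        if last is not None and now - last < self.ignore_seconds:
            return {"action": "ignore", "endpoint": endpoint}
        self._last_task[endpoint] = now
        return {"action": "assign", "endpoint": endpoint, "profile": self.profile}
```

A second alert for `WS-042.corp.example` one hour after the first is ignored, while one arriving 25 hours later is assigned again.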
