Splunk Integration
Integration of AIR with Splunk is possible via a feature called "".
When Splunk generates an alert for an incident, it sends a JSON payload to the URL provided in Workflow Actions.
The POSTed payload contains the important details of the alert, such as the Host Name, the IP Address, and other alert-specific fields.
Upon receiving this JSON data, AIR parses the payload and extracts IP address or Hostname from it, and automatically assigns an acquisition task to the endpoint in question. The acquisition profile that will be used for this task is provided when you create a trigger.
Visit the Triggers page in Binalyze AIR
Click the "+ New Trigger" button on the upper right corner
Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.)
Select "Splunk: Generic Splunk Webhook Parser" as the parser for this trigger
Select an Acquisition Profile that will be used when this trigger is activated by Splunk
Select the Ignore option or leave it at its default value (defaults to 24 hours, so recurrent alerts for the same endpoint within that window do not create a new task)
Provide other settings such as Compression, Encryption, and the Evidence Repository to use, or let AIR configure them automatically based on the matching policy
Click the "Save" button
Hover your mouse over the link below the Trigger name and click it to copy the Trigger URL
Head over to Splunk and create a for your workflow
Provide the Trigger URL you have copied above as the URI
to the newly created Workflow Action,
Make sure you have provided the Host Name or IP Address in Post Arguments
At this point, whenever Splunk generates an alert for an endpoint, the information will be sent to AIR for it to automatically assign an acquisition task to the endpoint in question.
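The receiving side of this flow, written here as an added illustration rather than Binalyze AIR's own code, can be modelled in a few dozen lines: parse the JSON body that Splunk POSTs, pull out a hostname or IP address, validate it so a malformed field never becomes a task target, and apply the trigger's ignore window so a recurring alert for one endpoint does not pile up acquisition tasks. The field names (`dest_ip`, `hostname`, and so on), the sample alert body and the acquisition profile name are all assumptions made for this example; match them to the Post Arguments you actually configured in Splunk.

```python
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed field names that a Splunk Workflow Action might place in its POST
# arguments. Real key names depend on how the action was configured.
HOST_FIELDS = ("hostname", "host", "dest_host", "src_host")
IP_FIELDS = ("ip", "ip_address", "dest_ip", "src_ip")

# RFC 1123 style hostname: labels of 1-63 chars, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def _flatten(obj):
    """Flatten nested JSON (Splunk nests search fields under "result")
    into one dict keyed by leaf name so lookups are uniform."""
    flat = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            if isinstance(val, dict):
                flat.update(_flatten(val))
            else:
                flat[key] = val
    return flat


def extract_endpoint(payload):
    """Return ("ip", value) or ("hostname", value), or None if the payload
    carries nothing that validates as an endpoint identifier."""
    fields = _flatten(payload)
    for key in IP_FIELDS:
        val = fields.get(key)
        if val:
            try:
                return "ip", str(ipaddress.ip_address(str(val).strip()))
            except ValueError:
                pass  # not a valid address; try the hostname fields instead
    for key in HOST_FIELDS:
        val = fields.get(key)
        if val and _HOSTNAME_RE.match(str(val).strip()):
            return "hostname", str(val).strip().lower()
    return None


class TriggerHandler:
    """Models one trigger: an acquisition profile plus an ignore window that
    suppresses repeated alerts for the same endpoint."""

    def __init__(self, acquisition_profile, ignore_hours=24):
        self.acquisition_profile = acquisition_profile
        self.ignore_window = timedelta(hours=ignore_hours)
        self._last_task = {}  # endpoint -> time the last task was assigned

    def handle(self, raw_body, now):
        payload = json.loads(raw_body)
        endpoint = extract_endpoint(payload)
        if endpoint is None:
            return {"status": "rejected", "reason": "no valid hostname or IP"}
        kind, value = endpoint
        last = self._last_task.get(value)
        if last is not None and now - last < self.ignore_window:
            return {"status": "ignored", "endpoint": value}
        self._last_task[value] = now
        return {
            "status": "assigned",
            "endpoint": value,
            "endpoint_type": kind,
            "acquisition_profile": self.acquisition_profile,
            "search_name": payload.get("search_name"),
        }


# Constructed sample body shaped like a Splunk alert webhook payload.
SAMPLE_ALERT = json.dumps({
    "search_name": "RDP Brute Force",
    "sid": "scheduler__example_sid",
    "result": {"dest_ip": "10.0.0.25", "hostname": "ws-finance-07", "count": "57"},
})


def simulate():
    """Replay the same alert at +0h, +1h and +25h and return the statuses:
    the second delivery falls inside the 24h ignore window."""
    handler = TriggerHandler("Full Disk Acquisition")  # assumed profile name
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return tuple(
        handler.handle(SAMPLE_ALERT, t0 + timedelta(hours=h))["status"]
        for h in (0, 1, 25)
    )


if __name__ == "__main__":
    print(simulate())  # ('assigned', 'ignored', 'assigned')
```

The flatten step matters because Splunk's webhook action nests the search result fields under a `result` object, while a Workflow Action built from Post Arguments sends them at the top level; handling both keeps the parser indifferent to which Splunk feature produced the alert. Validating the IP with `ipaddress` before the hostname regex also guarantees that a field containing junk is dropped rather than quietly becoming a task target.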