Overview
The integration of Traceable AI with Splunk allows seamless forwarding of security events and notifications to Splunk for real-time monitoring. This setup helps consolidate alert data from Traceable into Splunk, enabling your operations and security teams to quickly detect, investigate, and respond to threats such as SQL Injection, Remote Code Execution, or Authorization Bypass.
Using Splunk’s HTTP Event Collector (HEC), you can send notifications over HTTP/HTTPS, ensuring that Traceable events are available for further analysis in Splunk’s dashboards.
Before You Begin
Make sure you have the following before starting the integration process:
- HTTP Event Collector (HEC) URL: If you need to create one, follow the steps in Splunk’s documentation: Set up HEC on Splunk Web.
- API Token for HEC: Generate an API token by following these instructions: Manage API Tokens in Splunk.
Step-by-Step Integration Process
1. Configure HEC in Splunk
- Log in to your Splunk instance.
- Navigate to Settings → Data Inputs → HTTP Event Collector (HEC).
- Create a new HEC token and provide:
  - Token name (for easy identification)
  - (Optional) Source name override
- Specify the index where Traceable events will be stored.
- Click Submit and copy the generated token for use in the next step.
2. Connect Splunk HEC to Traceable
- Log into Traceable and go to Integrations → SIEM/SOAR → Splunk.
- Provide the following:
  - HEC URL (e.g., https://<your-splunk-server>:8088/services/collector)
  - HEC_API_TOKEN (copied from Splunk)
- Traceable will validate the connection. If successful, the Save button will be enabled.
Creating Notifications in Traceable
1. Go to Settings → Configuration → Notifications in Traceable.
2. Click Create Channel and provide the relevant details for a new Splunk notification channel.
3. After creating the channel, configure a notification rule to determine which events (e.g., SQL Injection, Remote Code Execution) will be forwarded to Splunk.
4. Choose the frequency of notifications (e.g., hourly or daily).
Testing the Integration
To ensure everything is set up correctly, send a test event to Splunk using the following command:
curl "https://<your-splunk-server>:8088/services/collector" \
-H "Authorization: Splunk <your-token>" \
-d '{"event": "Test Event from Traceable", "sourcetype": "traceable"}'
Troubleshooting Tips
- Validation Failed? Ensure the HEC URL and API token are correct, and the token has not expired.
- No Events in Splunk? Double-check the index configuration and ensure that the HEC endpoint is active.
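The following Python script is an added example (not part of Traceable's or Splunk's own tooling) that does what the curl command above does, plus the checks a practitioner wants when the test event or the Traceable validation fails: it warns if the HEC URL is plain HTTP (the token would travel in cleartext) or does not point at the collector path, builds the same JSON event and "Authorization: Splunk <token>" header, and maps the numeric code in Splunk's JSON reply to the matching troubleshooting tip. The host, token and reply bodies are constructed placeholders; the reply-code meanings are taken from Splunk's HEC documentation and should be checked against your Splunk version.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed placeholders: replace with the HEC URL and token from Splunk.
HEC_URL = "https://<your-splunk-server>:8088/services/collector"
HEC_TOKEN = "<your-token>"

# Subset of HEC reply codes (per Splunk's HEC docs; verify for your version)
# mapped to the troubleshooting step that usually applies.
HEC_REPLY_HINTS = {
    0: "Success: event accepted; search the index configured for the token.",
    2: "Token is required: the Authorization header was missing.",
    3: "Invalid authorization: header must read 'Authorization: Splunk <token>'.",
    4: "Invalid token: re-copy it from Settings -> Data Inputs -> HEC; it may be disabled or expired.",
    7: "Incorrect index: the index in the event is not allowed for this token.",
}


def check_hec_url(url):
    """Return a list of warnings about a HEC URL before any token is sent."""
    parsed = urlparse(url)
    warnings = []
    if parsed.scheme != "https":
        warnings.append("HEC URL is not https: the token would be sent in cleartext.")
    if not parsed.path.startswith("/services/collector"):
        warnings.append("HEC URL does not end in /services/collector.")
    return warnings


def build_hec_request(url, token, event, sourcetype="traceable", index=None):
    """Build the POST request the curl example sends; returns (request, payload)."""
    payload = {"event": event, "sourcetype": sourcetype}
    if index:
        payload["index"] = index  # optional: override the token's default index
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req, payload


def interpret_hec_reply(raw_body):
    """Parse a HEC JSON reply such as {"text":"Success","code":0}; return (code, hint)."""
    try:
        reply = json.loads(raw_body)
    except json.JSONDecodeError:
        return None, f"Non-JSON reply from HEC endpoint: {raw_body[:200]!r}"
    code = reply.get("code")
    hint = HEC_REPLY_HINTS.get(code, f"Unrecognised HEC reply: {reply}")
    return code, hint


def send_test_event(url, token, index=None, timeout=10):
    """Send the test event and return (code, hint) from Splunk's reply."""
    req, _ = build_hec_request(url, token, "Test Event from Traceable", index=index)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_hec_reply(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # HEC answers bad tokens/indexes with 4xx and a JSON body carrying the code
        return interpret_hec_reply(err.read().decode("utf-8"))


if __name__ == "__main__":
    for warning in check_hec_url(HEC_URL):
        print("WARNING:", warning)
    if "<" not in HEC_URL and "<" not in HEC_TOKEN:  # only send once placeholders are replaced
        code, hint = send_test_event(HEC_URL, HEC_TOKEN)
        print(f"HEC reply code {code}: {hint}")
```

Run it after replacing the two placeholders; a code of 0 confirms the token and endpoint, while 4 or 7 point directly at the "Validation Failed?" and "No Events in Splunk?" tips above.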
Additional Resources
Traceable Splunk Integration Documentation
This guide helps ensure a smooth integration between Traceable AI and Splunk using HEC. If you encounter issues during the setup process, feel free to contact Traceable Support at support@traceable.ai.