
Activate and Configure Splunk - Incident Enrichment integration


The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including the Splunk - Incident Enrichment integration. Before you can use the Splunk - Incident Enrichment integration, you must activate the Security Operations Splunk Integration (com.snc.secops.splunk) plugin and add the appropriate API Base URL and login credentials.

Before you begin

Role required: admin


  1. Access Splunk and obtain the API Key and API ID under your profile.
  2. Navigate to Security Operations > Integration Configuration.
    The available security integrations appear as a series of cards.
    [Figure: Splunk - Incident Enrichment integration card]
  3. In the Splunk - Incident Enrichment card, click Install Plugin.
  4. When the activation is complete, click Close & Reload Form.
    The Security Integration screen reloads and the Configure button for the integration is available.
  5. Click Configure.
  6. Enter the Splunk API Base URL you acquired from the Splunk site.
  7. [Optional] Enter the Link URL, a link to the Splunk web interface, if one is available.
  8. Enter your Splunk Username.
  9. Enter your Splunk Password.
  10. Enter the Max Rows - the maximum number of rows you want to search.
  11. Enter the Earliest Result (days) - the earliest results you want to see in number of days.
    Note: Configuring this integration activates workflows. To manage the workflows, go to the Workflow Editor.
  12. Click Submit.
    You are returned to the Security Integrations screen. You are ready to use the Splunk - Incident Enrichment integration.
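The values entered in steps 6 through 11 are easy to get subtly wrong (a plaintext `http://` base URL, credentials pasted into the URL instead of the Username and Password fields, an unbounded row count). The following pre-flight check is an added example, not ServiceNow or Splunk code: it validates a constructed copy of the form values before you click Submit. How the integration maps Max Rows and Earliest Result (days) onto a Splunk search request is not stated on this page; the translation to a Splunk `max_count` and a relative `earliest_time` such as `-30d` is an assumption about how such an enrichment query would be built.

```python
"""Pre-flight validation of the Splunk - Incident Enrichment form values.

Added example, not ServiceNow or Splunk code. The mapping of Max Rows and
Earliest Result (days) onto Splunk search-job parameters (max_count and a
relative earliest_time) is an assumption, not something the page states.
"""
from urllib.parse import urlsplit


class ConfigError(ValueError):
    """Raised when a form value would produce an unsafe or unusable setting."""


def check_base_url(url: str, require_tls: bool = True) -> str:
    """Return a normalised base URL (scheme://host[:port]/path) or raise ConfigError.

    Rejects the mistakes most likely to expose the Splunk account: a plaintext
    scheme, credentials embedded as user:pass@host, a missing host, and a
    query string or fragment that does not belong in a base URL.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ConfigError(f"unsupported scheme {parts.scheme!r}; expected https")
    if require_tls and parts.scheme != "https":
        raise ConfigError("API Base URL must use https so the Splunk password is not sent in clear text")
    if not parts.hostname:
        raise ConfigError("API Base URL has no host")
    if parts.username or parts.password:
        raise ConfigError("do not embed credentials in the URL; use the Username and Password fields")
    if parts.query or parts.fragment:
        raise ConfigError("API Base URL must not carry a query string or fragment")
    host = parts.hostname
    if parts.port:
        host += f":{parts.port}"
    return f"{parts.scheme}://{host}{parts.path.rstrip('/')}"


def check_positive_int(name: str, value, upper: int) -> int:
    """Parse a numeric form field and enforce 1 <= value <= upper."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise ConfigError(f"{name} must be a whole number, got {value!r}") from None
    if not 1 <= n <= upper:
        raise ConfigError(f"{name} must be between 1 and {upper}, got {n}")
    return n


def build_search_params(max_rows, earliest_days) -> dict:
    """Translate Max Rows and Earliest Result (days) into Splunk search-job
    parameters (assumed mapping: Splunk accepts relative times such as -30d
    for earliest_time and caps returned events with max_count)."""
    rows = check_positive_int("Max Rows", max_rows, upper=10_000)
    days = check_positive_int("Earliest Result (days)", earliest_days, upper=365)
    return {"earliest_time": f"-{days}d", "latest_time": "now", "max_count": rows}


def validate_config(cfg: dict) -> dict:
    """Validate a dict holding the form fields; return the normalised values.

    The password is checked for presence only and is never copied into the
    returned dict, so the result is safe to log.
    """
    out = {"api_base_url": check_base_url(cfg["api_base_url"])}
    if cfg.get("link_url"):
        # The Link URL points at the Splunk web UI; same hygiene rules apply.
        out["link_url"] = check_base_url(cfg["link_url"])
    if not cfg.get("username") or not cfg.get("password"):
        raise ConfigError("Username and Password are both required")
    out["username"] = cfg["username"]
    out["search"] = build_search_params(cfg["max_rows"], cfg["earliest_days"])
    return out


if __name__ == "__main__":
    # Constructed sample of what an operator might type into the form.
    sample = {
        "api_base_url": "https://splunk.example.internal:8089/",
        "link_url": "https://splunk.example.internal:8000",
        "username": "svc-servicenow",
        "password": "placeholder-password",
        "max_rows": "500",
        "earliest_days": "30",
    }
    print(validate_config(sample))
```

Run it against the values you intend to enter; a `ConfigError` names the field and the reason, while a clean run prints the normalised base URL and the search window the integration would query. Keeping the upper bounds small (10,000 rows, 365 days) limits how much Splunk data a single enrichment lookup can pull back into the incident record.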