Activate and Configure Splunk - Incident Enrichment integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including the Splunk - Incident Enrichment integration.

Before you begin

Role required: admin
Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method.

Procedure

  1. Access Splunk and obtain the API Key and API ID under your profile.
  2. Navigate to Security Operations > Integration Configuration.
    The available security integrations appear as a series of cards.
    Figure: Splunk - Incident Enrichment integration card
  3. In the Splunk - Incident Enrichment card, click Install Plugin.
  4. When the activation is complete, click Close & Reload Form.
    The Security Integration screen reloads and the Configure button for the integration is available.
  5. Click Configure.
  6. Enter the Splunk API Base URL you acquired from the Splunk site.
  7. [Optional] Enter the Link URL, which links to the Splunk web interface when available.
  8. Enter your Splunk Username.
  9. Enter your Splunk Password.
  10. Enter the Max Rows - the maximum number of rows you want to search.
  11. Enter the Earliest Result (days) - the earliest results you want to see in number of days.
    Note: Configuring this integration activates workflows. To manage the workflows, go to the Workflow Editor.
  12. Click Submit.
    You are returned to the Security Integrations screen. You are ready to use the Splunk - Incident Enrichment integration.
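As an added pre-flight check (not part of this documentation and not the integration's own code), the following Python script validates the values from steps 6 through 11 before you submit the form and, optionally, runs one bounded search against Splunk's REST API with the same limits. It assumes the Splunk management port (usually 8089) is reachable from where you run it, that the account can use HTTP Basic authentication against the REST API, and that Max Rows and Earliest Result (days) correspond to Splunk's result `count` and `earliest_time`; that mapping is an assumption about the integration, not something the page states. The hostname, account and query in the usage call are constructed placeholders.

```python
"""Pre-flight check for the Splunk - Incident Enrichment connection settings.

Added example: validates the form values and optionally runs one bounded
search through Splunk's documented REST endpoint /services/search/jobs.
The mapping of Max Rows -> 'count' and Earliest Result (days) ->
'earliest_time' is an assumption about how the integration uses them.
"""
import base64
import json
import urllib.parse
import urllib.request


def validate_settings(api_base_url, username, password, max_rows,
                      earliest_days, link_url=None):
    """Return a list of problems with the settings; an empty list means OK."""
    problems = []
    parsed = urllib.parse.urlparse(api_base_url)
    if parsed.scheme != "https":
        problems.append("API Base URL should use https so the Splunk "
                        "credentials are not sent in clear text")
    if not parsed.netloc:
        problems.append("API Base URL has no host")
    if link_url:
        lp = urllib.parse.urlparse(link_url)
        if lp.scheme not in ("http", "https") or not lp.netloc:
            problems.append("Link URL is not a valid http(s) URL")
    if not username or not password:
        problems.append("Username and Password are required")
    if not isinstance(max_rows, int) or max_rows < 1:
        problems.append("Max Rows must be a positive integer")
    if not isinstance(earliest_days, int) or earliest_days < 1:
        problems.append("Earliest Result (days) must be a positive integer")
    return problems


def search_params(max_rows, earliest_days, query):
    """Translate the form's limits into Splunk search-job parameters.

    Splunk requires the SPL to start with a command, so a bare
    'index=... ' query is prefixed with 'search'.
    """
    spl = query.strip()
    if not spl.startswith("search") and not spl.startswith("|"):
        spl = "search " + spl
    return {
        "search": spl,
        "earliest_time": f"-{earliest_days}d",   # assumption: days -> relative time
        "latest_time": "now",
        "max_count": max_rows,                   # cap events kept by the job
        "output_mode": "json",
    }


def run_bounded_search(api_base_url, username, password, max_rows,
                       earliest_days, query="index=_internal | head 5"):
    """Run one blocking search with the form's limits and return result rows.

    Needs network access to Splunk's management port. TLS verification is
    left at the default (on); fix the certificate rather than disabling it.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token}
    base = api_base_url.rstrip("/")

    params = search_params(max_rows, earliest_days, query)
    params["exec_mode"] = "blocking"          # POST returns once the job is done
    req = urllib.request.Request(base + "/services/search/jobs",
                                 data=urllib.parse.urlencode(params).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        sid = json.load(resp)["sid"]

    qs = urllib.parse.urlencode({"output_mode": "json", "count": max_rows})
    req = urllib.request.Request(f"{base}/services/search/jobs/{sid}/results?{qs}",
                                 headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)["results"]


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own before running.
    settings = dict(api_base_url="https://splunk.example.internal:8089",
                    username="svc_servicenow", password="CHANGE_ME",
                    max_rows=100, earliest_days=7,
                    link_url="https://splunk.example.internal:8000")
    for problem in validate_settings(**settings):
        print("problem:", problem)
    if not validate_settings(**settings):
        rows = run_bounded_search(settings["api_base_url"], settings["username"],
                                  settings["password"], settings["max_rows"],
                                  settings["earliest_days"])
        print(f"search returned {len(rows)} rows (capped at {settings['max_rows']})")
```

Run the validation first on its own; only call `run_bounded_search` once the settings pass, since a rejected login or an unreachable host is the most common reason the enrichment workflows return nothing after you click Submit.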