Overview
This guide provides step-by-step instructions for integrating event data from the Secure Work platform into Splunk Cloud and Splunk Enterprise. The integration allows security teams and administrators to centralize logs, visualize activity, and generate alerts within Splunk, enhancing visibility into events generated by Secure Work.
By following this guide, you will learn how to:
Configure the Secure Work platform to send event data.
Connect and authenticate with Splunk Cloud or Splunk Enterprise.
Verify that data is flowing into Splunk.
This integration ensures that your organization can leverage Splunk’s powerful analytics and monitoring capabilities alongside Secure Work’s event data for improved incident detection, investigation, and response.
Prerequisites
Before beginning the integration, ensure you have the following:
Configured Secure Work tenant
You must have an active and properly configured Beyond Identity Secure Work tenant. This includes access to the Secure Work Admin Console with permissions to generate API keys or configure event forwarding.
Admin-level Splunk Cloud account
An account in Splunk Cloud or Splunk Enterprise with administrative privileges is required. This ensures you can create data inputs, configure authentication tokens, and manage indexes where Secure Work event data will be stored.
Network and connectivity requirements
Verify that outbound connections from Secure Work to Splunk Cloud/Enterprise are not restricted by your organization’s firewall or proxy settings.
Steps
Creating an HTTP Event Collector
1. Access your Splunk Cloud or Enterprise admin console and log in as a user with administrative privileges.
2. On the top navigation menu, click Settings.
3. Next, from the Settings drop-down menu, click Data inputs.
4. In the Data inputs section, look for the HTTP Event Collector type, and under Actions, click +Add new.
5. To configure a new token for receiving data over HTTP, provide a Name.
6. Leave all the other fields blank, then click Next.
7. In the Input Settings page's Index section, click add all.
8. Click the Default Index drop-down and select main. When you are finished, click Review.
9. Review the configuration details, then click Submit.
10. If the token is created successfully, copy its value and store it in a secure location. You will need this token in later steps.
Beyond Identity Console Configuration
11. Log in to your Beyond Identity Secure Work tenant.
12. On the left-hand navigation menu, click Integrations.
13. Next, click the SIEM tab.
14. Then, click Add SIEM Integration.
15. In the dialog window, select Splunk as the SIEM Provider.
16. Enter the following details:
Name – Provide a descriptive name for the integration. You can choose any value that helps you identify this configuration later.
HEC Token – Paste the token you copied from the Splunk console (see Step 10).
HEC Host – Enter the URL (hostname) of your Splunk instance. Do not include the https:// prefix.
HEC Port – Enter 8088.
Note: Your firewall must allow inbound SSL/TLS traffic on this port from Beyond Identity, or the event integration will not work correctly.
Events – Select the event types that you want to receive in Splunk.
Threat Signals – Select the threat signals that you want to receive in Splunk.
Status – Toggle to ACTIVE.
17. After entering all required information, click Test Configuration to verify that the integration is working correctly.
18. A confirmation banner will appear stating, Your configuration is valid. This indicates that Secure Work can successfully send event data to your Splunk account.
19. Next, click Save Changes.
Verify Events in Splunk Cloud
After completing the configuration, you can verify that Secure Work events are flowing into Splunk Cloud. Events should begin appearing within a few minutes.
Log in to your Splunk Cloud instance.
Run a search query similar to the following, replacing TENANT_CONFIGURED with the ID of the Secure Work tenant you configured:
index="main" source="BI_events_http" actor.tenant_id="TENANT_CONFIGURED"
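The SIEM dialog settings above and the verification search are easier to troubleshoot when you can reproduce the request yourself. The following Python script is an added example, not part of this guide and not a Beyond Identity or Splunk tool: it assembles the same kind of HEC request Secure Work makes from the values you entered (HEC Host without the https:// prefix, HEC Port 8088, the HEC Token as an Authorization: Splunk header), posts a clearly labelled synthetic event, translates Splunk's documented HEC response codes into troubleshooting hints, and prints the verification search with your tenant ID filled in. The endpoint path /services/collector/event, the header format and the response codes come from Splunk's HEC documentation; the hostname, function names and the synthetic event are constructed for illustration.

```python
"""Added example: build, send and troubleshoot a Splunk HEC test event.

Uses the values the Secure Work SIEM dialog asks for (HEC Host without
https://, HEC Port 8088, HEC Token) and the verification search from the guide.
"""
import json
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

HEC_PORT = 8088  # the value the guide tells you to enter as "HEC Port"

# HEC response codes from Splunk's HEC documentation, each with a troubleshooting hint.
HEC_CODES = {
    0: ("Success", "HEC accepted the event"),
    1: ("Token disabled", "re-enable the token under Settings > Data inputs > HTTP Event Collector"),
    2: ("Token is required", "the Authorization header was missing"),
    3: ("Invalid authorization", "the Authorization header was malformed"),
    4: ("Invalid token", "the token pasted into the Secure Work dialog does not match Splunk"),
    5: ("No data", "the request body was empty"),
    6: ("Invalid data format", "the body was not valid HEC JSON"),
    7: ("Incorrect index", "the token may not write to this index; revisit Step 7 (add all)"),
    8: ("Internal server error", "retry and check splunkd logs on the indexer"),
    9: ("Server is busy", "retry later"),
}


def normalize_hec_host(hec_host: str) -> str:
    """Return a bare hostname as the Secure Work dialog expects (strips https:// and a trailing slash)."""
    host = hec_host.strip()
    for prefix in ("https://", "http://"):
        if host.lower().startswith(prefix):
            host = host[len(prefix):]
    host = host.rstrip("/")
    if not host or "/" in host or " " in host:
        raise ValueError(f"HEC Host must be a bare hostname, got {hec_host!r}")
    return host


def hec_endpoint(hec_host: str, port: int = HEC_PORT) -> str:
    """HEC event endpoint; the guide requires SSL/TLS on this port, hence https."""
    return f"https://{normalize_hec_host(hec_host)}:{port}/services/collector/event"


def hec_headers(token: str) -> dict:
    """HEC authenticates each request with 'Authorization: Splunk <token>'."""
    if not token.strip():
        raise ValueError("HEC token is empty; paste the value copied in Step 10")
    return {"Authorization": f"Splunk {token.strip()}", "Content-Type": "application/json"}


def build_test_event(tenant_id: str, index: str = "main", source: str = "BI_events_http") -> dict:
    """Wrap a constructed synthetic event in the HEC envelope; index/source match the guide's search."""
    return {
        "index": index,
        "source": source,
        "sourcetype": "_json",
        "event": {
            "event_type": "hec_connectivity_test",  # constructed value, not a Secure Work event type
            "actor": {"tenant_id": tenant_id},
            "message": "synthetic connectivity test event",
        },
    }


def verification_query(tenant_id: str, index: str = "main", source: str = "BI_events_http") -> str:
    """The guide's SPL search with the TENANT_CONFIGURED placeholder filled in."""
    return f'index="{index}" source="{source}" actor.tenant_id="{tenant_id}"'


def explain_hec_response(status: int, body: str) -> str:
    """Turn an HEC reply (HTTP status plus JSON body) into one troubleshooting line."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        code = None
    name, hint = HEC_CODES.get(code, ("unknown response", "check HEC health and the port 8088 firewall rule"))
    return f"{'ok' if code == 0 else 'error'}: HTTP {status}, HEC code {code} ({name}): {hint}"


def send_test_event(hec_host: str, token: str, tenant_id: str, timeout: float = 10.0) -> str:
    """POST the synthetic event to HEC and explain the outcome (this part needs network access)."""
    req = urllib.request.Request(
        hec_endpoint(hec_host),
        data=json.dumps(build_test_event(tenant_id)).encode(),
        headers=hec_headers(token),
        method="POST",
    )
    try:  # default context verifies the Splunk certificate chain
        with urllib.request.urlopen(req, timeout=timeout, context=ssl.create_default_context()) as resp:
            return explain_hec_response(resp.status, resp.read().decode())
    except HTTPError as err:  # HEC returns 4xx/5xx with a JSON body describing the code
        return explain_hec_response(err.code, err.read().decode(errors="replace"))
    except URLError as err:
        return f"error: connection failed ({err.reason}); is port {HEC_PORT} reachable and open for TLS?"
```

Usage: call send_test_event("splunk.example.com", "<hec-token>", "<tenant-id>") from a host that can reach your Splunk instance, then run the string returned by verification_query("<tenant-id>") in Splunk. A response of HEC code 4 or 7 points straight at the token or the index selection from Steps 7 and 10, while a connection failure points at the firewall rule for port 8088 rather than at the Secure Work configuration.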
Appendix
If you are a developer, refer to the Beyond Identity Developer API Guide to learn how to retrieve event types programmatically.
You can access the documentation here:
https://developer.beyondidentity.com/api/v0#tag/Events/operation/getEvents