Introduction
About
This guide provides instructions on how to:
- Integrate Beyond Identity (BI) event data with Splunk Cloud
Prerequisites
Ensure that you have the following:
- A tenant configured for your organization that is able to enroll users.
Splunk Cloud configuration
- Create an HTTP Event Collector
- Open the HTTP Event Collector port
Create an HTTP Event Collector
Access your Splunk Cloud admin console and log in as a user with administrative privileges. In the dashboard, click “Settings”.
In the drop-down options, click “Data inputs”. In the “Data inputs” screen, click “Add new” to the right of “HTTP Event Collector”.
Type in a name for the HTTP Event Collector, for example “BI_events_http”, and add a relevant description. Leave the other fields at their default values. Click “Next”.
Click “add all” next to “Available items”. This should populate “Selected item(s)”. In the “Default Index” drop-down choose “main” and then click “Review”.
Review the settings and click “Submit”.
You will see “Token has been created successfully”. Copy the token value and provide it to the BI SME.
Click “Next”.
You should see the newly created HTTP Event Collector.
Configure the HTTP Event Collector with an SSL certificate
With a Splunk Cloud trial account, it is not possible to change the SSL certificate.
Open the HTTP Event Collector port
The Splunk Cloud HTTP Event Collector listens on port 8088 by default. This port must be open for SSL traffic in the firewall for the BI event integration to work.
Beyond Identity Configuration
The configuration is done in the BI admin console. Access the BI admin console through your SSO integration. Click “Integrations”, then click “SIEM”.
Click the “+” sign next to Splunk. Type in a name and, using the data from section 3.1, fill in the values for HEC Token, HEC Host and HEC Port. From the events drop-down, “select all” events or only the events you are interested in.
Verify events flowing to Splunk Cloud
You can verify with a search in Splunk Cloud a few minutes after configuration, for example:
index="main" source="BI_events_http" "actor.tenant_id"="TENANT_CONFIGURED"
Replace the source name with the one you created and actor.tenant_id with the tenant you configured.
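As an added example (not part of the original guide), the following Python check posts one constructed BI-shaped event to the collector and interprets the HEC reply, so you can confirm the token and port 8088 before waiting for real events. It assumes the standard Splunk HEC endpoint /services/collector/event and the “Authorization: Splunk <token>” header; HEC_HOST, HEC_TOKEN and TENANT_CONFIGURED are placeholders you fill in from section 3.1.

```python
"""Connectivity check for a Splunk Cloud HEC input (added example)."""
import json
import ssl
import urllib.error
import urllib.request
from datetime import datetime, timezone

HEC_PATH = "/services/collector/event"  # standard Splunk HEC event endpoint


def build_hec_request(host: str, port: int, token: str, event: dict,
                      source: str = "BI_events_http", index: str = "main"):
    """Return (url, headers, body) for one JSON event sent to HEC over HTTPS."""
    url = f"https://{host}:{port}{HEC_PATH}"
    # The token is a bearer credential: never log it or the headers dict.
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    payload = {"time": int(datetime.now(timezone.utc).timestamp()),
               "source": source, "index": index, "sourcetype": "_json",
               "event": event}
    return url, headers, json.dumps(payload).encode()


def hec_accepted(response_body: bytes) -> tuple:
    """HEC replies {"text": "Success", "code": 0} when the event is queued.
    Any other code (for example 4 "Invalid token") means it was rejected."""
    try:
        reply = json.loads(response_body)
    except ValueError:
        return False, "non-JSON reply (wrong port, or not the HEC endpoint?)"
    return reply.get("code") == 0, reply.get("text", "")


def send_test_event(host: str, port: int, token: str, tenant_id: str) -> tuple:
    """Post a constructed marker event and report whether HEC accepted it.
    TLS verification stays on; if the Splunk certificate is not trusted by
    this client, pass cafile=... to create_default_context instead of
    disabling verification."""
    event = {"event_type": "hec_connectivity_test",   # constructed marker
             "actor": {"tenant_id": tenant_id}}
    url, headers, body = build_hec_request(host, port, token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return hec_accepted(resp.read())
    except urllib.error.HTTPError as err:   # 4xx replies still carry a HEC code
        return hec_accepted(err.read())


if __name__ == "__main__":
    ok, text = send_test_event("HEC_HOST", 8088, "HEC_TOKEN", "TENANT_CONFIGURED")
    print("accepted" if ok else f"rejected: {text}")
```

After an accepted reply, the search above with "actor.tenant_id" set to your tenant should show the marker event with event_type hec_connectivity_test.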
Appendix
How to get the event types
Open https://developer.beyondidentity.com/api/v0#tag/Events/operation/getEvents
Scroll down
Click the arrow next to 200
Click body
Click events
Scroll down
The event_type field lists all the event types