This note describes how to configure CloudGuard to send compliance findings to Splunk. This involves the configuration of an HTTP Event Collector on your Splunk instance, and the configuration of a Compliance Notification Policy on CloudGuard.
There are many ways to configure Splunk Event Collectors (see here for details). The steps below describe a typical case, for Splunk Cloud.
Configure an HTTP Event Collector on Splunk (cloud)
- On your Splunk instance, navigate to Settings, and then select Data Input.
- In the Local inputs list, select HTTP Event Collector.
- Click New Token (upper right).
- Enter a name for the event collector, and then click Next.
- In the Input Settings, select the 'main' index in the Index section, then click Review.
- Click Submit.
- Copy the Token Value.
Configure a Dome9 Notification Policy
- On the Dome9 Web Application, navigate to Notifications in the Compliance & Governance menu.
- Click ADD NOTIFICATION.
- Enter a name & description for the policy.
- Select Send to HTTP Endpoint in the Immediate Notification section.
- Copy the URL of your Splunk instance, and enter this in the Endpoint URL field. Press Test to check the connection.
- From the Authentication Type drop down list, select Basic.
- Paste the Splunk token (from the previous section) in the Password field, and enter any value for the Username.
- Select Splunk - JSON.
- Check the option to use self-signed certificates.
- Click SAVE.
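Before attaching the notification policy to a compliance policy, it helps to confirm from outside CloudGuard that the collector really accepts events with the credentials configured above (an arbitrary username, the HEC token as the Basic-auth password, JSON body, 'main' index). The script below is an added example, not part of this note or of the Dome9/Splunk products: it posts one constructed sample finding and reads Splunk's JSON reply so that a rejected token or a wrong index shows up by name. The sample finding, the `dome9` username, the hostname and the `:8088/services/collector` path in the placeholder URL are assumptions (the port and path are Splunk's HEC defaults; use the URL you entered in the Endpoint URL field).

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample finding for the test post. This is NOT the Dome9 finding
# schema; real findings appear as JSON blocks in Splunk once the policy is live.
SAMPLE_FINDING = {
    "rule": "S3 bucket allows public read",
    "severity": "High",
    "entity": "arn:aws:s3:::example-bucket",
    "status": "open",
}


def basic_auth_header(username, token):
    """HTTP Basic credentials as the notification policy sends them: any
    username, with the HEC token as the password (HEC accepts the token this way)."""
    raw = f"{username}:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_hec_request(endpoint_url, token, finding, index="main", username="dome9"):
    """Assemble the headers and the HEC event envelope for one finding.
    `index` defaults to 'main' because that is the index chosen for the collector."""
    headers = {
        "Authorization": basic_auth_header(username, token),
        "Content-Type": "application/json",
    }
    envelope = {"index": index, "event": finding}
    return endpoint_url, headers, envelope


def hec_accepted(response_body):
    """Interpret HEC's JSON reply ({"text": ..., "code": ...}); code 0 is Success.
    Returns (accepted, text) so a failed test shows the reason Splunk gave."""
    if isinstance(response_body, bytes):
        response_body = response_body.decode("utf-8", "replace")
    try:
        reply = json.loads(response_body)
    except ValueError:
        # Not an HEC reply at all (e.g. an HTML error page from a proxy in front).
        return False, response_body[:200]
    return reply.get("code") == 0, reply.get("text", "")


def send_test_finding(endpoint_url, token, finding=SAMPLE_FINDING, allow_self_signed=False):
    """POST one finding to the collector and report whether Splunk accepted it."""
    url, headers, envelope = build_hec_request(endpoint_url, token, finding)
    context = ssl.create_default_context()
    if allow_self_signed:
        # Equivalent of the policy's self-signed certificate option: disables chain
        # and hostname verification, so use it only when the endpoint really has one.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    request = urllib.request.Request(
        url, data=json.dumps(envelope).encode(), headers=headers, method="POST"
    )
    try:
        with urllib.request.urlopen(request, context=context, timeout=10) as response:
            return hec_accepted(response.read())
    except urllib.error.HTTPError as err:
        # HEC answers rejected requests (bad or disabled token, unknown index) with
        # a 4xx status and the same JSON shape, so read the reason from the body.
        return hec_accepted(err.read())


if __name__ == "__main__":
    # Placeholder values: replace with your collector URL and the token copied above.
    accepted, text = send_test_finding(
        "https://splunk.example.test:8088/services/collector",
        "PASTE-HEC-TOKEN-HERE",
    )
    print("accepted" if accepted else "rejected", text)
```

If the script reports rejected with a reason such as an invalid token or an incorrect index, fix the collector or the token's allowed index before returning to the Dome9 policy; the Test button in the policy will otherwise fail for the same reason. Leave `allow_self_signed` at its default unless the endpoint genuinely presents a self-signed certificate, since enabling it removes certificate validation for that connection.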
Configure Dome9 Compliance Policies to use the Notification Policy
In order to send findings to Splunk using the integration described above, the Dome9 Notification Policy must be associated with a Continuous Compliance Policy. Follow the steps below to do this. Once this is done, findings discovered by this compliance policy will be sent to Splunk as soon as they are discovered (findings already reported by an earlier Dome9 policy assessment will not be sent again).
- In the Dome9 Web Application, navigate to Policies in the Compliance & Governance menu.
- If you already have a continuous compliance policy, and want to send its findings to Splunk, click the edit icon on the right.
- Select the Notification Policy created above, and then click SAVE.
- Alternatively, ADD POLICY to create a new policy. Follow the steps here to create the policy. Select the Notification Policy created above as one of the notifications.
Note: to send findings discovered before the Notification Policy was attached, select the Compliance Policy in the list on the Policies page, and click Send all Alerts on the right.
View findings on Splunk
All new findings for this policy will be sent to Splunk.
- Select Search & Reporting in the main Apps menu.
- Click Data Summary.
- Click on the link for your instance, for a list of Dome9 findings (Count shows the total number of findings).
The list shows each finding as a JSON block.