Configure Splunk as a Log system for CloudGuard Dome9
This note describes how to configure Dome9 to send compliance findings to Splunk. This involves the configuration of an HTTP Event Collector on your Splunk instance, and the configuration of a Compliance Notification Policy on Dome9.
Configure an HTTP Event Collector on Splunk (cloud)
- On your Splunk instance, navigate to Settings, and then select Data Input.
- In the Local inputs list, select HTTP Event Collector.
- Click New Token (upper right).
- Enter a name for the event collector, and then click Next.
- In the Input Settings, select the 'main' index in the Index section, then click Review.
- Click Submit.
- Copy the Token Value.
Note: there are different configurations for the HTTP Event Collector. You can also configure an Event Collector for the enterprise (on-prem) version of Splunk. See here for more details.
Note: the Splunk endpoint cannot use self-signed certificates.
Configure a Dome9 Notification Policy
- On the Dome9 Web Application, navigate to Notifications in the Compliance & Governance menu.
- Click ADD NOTIFICATION.
- Enter a name & description for the policy.
- Select Send to HTTP Endpoint in the Immediate Notification section.
- Take the URL of your Splunk instance, prefix its host name with input-, and append :8088/services/collector to obtain the HTTP Endpoint URL. For example, the URL https://prd-p-s77q769mwtsd.cloud.splunk.com becomes https://input-prd-p-s77q769mwtsd.cloud.splunk.com:8088/services/collector. Enter this in the Endpoint URL field. Press Test to check the connection.
- From the Authentication Type dropdown list, select Basic.
- Paste the Splunk token (from the previous section) in the Password field, and enter any value for the Username.
- Select Splunk - JSON.
- Click SAVE.
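The following is an added example, not code from Dome9 or Splunk. It applies the URL rule above (prefix the host with input-, append :8088/services/collector), builds the same kind of request the Dome9 notification sends (HTTP POST, Basic authentication with any username and the HEC token as the password, JSON body), and can send a test event so you can confirm the collector and token work before wiring up a compliance policy. The username dome9, the token placeholder, and the contents of the test event are constructed assumptions; the field names Dome9 uses in its Splunk - JSON format are not documented on this page, so the event body is only a connectivity check.

```python
"""Added example (not Dome9's or Splunk's own code): derive the HEC endpoint URL
from a Splunk Cloud URL, build the Basic-auth request Dome9's "Send to HTTP
Endpoint" notification makes, and optionally send a test event.
Host names, username and token below are constructed placeholders."""
import base64
import json
import os
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit

HEC_PORT = 8088
HEC_PATH = "/services/collector"


def hec_url_from_splunk_url(splunk_url: str) -> str:
    """Apply the rule from the note: prefix the host with 'input-' and
    append ':8088/services/collector'. Only https is accepted."""
    parts = urlsplit(splunk_url)
    if parts.scheme != "https":
        raise ValueError("Splunk HEC endpoint must be reached over https")
    host = parts.hostname
    if host is None:
        raise ValueError("URL has no host name")
    if not host.startswith("input-"):
        host = "input-" + host
    return urlunsplit(("https", f"{host}:{HEC_PORT}", HEC_PATH, "", ""))


def basic_auth_header(username: str, token: str) -> str:
    """Dome9 is configured with Authentication Type 'Basic': any username,
    HEC token as the password. This is the resulting Authorization header."""
    raw = f"{username}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_test_event(source: str = "dome9-connection-test") -> dict:
    """Minimal HEC event body (constructed); 'event' carries the JSON payload."""
    return {
        "sourcetype": "_json",
        "source": source,
        "event": {"message": "Dome9 -> Splunk HEC connectivity test",
                  "severity": "info"},
    }


def build_request(splunk_url: str, username: str, token: str,
                  event: dict) -> urllib.request.Request:
    """POST the event as JSON with the Basic Authorization header."""
    body = json.dumps(event).encode("utf-8")
    return urllib.request.Request(
        hec_url_from_splunk_url(splunk_url),
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(username, token),
            "Content-Type": "application/json",
        },
    )


def send_test_event(splunk_url: str, username: str, token: str,
                    timeout: float = 10.0) -> dict:
    """Send the test event. ssl.create_default_context() verifies the server
    certificate against the system trust store, so a self-signed HEC
    certificate fails here, matching the note that the endpoint cannot use
    self-signed certificates. Returns Splunk's JSON reply (e.g. {"text":"Success","code":0})."""
    req = build_request(splunk_url, username, token, build_test_event())
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder instance URL from the note; set SPLUNK_URL and HEC_TOKEN in the
    # environment to actually send a test event to your own instance.
    url = os.environ.get("SPLUNK_URL", "https://prd-p-s77q769mwtsd.cloud.splunk.com")
    print("HEC endpoint:", hec_url_from_splunk_url(url))
    token = os.environ.get("HEC_TOKEN")
    if token:
        print(send_test_event(url, "dome9", token))
```

Run it with SPLUNK_URL and HEC_TOKEN set to see the collector's reply; without them it only prints the derived endpoint URL. A certificate verification error at this step is the same condition the self-signed certificate note refers to, and a 401/403 reply means the token or the index assignment from the first section needs checking.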
Configure Dome9 Compliance Policies to use the Notification Policy
In order to send findings to Splunk using the integration described above, the Dome9 Notification Policy must be associated with a Continuous Compliance Policy. Follow the steps below to do this. Once this is done, findings discovered by this compliance policy will be sent to Splunk as soon as they are discovered (findings already sent from an earlier Dome9 policy assessment will not be sent again).
- In the Dome9 Web Application, navigate to Policies in the Compliance & Governance menu.
- If you already have a continuous compliance policy, and want to send its findings to Splunk, click the edit icon on the right.
- Select the Notification Policy created above, and then click SAVE.
- Alternatively, ADD POLICY to create a new policy. Follow the steps here to create the policy. Select the Notification Policy created above as one of the notifications.
Note: to send previously found findings to Splunk, select the Compliance Policy in the list on the Policies page, and click Send all Alerts on the right.
View findings on Splunk
All new findings for this policy will be sent to Splunk.
- Select Search & Reporting in the main Apps menu.
- Click Data Summary.
- Click on the link for your instance, for a list of Dome9 findings (Count shows the total number of findings).
The list shows each finding as a JSON block.