Splunk Integration

2 min. read. Last update: 06.18.2021

Note: After you finish the integration setup described below, initial configuration must also be completed on the ThreatLocker side. Contact ThreatLocker Support once your setup is done and allow one full working day for us to complete this process.


To set up an integration between ThreatLocker and Splunk, you will first need to set up your HTTP Event Collector in Splunk. If you need assistance with creating your event collector, see Splunk's how-to video here: https://www.youtube.com/watch?v=9awwyjORWO8.  

To set up the integration within ThreatLocker, navigate to the Integrations tab in the ThreatLocker portal.  


Then you will select the 'New Integration' button at the top of the screen.


A window will open with a list of all the integrations ThreatLocker currently supports. Click the 'Setup' button located next to Splunk. 


Then the setup window will open. You will need to input your Splunk Receiver URL and your Splunk Token.


Splunk Enterprise

The syntax for entering your Splunk Receiver URL is:

http://YOUR_IP:8088/services/collector

By default, the HTTP Event Collector listens on port 8088 over HTTP; it can also be configured to use HTTPS. Because the HEC token is sent in the Authorization header of every request, use HTTPS for any collector that is reachable over an untrusted network, otherwise the token can be read by anyone on the path.

Splunk Cloud Platform

The syntax for entering your Splunk Receiver URL is:

https://http-inputs-YOUR_HOST/services/collector

Here YOUR_HOST is the hostname of your Splunk Cloud instance (not an IP address). Splunk Cloud serves HEC over HTTPS, so the URL must use https. Specifying a port number is only needed if you are not using the default port for Splunk Cloud.

Splunk Token Location (Enterprise and Cloud)

To find your Splunk Token, go to Settings > Data Inputs > HTTP Event Collector within Splunk and copy the Token Value of the collector you created. Make sure that token is enabled, and that HEC itself is enabled under 'Global Settings' on the same page; a disabled token or a disabled collector returns an error to ThreatLocker and no events will be logged.

After entering your Receiver URL and Token, click the 'Save' button.
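Before saving, it is worth confirming from a host that can reach the collector that the Receiver URL and token actually work, since a wrong port, scheme or token will only show up later as missing events. The script below is an added example, not ThreatLocker's or Splunk's own tooling: it builds the URL in the form shown above, posts a constructed test event with curl, and checks the standard HEC acknowledgement (`"code":0` means success; `"code":4` is Splunk's "Invalid token" reply). The HEC_HOST, HEC_TOKEN, HEC_SCHEME, HEC_PORT and HEC_INSECURE variables are assumptions for this example, set by the operator.

```shell
#!/bin/sh
# Added example (not ThreatLocker's or Splunk's code): verify a Splunk HEC Receiver URL
# and token before entering them in the ThreatLocker integration.
# Assumptions: curl is installed; the operator sets HEC_HOST and HEC_TOKEN, and optionally
# HEC_SCHEME (default https), HEC_PORT (default 8088) and HEC_INSECURE=1 (self-signed cert).

# hec_url SCHEME HOST [PORT] -> prints the Receiver URL, e.g.
#   hec_url https 10.0.0.5 8088  ->  https://10.0.0.5:8088/services/collector
#   hec_url https http-inputs-example  ->  https://http-inputs-example/services/collector
hec_url() {
  scheme=$1; host=$2; port=$3
  case "$scheme" in
    http|https) ;;
    *) echo "hec_url: scheme must be http or https, got '$scheme'" >&2; return 1 ;;
  esac
  [ -n "$host" ] || { echo "hec_url: host is required" >&2; return 1; }
  if [ -n "$port" ]; then
    printf '%s://%s:%s/services/collector\n' "$scheme" "$host" "$port"
  else
    printf '%s://%s/services/collector\n' "$scheme" "$host"
  fi
}

# hec_ok RESPONSE_JSON -> exit 0 only when Splunk acknowledged the event ("code":0).
# Any other code (e.g. 4 "Invalid token", 2 "Token is required") means the integration
# would silently drop events once saved.
hec_ok() {
  printf '%s' "$1" | grep -q '"code"[[:space:]]*:[[:space:]]*0[^0-9]'
}

# hec_send_test URL TOKEN -> posts one constructed test event and prints the HEC reply.
# HEC authenticates every request with the token in the Authorization header, so the
# token travels in cleartext whenever the URL uses plain http.
hec_send_test() {
  url=$1; token=$2
  curl -sS ${HEC_INSECURE:+-k} \
       -H "Authorization: Splunk $token" \
       -d '{"event":"ThreatLocker HEC connectivity test","sourcetype":"_json"}' \
       "$url"
}

# Usage: only runs when the operator has supplied a host and token.
if [ -n "$HEC_HOST" ] && [ -n "$HEC_TOKEN" ]; then
  url=$(hec_url "${HEC_SCHEME:-https}" "$HEC_HOST" "${HEC_PORT:-8088}") || exit 1
  reply=$(hec_send_test "$url" "$HEC_TOKEN") || exit 1
  echo "HEC reply: $reply"
  if hec_ok "$reply"; then
    echo "OK: enter $url as the Receiver URL in ThreatLocker"
  else
    echo "FAILED: fix the Receiver URL or token before saving the integration" >&2
    exit 1
  fi
fi
```

Run it as `HEC_HOST=10.0.0.5 HEC_TOKEN=<token> sh hec_check.sh`; for Splunk Cloud set `HEC_HOST=http-inputs-YOUR_HOST` and `HEC_PORT=` (empty) so no port is appended. Only set HEC_INSECURE=1 while testing a collector with a self-signed certificate, and replace that certificate before going to production, since ThreatLocker will not be able to skip verification the way curl does here.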

Enabling the Splunk Integration on an Application Policy

You will need to select which application policies you want to enable this Splunk integration on individually.

Navigate to the Application Control > Policies page in the ThreatLocker portal.


Locate the policy or policies that you want to be logged in Splunk. Click the pencil icon (edit button) next to the policy of your choice.

Scroll all the way to the bottom of the policy window, and select 'Yes' in the 'Do you want to record this policy in a Splunk instance when it is matched?' box. Then click the 'Save' button in the top left corner of the policy window to save the change. Only policies with this option set to 'Yes' send events to Splunk; a policy match on any other policy is not logged there.


Be sure to click the 'Deploy Policies' button on the main page to push this policy change out to your endpoints. Until the policies are deployed, endpoints continue to run the previous version and no events for the changed policy will reach Splunk.
