Forwarding Information to Splunk using ThreatLocker Detect

Last update: 04.28.2025

To set up a ThreatLocker Detect policy to forward information to Splunk, you'll first need to set up an HTTP Event Collector within Splunk. If you need assistance creating the event collector, see Splunk's how-to video below: 

Once you have set up an HTTP Event Collector, you can create a ThreatLocker Detect policy (or a Cloud Detect policy) that sends data to Splunk via a REST API call. In the following example, we'll set up a ThreatLocker Detect policy that logs every Deny (Option to Request) action to Splunk.

Within the ThreatLocker Portal, head to the ThreatLocker Detect page. Select the ‘Modules’ dropdown on the left-hand side of the page, then select ‘ThreatLocker Detect’. 


If you are creating a Cloud Detect policy, select 'Microsoft 365' from the 'Modules' dropdown:

Then select the 'Microsoft 365 Detect' tab from the top right corner of the page.

For either option, select the ‘+ New Policy’ button found in the top left corner of the page. 


A side panel will open titled ‘Create Endpoint Detect Policy’. 

Here, enter the basic information of your policy including the name, description, and who the policy will apply to. 


In the ‘Policy Conditions’ section, navigate to the dropdown menu labeled ‘If ALL Conditions Are True’. Select ‘Policy Action’ from this menu. Since we only want to send logs for denies where the user can request access, we will select the ‘Matches’ operator and the ‘Deny (Option to Request)’ value.


Next, navigate to the ‘Policy Actions’ section. From here, use the dropdown menu to select ‘Call Rest API (Client)’. This will allow us to send the data directly from the ThreatLocker Agent to our event collector. 


Note: Sending a large number of logs through REST API calls can increase the ThreatLocker Agent's resource and network usage. Review your policy to ensure it does not create any issues within your environment.

Once you've selected your action, you'll need to fill in the following information: 

Method: This policy will utilize the POST method. 

URL: Here, you will enter the URL of your Splunk HTTP Event Collector. You can locate the URL using the information included below: 

Splunk Enterprise 

The syntax for entering your Splunk Receiver URL is: 

By default, the port is 8088 and the collector uses HTTP. It can also be configured to use HTTPS.

Splunk Cloud Platform

The syntax for entering your Splunk Receiver URL is: 

Note: Specifying a port number is only needed if you are not using the default port for Splunk Cloud.


Content Type: You can modify the content type of your API call. This is left to its default value in this example. 

Headers: You will need to enter your event collector's authorization token here. For Splunk, you'll need to include the following header: Authorization: Splunk <token>. Replace <token> with the authorization token of your HTTP Event Collector. 

Body: This is where you modify the body to include any information you want to log to Splunk. You can use {"event":"", "sourcetype": ""} in the body, where event contains all the data you'd like to send to Splunk and sourcetype is a sourcetype you define yourself. In the example below, we're sending all the available information from the Unified Audit, using variables that are substituted into the body during processing.
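To check that your collector and token accept the body shape described above before deploying the policy, the following Python script reproduces the same POST the agent's ‘Call Rest API (Client)’ action makes. This is an added example, not ThreatLocker's or Splunk's own code; it assumes the standard HEC endpoint path `/services/collector/event`, a constructed host and token, a sourcetype name of our choosing, and hypothetical Unified Audit field names.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Constructed sample of the values a Detect policy would substitute into the
# body for a Deny (Option to Request) event. Field names are hypothetical.
SAMPLE_EVENT = {
    "hostname": "WS-0421",
    "username": "CORP\\jdoe",
    "policy_action": "Deny (Option to Request)",
    "full_path": "C:\\Users\\jdoe\\Downloads\\installer.exe",
    "time": "2025-04-28T14:03:11Z",
}


def build_hec_request(collector_url, token, event, sourcetype="threatlocker:detect"):
    """Return (url, headers, payload) for one event in the {"event", "sourcetype"} shape.

    The Authorization header carries the collector token, which is a secret:
    refuse to build a request that would send it over plain HTTP.
    """
    if urlsplit(collector_url).scheme != "https":
        raise ValueError("HEC URL must use https so the token is not sent in clear text")
    headers = {
        "Authorization": f"Splunk {token}",   # exact header the article asks for
        "Content-Type": "application/json",
    }
    payload = {"event": event, "sourcetype": sourcetype}
    return collector_url, headers, payload


def send_event(collector_url, token, event, sourcetype="threatlocker:detect"):
    """POST one event and return Splunk's parsed JSON reply."""
    url, headers, payload = build_hec_request(collector_url, token, event, sourcetype)
    req = Request(url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def hec_accepted(reply):
    """HEC reports success as code 0 (e.g. {"text": "Success", "code": 0});
    any other code means the event was rejected and should be investigated."""
    return reply.get("code") == 0


if __name__ == "__main__":
    # Constructed host and token: replace with your collector URL and HEC token.
    url = "https://splunk.example.internal:8088/services/collector/event"
    print(hec_accepted(send_event(url, "00000000-REPLACE-ME", SAMPLE_EVENT)))
```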


Lastly, review the policy expiration setting and save the policy. The policy will be added to your organization and will be viewable on the ThreatLocker Detect Policies page. Select ‘Deploy Policies’ to deploy these new settings to your organization. 

Once this ThreatLocker Detect policy is matched, the body is sent to the HTTP Event Collector and stored in Splunk.
