To set up a ThreatLocker Detect policy to forward information to Splunk, you'll first need to set up an HTTP Event Collector within Splunk. If you need assistance creating the event collector, see Splunk's how-to video below:
Once you set up an HTTP Event Collector, you can create a ThreatLocker Detect policy to send data via a REST API call to Splunk. In the following example, we'll set up a ThreatLocker Detect policy to log any Deny (Option to Request) into Splunk.
Within the ThreatLocker Portal, head to the ThreatLocker Detect page under Modules and click on '+ New Policy'.
Customize the name, icon, and description of the policy, as well as where you would like the policy to be applied.
Under policy conditions, select 'Policy Action'. Since we want to send logs for any deny but only if the user can request access, we'll select the Matches operator and 'Deny (Option to Request)' value.
Under the Policy Actions section, we'll select Call Rest API (Client). This will allow us to send the data directly from the ThreatLocker Agent to our event collector.
Note: Sending a large volume of logs through a REST API call increases the resource and network usage of the ThreatLocker Agent. Because the call is made from the agent, every endpoint the policy applies to must be able to reach the collector, and the collector's token travels with the policy to those endpoints. Review the policy's scope and conditions to ensure it does not create issues within your environment.
Once you've selected your action, you'll need to fill in the following information:
- Method: This policy will utilize the POST method.
- URL: Here, you will enter the URL of your Splunk HTTP Event Collector. You can locate the URL using the information included below:
Splunk Enterprise
The syntax for entering your Splunk Receiver URL is:
https://YOUR_IP:8088/services/collector
By default, the HTTP Event Collector in Splunk Enterprise listens on port 8088 with SSL enabled, so the URL normally starts with https://. Use http:// only if SSL was deliberately disabled in the HEC global settings; this is not recommended, because the Authorization header carries the collector token in clear text on the wire.
Splunk Cloud Platform
The syntax for entering your Splunk Receiver URL is:
https://http-inputs-YOUR_STACK.splunkcloud.com/services/collector
where YOUR_STACK is your Splunk Cloud instance name. Specifying a port number is only needed if you are not using the default port (443) for Splunk Cloud.
- Content type: You can modify the content type of your API call. This is left to its default value in this example.
- Headers: Enter your event collector's authorization token here. For Splunk, you'll need to include the following header:
Authorization: Splunk <token>
Replace <token> with the authorization token of your HTTP Event Collector. Treat this value as a credential: anyone holding it can write events into your index. Use a token created specifically for this policy so it can be revoked or rotated without affecting other inputs.
- Body: This is where you define the information you want to log into Splunk. You can use
{"event":"", "sourcetype": ""}
in the body, where event contains all the data you'd like to send to Splunk and sourcetype is your own defined sourcetype (for example, threatlocker:detect). HEC accepts event either as a string or as a JSON object; an object keeps each audit field individually searchable in Splunk. If you insert values such as Windows file paths into the body, confirm that the resulting text is still valid JSON (backslashes and quotes need escaping), otherwise the collector rejects the event with code 6, "Invalid data format". In the example below, we send all the available information from the Unified Audit, using variables to insert the values into the body when the policy is processed.
Lastly, review the policy expiration setting and save the policy. The policy will be added to your organization and will be viewable on the ThreatLocker Detect page. Don't forget to click 'Deploy Policies'.
Once this ThreatLocker Detect policy is matched, the body is sent to the HTTP Event Collector and stored in Splunk.
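The script below is an added example for this article, not ThreatLocker's or Splunk's own code. It builds the same request the policy's Call Rest API action sends (POST to /services/collector with an Authorization: Splunk <token> header and an event/sourcetype body), optionally sends it so you can verify the collector accepts events before deploying the policy, and checks the collector's JSON reply, since HEC can answer HTTP 200 for a request that was still not indexed. The field names in SAMPLE_AUDIT are constructed placeholders, not ThreatLocker's Unified Audit variable names, and the hostnames and token come from environment variables you supply.

```python
"""Build, optionally send, and validate a Splunk HEC event shaped like the body a
ThreatLocker Detect 'Call Rest API (Client)' action posts.

Added example for this article (not ThreatLocker or Splunk code). Assumptions:
the collector is reachable over HTTPS with a valid certificate, and the field
names in SAMPLE_AUDIT are placeholders, not ThreatLocker variable names.
"""
import json
import os
import urllib.error
import urllib.request

HEC_PATH = "/services/collector"


def hec_url(host, port=8088, use_https=True):
    """Splunk Enterprise collector URL; HEC listens on 8088 with SSL by default."""
    scheme = "https" if use_https else "http"
    return f"{scheme}://{host}:{port}{HEC_PATH}"


def splunk_cloud_url(stack):
    """Splunk Cloud Platform exposes HEC on https://http-inputs-<stack>.splunkcloud.com."""
    return f"https://http-inputs-{stack}.splunkcloud.com{HEC_PATH}"


def hec_headers(token):
    """The token is a bearer secret; the header value is 'Splunk <token>'."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def hec_body(event, sourcetype):
    """HEC accepts 'event' as a string or a JSON object. json.dumps escapes
    backslashes and quotes, which is what a hand-built policy body must also do."""
    return json.dumps({"event": event, "sourcetype": sourcetype})


def check_hec_response(status, payload):
    """Success is HTTP 200 with {"text":"Success","code":0}. Any other code
    (e.g. 4 'Invalid token', 6 'Invalid data format') means nothing was indexed."""
    try:
        data = json.loads(payload)
    except json.JSONDecodeError:
        return False, f"non-JSON response (HTTP {status})"
    if status == 200 and data.get("code") == 0:
        return True, "Success"
    return False, f"HTTP {status}: {data.get('text', 'unknown error')}"


def send_event(url, token, event, sourcetype, timeout=10):
    """POST one event to the collector and return (ok, message). stdlib only."""
    req = urllib.request.Request(
        url,
        data=hec_body(event, sourcetype).encode(),
        headers=hec_headers(token),
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return check_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        # HEC returns its JSON error body on 4xx/5xx; surface it instead of raising.
        return check_hec_response(e.code, e.read().decode())


# Constructed sample of the kind of fields a deny event carries (placeholder names).
SAMPLE_AUDIT = {
    "action": "Deny (Option to Request)",
    "hostname": "WKSTN-01",
    "username": "CORP\\jdoe",
    "path": "C:\\Users\\jdoe\\Downloads\\setup.exe",
}

if __name__ == "__main__":
    token = os.environ.get("HEC_TOKEN")  # assumption: supplied by the operator
    if token:
        url = hec_url(os.environ.get("HEC_HOST", "127.0.0.1"))
        print(send_event(url, token, SAMPLE_AUDIT, "threatlocker:detect"))
    else:
        # Offline: show the body the policy must produce, with escaping applied.
        print(hec_body(SAMPLE_AUDIT, "threatlocker:detect"))
```

Run it with HEC_HOST and HEC_TOKEN set to post a test event and confirm the reply is code 0 before relying on the policy; without a token it only prints the escaped body, which is a useful reference for how backslashes in paths must appear in the policy's body field.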