Forwarding Information to Splunk using ThreatLocker Ops

3 min. read | last update: 03.25.2024

To set up a ThreatLocker Ops policy that forwards information to Splunk, you first need an HTTP Event Collector (HEC) in Splunk, since that is the endpoint the policy will POST to. If you need assistance creating the event collector, refer to Splunk's own how-to video on setting up an HTTP Event Collector.

Once the HTTP Event Collector exists, you can create a ThreatLocker Ops policy that sends data to it via a REST API call. In the following example, we'll set up a ThreatLocker Ops policy that logs every Deny (Option to Request) event into Splunk.

Within the ThreatLocker Portal, head to the ThreatLocker Ops page under Modules and click on '+ New Policy'.

Customize the name, icon, and description of the policy, as well as where you would like the policy to be applied.

Under policy conditions, select 'Policy Action'. Since we want to send logs for denies, but only where the user is offered the option to request access, select the Matches operator and the 'Deny (Option to Request)' value.

Under the Policy Actions section, select Call Rest API (Client). This sends the data directly from the ThreatLocker Agent on the endpoint to your event collector, rather than from the ThreatLocker cloud.

Note: Sending a large volume of logs through a REST API call increases the resource and network usage of the ThreatLocker Agent, and every matching endpoint needs a network path to the collector. Review the policy's conditions and scope to ensure it does not create issues within your environment.

Once you've selected your action, you'll need to fill in the following information:

  • Method: This policy will utilize the POST method.
  • URL: Here, you will enter the URL of your Splunk HTTP Event Collector. You can locate the URL using the information included below:

Splunk Enterprise

The syntax for entering your Splunk Receiver URL is:

https://YOUR_IP:8088/services/collector

By default, HEC listens on port 8088 with SSL enabled, so the URL uses https. SSL can be disabled in the HEC global settings, in which case the URL would start with http://, but the Authorization header (and therefore your HEC token) would then cross the network in clear text, so keep SSL enabled wherever possible.

Splunk Cloud Platform

The syntax for entering your Splunk Receiver URL is:

https://http-inputs-YOUR_HOST.splunkcloud.com/services/collector

Here YOUR_HOST is the hostname of your Splunk Cloud Platform instance (the part of the web address before .splunkcloud.com); the HEC endpoint is always the http-inputs- prefix of that name. Splunk Cloud Platform only accepts HTTPS. Specifying a port number is only needed if you are not using the default port (443) for Splunk Cloud.

  • Content type: You can modify the content type of your API call. This is left at its default value in this example.
  • Headers: Enter your event collector's authorization token here. For Splunk, include the following header: Authorization: Splunk <token>. Replace <token> with the authorization token of your HTTP Event Collector. Treat this token as a credential: anyone holding it can write events into the index it is allowed to use, so create a dedicated token for this policy rather than reusing one shared with other integrations.
  • Body: This is the JSON document the collector receives, and it is where you decide what to log into Splunk. Use {"event":"", "sourcetype": ""} as the skeleton: event carries all the data you want to send to Splunk (either a plain string or a nested JSON object, the latter giving you field-by-field searching) and sourcetype is your own defined sourcetype. Because ThreatLocker substitutes variable values into the body as text, any value that can contain a double quote or backslash (a Windows file path, a command line) must be escaped for JSON, otherwise the collector will reject the whole event as invalid data. In this example, the body sends all available information from the Unified Audit, using variables to insert the values during processing.
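The following script, an added example that is not ThreatLocker or Splunk code, builds the same kind of HEC payload the policy body produces and shows the escaping problem described above. The sample audit record, the {{name}} placeholder syntax used to stand in for ThreatLocker's variables, and the sourcetype "threatlocker:ops" are assumptions made for illustration; the HEC endpoint, the Authorization header format and Splunk's {"text": "Success", "code": 0} reply are Splunk's documented behaviour.

```python
"""Build a Splunk HEC payload the way a ThreatLocker Ops "Call Rest API"
body does, and show why inserted audit values must be JSON-escaped.

Added example, not ThreatLocker or Splunk code. The sample record, the
{{name}} placeholder syntax and the sourcetype are illustrative assumptions.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Constructed Unified Audit-style record; not captured from a real tenant.
SAMPLE_AUDIT = {
    "hostname": "WS-0042",
    "username": "CORP\\jdoe",
    "action": "Deny (Option to Request)",
    "path": 'C:\\Users\\jdoe\\Downloads\\tool "beta".exe',
    "sha256": "0" * 64,  # placeholder value, not a real file hash
}

# A policy body of the kind the article describes: fixed JSON with variables
# pasted in during processing. {{name}} is assumed placeholder syntax.
NAIVE_TEMPLATE = (
    '{"event": {"host": "{{hostname}}", "user": "{{username}}", '
    '"action": "{{action}}", "path": "{{path}}"}, '
    '"sourcetype": "threatlocker:ops"}'
)


def naive_body(template, fields):
    """Plain text substitution: raw values are pasted straight into the JSON."""
    body = template
    for name, value in fields.items():
        body = body.replace("{{" + name + "}}", str(value))
    return body


def is_valid_json(text):
    """True if Splunk's collector could parse this body as JSON."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def hec_body(fields, sourcetype="threatlocker:ops"):
    """Serialize the whole record as the HEC "event" object. json.dumps
    escapes backslashes and quotes, so a Windows path cannot break the body."""
    payload = {
        "event": fields,                      # nested JSON: searchable per field
        "sourcetype": sourcetype,
        "host": fields.get("hostname", ""),   # HEC metadata field
    }
    return json.dumps(payload)


def hec_url_problem(url):
    """Return a reason the collector URL is unsafe or wrong, or None if OK.
    Plain http would send the HEC token (Authorization header) in clear text."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return "HEC token would be sent in clear text; use https://"
    if not parts.path.startswith("/services/collector"):
        return "not a HEC endpoint: " + parts.path
    return None


def send_event(url, token, body, timeout=5.0):
    """POST one event with the Authorization: Splunk <token> header and return
    Splunk's JSON reply ({"text": "Success", "code": 0} when accepted).
    Needs a reachable collector, so it is not exercised offline."""
    problem = hec_url_problem(url)
    if problem:
        raise ValueError(problem)
    req = urllib.request.Request(
        url,
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print("naive body is valid JSON:", is_valid_json(naive_body(NAIVE_TEMPLATE, SAMPLE_AUDIT)))
    print("escaped body is valid JSON:", is_valid_json(hec_body(SAMPLE_AUDIT)))
    print(hec_body(SAMPLE_AUDIT))
```

Running it shows that the naively substituted body is rejected as JSON (the quotes and backslashes in the path terminate the string early), while the serialized body round-trips. The same test is worth running against your own policy body: paste a real Unified Audit path into it and confirm the result still parses before deploying the policy fleet-wide.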

Lastly, review the policy expiration setting and save the policy. The policy is added to your organization and appears on the ThreatLocker Ops page, but it does not take effect on endpoints until you click 'Deploy Policies'.

Once this ThreatLocker Ops policy is matched, the agent sends the body to the HTTP Event Collector and the event is stored in Splunk under the sourcetype you specified.
