InsightCloudSec Docs

Welcome to the InsightCloudSec Docs!

InsightCloudSec by Rapid7 (formerly DivvyCloud) is a Cloud-Native Security Platform that provides real-time analysis and automated remediation for continuous security and compliance for your multi-cloud environment.

For questions reach out to us through [email protected].

Take Me to the Docs!    Release Notes

Splunk Integration

Overview

The Splunk integration provides DivvyCloud the ability to send notification messages to your Splunk indexes, and is compatible with all DivvyCloud resources. As an example, you can send high priority security alerts when noncompliant Security Group rules are provisioned, such as SSH open to the world.

📘

Integration Overview

For general information about Integrations (editing and deleting) refer to the Integrations Overview page.

Prerequisites

  • A functioning DivvyCloud installation with an admin role
  • The appropriate permissions to access the Splunk instance details

For any questions or concerns, reach out to [email protected].

Configure DivvyCloud to Use Splunk

Get Your Splunk Details

To get Access Points for your Splunk instance, refer to the following steps:

1. Access your Splunk instance.

2. Note the name of the instance.

  • In the example below, the instance name is 'splunk.divvycloud.net'.
  • You will also need the username and password for that instance.

2-b. Alternatively DivvyCloud also supports connecting to Splunk through an HTTP Event Collector via a token.

  • Details on this method are outlined in Splunk's documentation here.
  • For this connection method you will need to create/save your HEC Token and HEC URL.
Getting Your Splunk Instance NameGetting Your Splunk Instance Name

Getting Your Splunk Instance Name

Configure the DivvyCloud Splunk Integration

1. Launch DivvyCloud and navigate to Administration --> Integrations.
2. Locate Splunk and select "Edit".

Splunk Integration AccessSplunk Integration Access

Splunk Integration Access

3. Enter the Splunk Integration details based on your preferred connection method.

For connection via instance/username/password provide the following:

  • The instance URL (you obtained above)
  • Instance username
  • Instance password
  • Your port - the port specification refers to the management port of your Splunk instance. (The default value set in Splunk is 8089.)
  • Timeout(seconds) - DivvyCloud populates this by default. This value can be modified to resolve timeout issues.
  • HTTPS Scheme - this option refers to the protocol used to communicate with your Splunk instance. HTTPS/SSL is enabled by default in Splunk, but verify this is the case with your own Splunk instance.
  • Send Product API Activity - this option enables DivvyCloud to send API activity to your Splunk instance, e.g., Compliance Report generation, custom Insight creation, etc.

For connection via HTTP Event Collector (HEC), you are only required to provide

  • the HEC Token
  • the HEC URL
Splunk Integration FormSplunk Integration Form

Splunk Integration Form

4. Click to "Save" your configuration. You should receive a message (in green), confirming you have successfully saved the settings.

  • Once your setup is complete, check out our documentation on Jinja2 templating to improve your messaging.

Example Bot Creation Using Splunk

After successfully setting up Splunk, you can configure the Splunk action within your DivvyCloud Bot configurations. In the example shown below, you can specify the Splunk index where you’d like the events to go, as well as the message sent for each event.

If the index of your choosing isn’t on the server, one will be created for you and all the events will go to that index. For more information on creating an index for Splunk, click here.

Creating a DivvyCloud Bot with SplunkCreating a DivvyCloud Bot with Splunk

Creating a DivvyCloud Bot with Splunk

Once you’ve run your Bot with the Splunk action, go to your Splunk Instance window and view your indexes.

You should now see all of the noncompliant resources that DivvyCloud identified logged as events in the Splunk index.

Splunk Index resultsSplunk Index results

Splunk Index results

Updated 2 months ago

Splunk Integration


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.