How to set up an integration with Splunk

Using this integration, you can easily send Detectify data such as findings of various severity into your Splunk dashboard in your preferred format. The notification formats available depend on which price plan you are on. Here's how to set up the Splunk integration:

 

1. Log in to your Splunk account and go to Settings > Data input

 

2. Set up a new HTTP Event Collector. For more information, see the documentation. Do not enable indexer acknowledgement.

3. In your Event Collector list, copy the Token Value of the new collector.


Make sure that all tokens are enabled (under Global Settings).


4. In Detectify, navigate to Integrations

Choose Apps -> Splunk -> Create Feed




5. Type in your Splunk details.

For Splunk Enterprise the endpoint format is: <protocol>://<host>:<port>/services/collector

Example: https://mysplunkserver.example.com:8088/services/collector

For more information, see the documentation


For Splunk Cloud the endpoint format is: https://input-<host>.cloud.splunk.com:8088/services/collector

Example: https://input-prd-p-xq2bzd1q1wq6.cloud.splunk.com:8088/services/collector  

For more information, see the documentation


Type in your Authorisation Token, which is the Token Value you copied in step 3 above.




6. Select notification format

Select the format in which you would like to send the Detectify data.

 

  • Splunk vulnerability - Formatted according to the Vulnerabilities data model of the Splunk Common Information Model (CIM). For more information, see the documentation
    {
      "category": "{OWASP classification string conversion}",
      "cvss": "{CVSS score}",
      "dest": "{endpoint/hostname of scanprofile}",
      "dvc": "scanner",
      "severity": "{finding severity}",
      "signature": "{finding title}",
      "url": "{finding URL}",
      "vendor_product": "detectify",
      "xref": "{finding details url}"
    }
  • Detectify finding summary - Contains summarized information on the finding, such as title, CVSS score, tags and location.
    {
      "uuid": "{finding UUID}",
      "signature": "{finding signature}",
      "url": "{finding URL}",
      "title": "{finding title}",
      "found_at": "{found at URL}",
      "score": [
        {
          "version": "{CVSS version}",
          "score": "{CVSS score}",
          "vector": "{CVSS vector}"
        },
        ...
      ],
      "tags": [
        {
          "type": "{tag type}",
          "value": "{tag value}"
        },
        ...
      ]
    }
  • Detectify finding details - Contains complete information on the finding including description, OWASP category, request/response payload and vulnerable resources.
    {
      "uuid": "{finding UUID}",
      "report_token": "{report token}",
      "scan_profile_token": "{scan profile token}",
      "url": "{finding URL}",
      "title": "{finding title}",
      "definition": {
        "uuid": "{definition UUID}",
        "description": "{description}",
        "risk": "{risk}",
        "references": [
          {
            "uuid": "{reference UUID}",
            "link": "{reference URL}",
            "name": "{reference name}",
            "source": "{reference source name}",
            "group": "{reference group}"
          },
          ...
        ]
      },
      "signature": "{finding signature}",
      "found_at": "{found at URL}",
      "timestamp": "{found at time}",
      "score": [
        {
          "version": "{CVSS version}",
          "score": "{CVSS score}",
          "vector": "{CVSS vector}"
        },
        ...
      ],
      "owasp": [
        {
          "year": "{OWASP classification year}",
          "classification": "{OWASP classification}"
        },
        ...
      ],
      "cwe": "{CWE ID}",
      "details": [
        {
          "uuid": "{detail UUID}",
          "type": "{detail type}",
          "name": "{detail name}",
          "value": "{detail value}"
        },
        ...
      ],
      "tags": [
        {
          "type": "{tag type}",
          "value": "{tag value}"
        },
        ...
      ],
      "target": "{target description depending on target type}",
      "vulnerable_resources": {
        "vulnerable_headers": [
          {
            "uuid": "{header UUID}",
            "name": "{header name}",
            "direction": "{header direction}"
          },
          ...
        ],
        "expected_headers": [
          {
            "uuid": "{header UUID}",
            "name": "{header name}",
            "direction": "{header direction}",
            "value": "{expected value}"
          },
          ...
        ],
        "vulnerable_variables": [
          {
            "uuid": "{variable UUID}",
            "name": "{variable name}",
            "method": "{HTTP method}"
          },
          ...
        ],
        "vulnerable_cookies": [
          {
            "uuid": "{cookie UUID}",
            "name": "{cookie name}"
          },
          ...
        ]
      },
      "command_lines": [
        {
          "uuid": "{command line UUID}",
          "unix": "{UNIX command line}",
          "windows": "{Windows command line}"
        },
        ...
      ],
      "highlights": [
        {
          "uuid": "{highlighted node UUID}",
          "field": "{highlighted field name}",
          "offset": "{highlight offset}",
          "length": "{highlight length}"
        },
        ...
      ]
    }

7. Select assets and notification types

If you choose "Select all", all your future assets will automatically be included in your Splunk feed.


You can now select the events you would like Detectify to send to your Splunk dashboard as notifications. Events include vulnerabilities in 3 severity categories as well as information findings. You can also choose to receive notifications with new findings only.



Once you are happy with the configuration, confirm by clicking Save feed. You are now good to go!
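Before saving the feed, it is worth confirming that the endpoint and token from steps 3 and 5 actually reach your collector. The following is an added example (not Detectify's or Splunk's own code) that checks a URL against the two endpoint formats above, refuses plain http so the token is never sent in clear text, and builds the HEC request with the "Authorization: Splunk <token>" header that HEC expects; the sourcetype name, the sample event values and the helper names are assumptions.

```python
import json
import re
import urllib.request

# Endpoint shapes from the article: Enterprise is <protocol>://<host>:<port>/services/collector,
# Splunk Cloud is https://input-<host>.cloud.splunk.com:8088/services/collector
ENTERPRISE_RE = re.compile(r"^(https?)://([^/:]+):(\d+)/services/collector$")
CLOUD_RE = re.compile(r"^https://input-[a-z0-9-]+\.cloud\.splunk\.com:8088/services/collector$")


def classify_endpoint(url: str) -> str:
    """Return 'cloud' or 'enterprise' for a well-formed HEC URL, otherwise raise ValueError."""
    if CLOUD_RE.match(url):
        return "cloud"
    m = ENTERPRISE_RE.match(url)
    if not m:
        raise ValueError(f"not a HEC collector URL: {url}")
    if m.group(1) != "https":
        # The token rides in a header on every event, so plain http would expose it in transit.
        raise ValueError("use https for the HEC endpoint so the token is not sent in clear text")
    return "enterprise"


def build_hec_request(url: str, token: str, event: dict, sourcetype: str = "detectify") -> tuple:
    """Wrap one finding in the HEC envelope ({"event": ...}) and add the Splunk token header."""
    classify_endpoint(url)  # fail early on a malformed or insecure endpoint
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = json.dumps({"sourcetype": sourcetype, "event": event}).encode()
    return url, headers, body


def send_test_event(url: str, token: str, event: dict) -> dict:
    """POST one event to HEC and return its JSON reply.

    With indexer acknowledgement disabled (as step 2 requires) a working endpoint
    and token answer with {"text": "Success", "code": 0}; a 403 means a bad token.
    """
    u, headers, body = build_hec_request(url, token, event)
    req = urllib.request.Request(u, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


# Constructed sample event in the "Splunk vulnerability" (CIM) shape listed in step 6
SAMPLE_EVENT = {
    "category": "Security Misconfiguration", "cvss": "5.3", "dest": "www.example.com",
    "dvc": "scanner", "severity": "medium", "signature": "Missing security header",
    "url": "https://www.example.com/", "vendor_product": "detectify",
    "xref": "https://detectify.example/finding/placeholder",
}
```

Run send_test_event(endpoint, token, SAMPLE_EVENT) from a host that can reach the collector; a Success reply confirms the same values can be entered in the feed.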


Need help?


If you’re experiencing problems with our Splunk integration, send an email with your details and a description of the issue to support@detectify.com and we will do our best to help.