Through this integration, security incidents captured by the BETTER MTD platform are forwarded to your Splunk instance for real-time visualization, security review, and proactive remediation.
BETTER MTD console: 3.x and newer
Splunk: 6.3.0 and newer
The Splunk management port (default 8089) must be reachable from the BETTER MTD cloud platform. Where a firewall sits in front of the Splunk instance, allow inbound TCP on that port only from the BETTER MTD platform's source addresses rather than exposing the management port broadly.
In this step, you will create a dedicated user on your Splunk instance with the appropriate privileges; the BETTER MTD platform will later use this user to connect to Splunk. You will also enable API access to your Splunk instance.
Log into your Splunk console.
Go to Settings > Access controls > Roles and create a new role.
Ensure that the role has the
Go to Settings > Access controls > Users and create a new user. Assign the role created previously to this new user, and use this user only for the integration (do not reuse an administrator account).
Go to Settings > Server settings > General settings, enable API access, and assign a management port (the default is 8089).
In this step, you will configure your MTD tenant to communicate with your Splunk instance using the parameters configured in the previous section.
Log into your BETTER MTD admin console.
Go to Integration > Others and click the Add Account button.
Select Splunk from the Integration selector.
Submit your Splunk parameters in the following screen:
Name: a label that identifies this Splunk instance in the MTD console.
API Address: the hostname or IP address of your Splunk instance's management API.
Port: the management port configured in the previous section (default 8089).
Username and Password: the credentials of the integration user created in the previous section.
Source type: the string that identifies the MTD feed in Splunk (the default, threat_logs, is the source type the sample dashboard searches on; if you change it here, adjust the dashboard searches to match).
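Before pointing the MTD console at Splunk, it is worth confirming from outside that the Splunk-side setup above works with exactly these parameters: that the management port answers over HTTPS, that the integration user can log in, and that an event with the chosen source type is accepted. The script below is an added example, not BETTER MTD's or Splunk's own code. It assumes the feed is delivered through the splunkd REST API on the management port and uses the standard `/services/auth/login` and `/services/receivers/simple` endpoints; the host name, user name, index name and event fields are made up for illustration.

```python
"""Validate the Splunk side of the BETTER MTD integration (added example).

Assumption: the MTD feed reaches Splunk through the splunkd REST API on the
management port, so the check uses two standard splunkd endpoints:
  POST /services/auth/login        -> returns a session key
  POST /services/receivers/simple  -> indexes one raw event with a given sourcetype
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional, Tuple

DEFAULT_MGMT_PORT = 8089            # Splunk management port default
DEFAULT_SOURCE_TYPE = "threat_logs"  # default source type used by the sample dashboard

# Constructed test event; the field names are hypothetical, not the MTD feed format.
SAMPLE_EVENT = {
    "event_type": "integration_test",
    "severity": "info",
    "message": "BETTER MTD -> Splunk connectivity check",
}


def login_request(api_address: str, port: int, username: str, password: str) -> Tuple[str, bytes]:
    """Build the URL and form body for a splunkd session login."""
    url = f"https://{api_address}:{port}/services/auth/login?output_mode=json"
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    return url, body


def parse_session_key(login_response: bytes) -> str:
    """Extract sessionKey from the JSON login response; raise if login failed."""
    data = json.loads(login_response)
    key = data.get("sessionKey")
    if not key:
        raise PermissionError(f"splunkd login did not return a session key: {data}")
    return key


def event_request(api_address: str, port: int, source_type: str,
                  event: dict, index: Optional[str] = None) -> Tuple[str, bytes]:
    """Build the receivers/simple URL (sourcetype as a query parameter) and the raw event body."""
    params = {"sourcetype": source_type}
    if index:
        params["index"] = index
    url = f"https://{api_address}:{port}/services/receivers/simple?" + urllib.parse.urlencode(params)
    return url, json.dumps(event).encode()


def tls_context(verify: bool = True) -> ssl.SSLContext:
    """TLS settings for the management port. splunkd ships a self-signed certificate
    on 8089, so verification fails until you install a trusted one; relax it only for a lab check."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validate_integration(api_address: str, port: int, username: str, password: str,
                         source_type: str = DEFAULT_SOURCE_TYPE, index: Optional[str] = None,
                         verify_tls: bool = True) -> int:
    """Log in as the integration user and index one test event; return the HTTP status of the send."""
    ctx = tls_context(verify_tls)
    url, body = login_request(api_address, port, username, password)
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST"), context=ctx) as resp:
        session_key = parse_session_key(resp.read())
    url, body = event_request(api_address, port, source_type, SAMPLE_EVENT, index)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    import sys
    # usage: python check_splunk.py <api_address> <username> <password>
    host, user, pw = sys.argv[1:4]
    print(validate_integration(host, DEFAULT_MGMT_PORT, user, pw, verify_tls=False))
```

A 200 from the second request means the user, port and source type line up; you should then find the test event with `sourcetype=threat_logs` in Splunk. A failure at the login step points at the user or role from the first section, a connection error at the port or firewall rule.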
We have provided a sample Splunk dashboard to validate your BETTER MTD integration and to give you a starting point for visualizing your mobile threat defense incident feed. The dashboard's searches use the threat_logs source type, so it only shows data once events with that source type have been indexed.
Download the sample.
In Splunk, go to Apps > Manage Apps.
Choose Install app from file and select the downloaded archive on the upload screen.
The new dashboard now appears in the side navigation.