This document provides a step-by-step description of the actions required to integrate your Splunk instance with your BETTER MTD console.
Through this integration, security incidents captured by the BETTER MTD platform can be forwarded into Splunk for real-time visualization, security review, and proactive remediation.
- BETTER MTD console: 3.x and newer
- Splunk: 6.3.0 and newer
The network communication channels must be open between the BETTER MTD cloud platform and the Splunk instance being integrated.
In this step, you will create a user on your Splunk instance with the appropriate privileges that will later be used to connect with the BETTER MTD platform. You will also enable API access to your Splunk instance.
- 1. Log into your Splunk console.
- 2. Go to Settings > Access controls > Roles and create a new role.
- 3. Ensure that the role has the
- 4. Go to Settings > Access controls > Users and create a new user. Assign the role created previously to this new user.
- 5. Go to Server Settings > General Settings, enable API access, and assign a management port (default is 8089).
- 6. Click on
In this step, you will configure your MTD tenant to communicate with your Splunk instance using the parameters configured in the previous section.
- 1. Log into your BETTER MTD admin console.
- 2. Go to Integration > Others and click on the
- 3. Select Splunk from the Integration selector.
- 4. Submit your Splunk parameters in the following screen:
  - 1. Name: identifies your Splunk instance. E.g.
  - 2. API Address: the IP or URL of your Splunk instance's API.
  - 3. Port: the management port configured in the previous section.
  - 4. Username and Password: the credentials of the user created in the previous section.
  - 5. Source type: a string that identifies the MTD feed in Splunk (default threat_logs is used in the sample dashboard).
- 5. Click on
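Before entering the parameters above into the MTD console, it is worth confirming from the Splunk side that the management port accepts API logins for the new user and that events are arriving under the configured source type. The following pre-flight check is an added example, not part of the original guide or of BETTER MTD or Splunk; it assumes the management port (default 8089) exposes Splunk's standard REST API over HTTPS, that `/services/auth/login` is the login endpoint, and uses constructed placeholder values for the host and user.

```python
"""Pre-flight check for the Splunk side of the BETTER MTD integration (added example)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample parameters, mirroring the fields entered in the MTD console.
SPLUNK_API_ADDRESS = "splunk.example.internal"   # placeholder host, not from the guide
SPLUNK_PORT = 8089                               # management port from the Splunk step
SPLUNK_USER = "mtd-integration"                  # placeholder name for the user created above
SPLUNK_SOURCETYPE = "threat_logs"                # default source type named in the guide

# Constructed sample of Splunk's login response, used to exercise the parser offline.
SAMPLE_LOGIN_RESPONSE = "<response><sessionKey>constructed-key</sessionKey></response>"


def login_url(address: str, port: int) -> str:
    """Build the management-API login URL from the address and port given to MTD."""
    return f"https://{address}:{port}/services/auth/login"


def parse_session_key(xml_body: str) -> str:
    """Extract <sessionKey> from a Splunk login response; raise if it is absent."""
    root = ET.fromstring(xml_body)
    node = root.find("sessionKey")
    if node is None or not node.text:
        raise ValueError("login response contains no sessionKey")
    return node.text


def search_query(sourcetype: str, window: str = "-24h") -> str:
    """SPL that counts events the MTD feed delivered under its source type."""
    return f'search sourcetype="{sourcetype}" earliest={window} | stats count'


def check_login(address: str, port: int, user: str, password: str, ca_file=None) -> str:
    """POST the integration user's credentials to the management port.

    Returns the session key on success; an HTTPError (401) means the user,
    password or role is not usable, a URLError means the port is not reachable.
    Pass ca_file to trust a private CA instead of disabling verification.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    data = urllib.parse.urlencode({"username": user, "password": password}).encode()
    req = urllib.request.Request(login_url(address, port), data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_session_key(resp.read().decode())
```

Run `check_login(SPLUNK_API_ADDRESS, SPLUNK_PORT, SPLUNK_USER, "<password>")` from a host with the same network path MTD will use; once the integration is saved, `search_query(SPLUNK_SOURCETYPE)` is the search to confirm events are landing under the source type the sample dashboard expects.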