Splunk Integration (SIEM)

This document provides instructions on how to integrate Xint’s audit logs with Splunk.

  1. Navigate to Menu: Go to [Settings] -> [SIEM].

  2. Start Integration: Click the [Add Integration] button under the Splunk section to enter the configuration screen.

  3. Enter Information: Provide the HEC details generated in Splunk.

    • HEC URL: Enter the full URL to receive logs (e.g., https://<splunk-host>:8088/services/collector/event).
    • HEC Token: Enter the authentication token issued by Splunk.
    • Index: Enter the name of the Splunk index where logs will be stored.

  4. Test Connection: Click the [Test Connection] button to verify that logs are sent successfully with the provided information.

  5. Complete Integration: Click [Add Integration] to save your settings. Once the configuration is active, audit logs will be forwarded to Splunk in real time.
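
As an added example (not Xint's or Splunk's own code), the following Python shows what the three settings become on the wire: the HEC URL is validated, the token is sent in a `Splunk <token>` Authorization header, the index is set per event, and the HEC reply is interpreted the way the Test Connection step would. The sample audit record, host name and token are constructed placeholders.

```python
# Added illustration of the HEC settings above (HEC URL, token, index); not Xint's own code.
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"  # path the HEC URL must end with

# Constructed sample audit record; the real field names are in the Event Specifications section.
SAMPLE_EVENT = {"timestamp": 1700000000, "action": "user.login", "actor": "alice", "result": "success"}


def build_hec_request(hec_url, token, index, event, sourcetype="xint:audit"):
    """Validate the three settings and return (url, headers, body) for one HEC event."""
    parsed = urlparse(hec_url)
    if parsed.scheme != "https":
        raise ValueError("HEC URL must use https; the token travels in a header")
    if not parsed.hostname or parsed.hostname.startswith("<"):
        raise ValueError("replace <splunk-host> with the real Splunk host name")
    if parsed.path.rstrip("/") != HEC_PATH:
        raise ValueError(f"HEC URL path must be {HEC_PATH}, got {parsed.path!r}")
    if not token.strip() or not index.strip():
        raise ValueError("HEC token and index must not be empty")
    payload = {
        "time": event.get("timestamp", time.time()),  # epoch seconds -> Splunk _time
        "index": index,            # must be an index the token is allowed to write to
        "sourcetype": sourcetype,
        "event": event,            # the audit record, indexed as JSON
    }
    # HEC uses the literal scheme word "Splunk", not "Bearer"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return hec_url, headers, json.dumps(payload).encode()


def hec_accepted(status, body):
    """Success is HTTP 200 with {"code": 0}; 403 (bad token) or 400 (bad index) mean the settings need fixing."""
    try:
        return status == 200 and json.loads(body).get("code") == 0
    except (json.JSONDecodeError, AttributeError):
        return False


def check_connection(hec_url, token, index, event=SAMPLE_EVENT):
    """Post one event and report whether HEC accepted it (needs a reachable Splunk)."""
    url, headers, body = build_hec_request(hec_url, token, index, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, text = resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        status, text = err.code, err.read().decode()
    return hec_accepted(status, text)
```

A rejected `build_hec_request` call points at the setting to correct before you press [Test Connection]; a `False` from `check_connection` means Splunk answered but did not accept the event.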

For the event specifications transmitted to Splunk, please refer to the Audit Log - Event Specifications section.