Splunk Cloud Connection
Org Admins can integrate tripwire alerts with Splunk Cloud using webhook connections. Once configured, NodeZero will send all tripwire alerts to the connection.
Configuring a Webhook
To connect a new vendor to receive tripwire alerts via a webhook:
- Navigate to the Settings page and go to Integrations.
- Click Create Webhook.
- Fill out the configuration details in the modal and save.
Testing a Webhook Configuration
To test a webhook configuration:
- In the Settings page, go to Integrations.
- Click the carrot (dropdown arrow) next to the webhook configuration you want to test.
- Click Test Webhook.
Updating a Webhook Configuration
To update a webhook configuration:
- In the Settings page, go to Integrations.
- Click the carrot next to the webhook configuration you wish to update.
- Click the three dots and select Edit Webhook.
- Make your changes in the modal and save.
Deleting a Webhook Configuration
To delete a webhook configuration:
- In the Settings page, go to Integrations.
- Click the carrot next to the webhook configuration you wish to delete.
- Click the three dots and select Delete Webhook.
- Confirm the deletion from the modal.
Viewing a Sample Payload
Tripwire alerts may vary depending on the type of tripwire. A sample event payload is provided, showing all possible fields with sample values that could be sent.
To view the sample payload:
- In the Settings page, go to Integrations.
- Click the carrot next to the webhook configuration.
- Click the three dots and select View Sample Payload.
Viewing Webhook Events
All webhook events are logged in the Integrations page under the Event Log section. The log includes all events that NodeZero attempted to send and their status.
- SENT indicates the event was successfully delivered.
- FAIL indicates the event failed to send.
Setting up a HTTP Event Collector (HEC) in Splunk Cloud
- Enable HEC:
- In Splunk Web, go to Settings > Data Inputs > HTTP Event Collector.
-
Click Global Settings and toggle All Tokens to Enabled.
-
Create a New HEC Token:
- Click New Token and configure your token (Name, Source Type, Index, etc.).
-
Click Next, then Review, and Submit.
-
Use the HEC Token:
- Use the token you created to configure the webhook as described above.
For more detailed information, refer to Splunk’s official documentation: Splunk HTTP Event Collector Documentation.