Splunk Integration

The Infracast Splunk integration exports findings and discovery events to your Splunk deployment via the HTTP Event Collector (HEC). This enables security teams to correlate Infracast findings with other data sources in Splunk, build custom dashboards, and feed SIEM detection rules.

Prerequisites

  • Splunk Enterprise 8.x+ or Splunk Cloud
  • HEC enabled on your Splunk deployment
  • An HEC token configured with the appropriate index access
  • Network connectivity from Infracast to the Splunk HEC endpoint (TCP/8088 by default, TCP/443 for Splunk Cloud)

Setting Up the Splunk HEC Token

Splunk Enterprise:

  1. Log into Splunk Web as an administrator
  2. Go to Settings → Data Inputs → HTTP Event Collector
  3. Click New Token
  4. Name: infracast-findings
  5. Set the default index (e.g., infracast — create it if it doesn't exist)
  6. Set source type to infracast:finding (or _json for auto-detection)
  7. Click Review → Submit
  8. Copy the generated token value

Create the dedicated index (recommended):

  1. Go to Settings → Indexes → New Index
  2. Index name: infracast
  3. Configure retention as appropriate for your compliance requirements
  4. Save
Tip: Use a dedicated infracast index to make it easy to write targeted SPL queries and set index-specific retention policies. Mixing Infracast data with other indexes makes cost allocation and access control harder.

Configuring the Integration

Navigate to Settings → Integrations → Add Integration → Splunk:

Field              Description
HEC URL            Full HEC endpoint URL, e.g., https://splunk.example.com:8088/services/collector/event
HEC Token          The HEC token value
Index              Splunk index to write events to (e.g., infracast)
Source Type        Splunk source type (default: infracast:finding)
TLS Verify         Verify the Splunk HEC server's TLS certificate
Events to Export   Select which events to send: findings, discovery completions, asset changes
Minimum Severity   Only export findings at or above this severity (e.g., Medium)
Batch Size         Number of events per HEC batch request (default: 100)

Event Format

Infracast sends JSON events to Splunk's HEC. Each event follows this structure:

{
  "time": 1718000000.000,
  "host": "infracast",
  "source": "infracast",
  "sourcetype": "infracast:finding",
  "index": "infracast",
  "event": {
    "event_type": "finding",
    "finding_id": "fnd-abc123",
    "title": "Critical vulnerability CVE-2024-1234 on web-server-01",
    "severity": "critical",
    "asset_id": "aws.ec2.instance.i-0abc123",
    "asset_name": "web-server-01",
    "asset_type": "aws.ec2.instance",
    "plugin": "aws",
    "created_at": "2024-06-10T12:00:00Z",
    "cve": "CVE-2024-1234",
    "cvss_score": 9.8,
    "remediation": "Apply patch X to resolve this vulnerability.",
    "tenant_id": "tenant-xyz"
  }
}

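To show how the integration settings map onto the payload above, here is an added Python example (not Infracast's own code) that wraps constructed findings in the HEC envelope, applies the Minimum Severity and Batch Size settings, and builds the token-authenticated HEC request with urllib. The function names, the severity ranking and the sample findings are assumptions.

```python
import json
import urllib.request

# Assumed severity ordering for the Minimum Severity filter (not from the page).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def to_hec_event(finding, index="infracast", sourcetype="infracast:finding"):
    """Wrap one finding in the HEC envelope shown under Event Format."""
    return {
        "time": finding["time"],  # epoch seconds; HEC uses this for _time
        "host": "infracast",
        "source": "infracast",
        "sourcetype": sourcetype,
        "index": index,
        "event": {"event_type": "finding",
                  **{k: v for k, v in finding.items() if k != "time"}},
    }


def hec_batches(findings, min_severity="medium", batch_size=100):
    """Drop findings below min_severity; yield newline-delimited JSON bodies
    holding at most batch_size events each (one HEC POST per body)."""
    floor = SEVERITY_RANK[min_severity.lower()]
    batch = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"].lower(), -1) < floor:
            continue
        batch.append(json.dumps(to_hec_event(f)))
        if len(batch) == batch_size:
            yield "\n".join(batch)
            batch = []
    if batch:
        yield "\n".join(batch)


def hec_request(url, token, body):
    """HEC authenticates with 'Authorization: Splunk <token>'; urllib verifies
    the server certificate by default, matching TLS Verify enabled."""
    return urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})


# Constructed sample findings, not real Infracast output.
SAMPLE_FINDINGS = [
    {"time": 1718000000, "finding_id": "fnd-abc123", "severity": "critical"},
    {"time": 1718000060, "finding_id": "fnd-def456", "severity": "low"},
    {"time": 1718000120, "finding_id": "fnd-ghi789", "severity": "high"},
]
```

Send a body with urllib.request.urlopen(hec_request(url, token, body)); a non-2xx status maps to the HEC errors covered under Troubleshooting.
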
Example Splunk Queries

/* All critical findings in the last 7 days */
index=infracast sourcetype="infracast:finding"
event.severity=critical earliest=-7d
| stats count by event.asset_name, event.title
| sort -count

/* Findings by asset type */
index=infracast sourcetype="infracast:finding"
| stats count by event.asset_type
| sort -count

/* New assets discovered today */
index=infracast sourcetype="infracast:finding" event.event_type=asset_created earliest=-24h
| table event.asset_name, event.asset_type, event.plugin

Troubleshooting

400 Bad Request from HEC

Symptom: Events fail to send; logs show HEC error: 400

Checks:

  1. Verify the HEC token is valid and enabled: Splunk Web → Settings → Data Inputs → HTTP Event Collector
  2. Verify the index name in Infracast matches an index the HEC token has access to
  3. If source type is custom (e.g., infracast:finding), ensure it exists or use _json

403 Forbidden from HEC

Symptom: Error: HEC request failed: 403 Forbidden

Checks:

  1. Verify the HEC token has not been disabled
  2. Verify the token is allowed to write to the configured index

Events appear in Splunk but with wrong timestamps

Symptom: Events in Splunk show the ingestion time rather than the event time

Fix: Ensure the time field in the HEC payload is being parsed. In the Splunk source type config, enable Timestamp extraction from the time JSON field.

Splunk Cloud HEC endpoint

For Splunk Cloud, the HEC endpoint URL format is:

https://http-inputs-<your-stack>.splunkcloud.com/services/collector/event

Use port 443 (not 8088). TLS verification should be enabled.