“Axur Data Connector” add-on on Splunk

Updated over a week ago

The Axur platform features a native integration with Splunk. With this functionality, you can achieve significant improvements in operational efficiency, incident response capabilities, and visibility into your IT infrastructure.


What is Splunk?

Splunk is a platform used for collecting, analyzing, and visualizing large volumes of data. The tool enables data correlation and real-time insights, making it easier to make decisions and identify issues before they become critical. For more information about Splunk, visit: https://www.splunk.com/


Benefits of implementation

Splunk is widely used by IT, cybersecurity, and operations teams to optimize system performance and security. Some of its functionalities include:

  • Data collection: integrates data from different sources, such as server logs, network devices, applications, and more.

  • Analysis: enables complex queries and interactive visualizations to better understand and correlate data.

  • Alerts and reports: provides the capability to set up event-based alerts and generate customized reports.

  • Dashboards: allows the creation of control dashboards that display relevant metrics and KPIs.


How to configure the Add-On

To implement this integration, follow the steps below:

  1. Download the Axur Data Connector from the Splunk marketplace: https://splunkbase.splunk.com/app/7622

  2. Open the add-on in Splunk and go to the "Inputs" tab.

  3. Click the "Create New Input" button.

  4. In the drop-down selection box, choose the option to create a ticket input or a credentials input, as shown in the image below.

    The configuration of credential feeds is available starting from version 1.0.4.

  5. Fill in the information as follows:

    1. Name: define a name for the input. The name should only contain letters, numbers, and/or underscores. Spaces are not allowed, and this is the only information that cannot be edited later.

    2. Interval: set the interval in seconds at which Splunk will query this feed. The maximum interval for querying a feed is every 30 seconds.

    3. Index: by default, Splunk suggests using "default," but you can switch to any index of your preference.

      For better organization, if you have other data sources in Splunk besides Axur, we recommend creating a dedicated index for all Axur add-on feeds. To do this, go to Settings > Indexes > New index.

    4. Integration Feed ID: the feed for your integration must be created directly on the Axur platform, on the API & Integrations > Feeds page. After creating it, paste the URL into the Integration Feed URL field in Splunk, as shown in the image below.

      For more information, access the specific article about Feeds in the knowledge base.

  6. In the add-on, go to the Configuration > Add-on Settings tab. In the API Token field, enter an API key from the Axur platform. To generate one, go to the API Keys tab on the platform.

    1. Test mode: when this checkbox is selected, your requests will be in test mode, meaning the feed pointer will not advance. This is recommended when you want to test if the feed is bringing in the expected events. After testing, be sure to uncheck this box so your feed functions as expected, without bringing in duplicate events.

Attention! The feed will only return data that the API key user has access to. For example, if the feed searches for phishing incidents and the user with the applied key does not have access to this type of ticket, the feed will not retrieve any data.

Attention! To enable data ingestion, the add-on must be installed on your IDM or Heavy Forwarder.

That's it! Your integration is now configured. Just wait for the first queries to run, and the events will start appearing in your Splunk.


FAQ

How can I confirm that the integration is working?

To confirm that the integration is functioning, you can check the timestamp of the last request to your feed on the API & Integrations page, as shown in the image below.

Another option is to create a test ticket that matches the parameters defined in the feed and check if the event is retrieved by Splunk.

What to do when the feed is not returning data in Splunk?

Depending on the query frequency configured in the feed’s Input, it’s possible there are no new results to display. On the API & Integrations > Feeds page, you can view the list of feeds created by your company, as well as their status:

  • Green: the feed has received at least one request in the last 24 hours.

  • Yellow: the feed has not received any requests in the last 24 hours.

  • Empty: the feed has never received any requests.

If the status is green, it is likely that the configuration is correct, but there are no events matching the feed parameters or the permissions of the user making the requests (e.g., the user is attempting to retrieve Phishing tickets without authorization for this ticket type).

If the status is yellow or empty, there may be an incorrect configuration in Splunk. We recommend reviewing the setup steps.
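As an added example (not from this article or the add-on itself), the following Splunk search reports how recently each Axur feed delivered an event, which complements the feed status shown on the API & Integrations page. It assumes the inputs were pointed at a dedicated index named `axur`, as recommended above; the sourcetype values are whatever the add-on assigns and are not assumed here.

```spl
| tstats count AS events, latest(_time) AS last_event
    WHERE index=axur earliest=-7d
    BY sourcetype
| eval minutes_since_last=round((now()-last_event)/60, 0)
| eval status=if(minutes_since_last > 60, "STALLED", "OK")
| convert ctime(last_event)
| table sourcetype events last_event minutes_since_last status
```

Saving this search as a scheduled alert on the "STALLED" condition gives an early warning before the feed status on the Axur side turns yellow.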

I installed the add-on, and Splunk is returning a generic error. What should I do?

After installing an add-on in Splunk, it may be necessary to restart the services to apply the configurations correctly. Follow these steps to restart Splunk and resolve the issue:

  1. Open Services in Windows:

    • Press Win + R, type services.msc, and press Enter.

  2. Find the Splunk service:

    • Look for Splunkd Service in the list of services displayed.

  3. Restart the service:

    • Right-click on Splunkd Service and select Restart.

    • Wait for the service to restart (this may take a few seconds).

  4. Test again:

    • Once restarted, log in to Splunk again and try to proceed with the add-on configuration.

I upgraded the add-on and my integration stopped working. What should I do?

If you upgraded the Axur Data Connector to version 2.0.0 and your feed stopped working, this is expected behavior. This version introduced a breaking change: the integration now requires the Feed URL instead of the Feed ID.

To fix the issue:
1. Edit your existing input in Splunk
2. Replace the Feed ID with the full Feed URL
3. Save the configuration and wait for the next execution cycle

Note: Ensure you have administrator permissions on the machine to perform these actions. If the issue persists, check the Splunk logs for specific error messages or contact technical support.


If you have any questions, feel free to reach out at [email protected] 😊