Splunk Destination (Beta)

Configuring Splunk as an alert destination in your Panther Console


The Splunk alert destination is in open beta starting with Panther version 1.92, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Destinations are integrations that receive alerts from rules, policies, system health notifications, and rule errors. Panther supports configuring Splunk as the destination where you will receive alerts.

As a Splunk user, sending Panther alerts to Splunk allows you to leverage Panther's powerful Detections-as-Code functionality on a set of logs while keeping your existing triage, search, and remediation workflows in Splunk.

It may be particularly useful to include the matching event (or first matching event, if you are using deduplication) in your alert sent to Splunk—especially if the log on which a match was made is not also stored in Splunk. You can include the event (or a subset of it) by using the alert_context() function or the AlertContext key in your Python or YAML detection, respectively.
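As an added example (not code from the Panther docs or from Panther itself), the following Python detection in Panther's rule format forwards a chosen subset of the matching event with the alert through alert_context(). The rule logic, the CloudTrail-shaped sample event and the CONTEXT_FIELDS list are constructed for illustration; the code uses dict-style event.get(), which the event object Panther passes to these functions also supports.

```python
"""Panther-style Python detection that ships selected event fields to Splunk
via alert_context(). Added example, not from the Panther documentation."""
from typing import Any, Dict

# Top-level fields worth forwarding when the raw log is not also indexed in
# Splunk. An explicit allow-list keeps the alert small and avoids forwarding
# fields the triage workflow does not need. (Constructed for this example.)
CONTEXT_FIELDS = ("eventName", "eventSource", "sourceIPAddress", "awsRegion", "eventTime")

# Constructed sample event in a CloudTrail-like shape, so the file runs stand-alone.
SAMPLE_EVENT: Dict[str, Any] = {
    "eventName": "ConsoleLogin",
    "eventSource": "signin.amazonaws.com",
    "sourceIPAddress": "203.0.113.10",
    "awsRegion": "us-east-1",
    "eventTime": "2024-01-01T00:00:00Z",
    "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
    "responseElements": {"ConsoleLogin": "Success"},
}


def rule(event: Dict[str, Any]) -> bool:
    """Match a successful AWS console login by the root user (example logic)."""
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("userIdentity", {}).get("type") == "Root"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
    )


def title(event: Dict[str, Any]) -> str:
    """Alert title shown in Splunk."""
    return f"Root console login from {event.get('sourceIPAddress', '<unknown>')}"


def dedup(event: Dict[str, Any]) -> str:
    """Deduplicate per source IP; with deduplication on, Splunk receives the
    context of the first matching event only."""
    return event.get("sourceIPAddress", "")


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return the subset of the event that travels with the alert."""
    ctx = {field: event.get(field) for field in CONTEXT_FIELDS if field in event}
    # Pull one nested value out explicitly instead of forwarding userIdentity wholesale.
    ctx["actor_arn"] = event.get("userIdentity", {}).get("arn")
    return ctx


if __name__ == "__main__":
    if rule(SAMPLE_EVENT):
        print(title(SAMPLE_EVENT))
        print(alert_context(SAMPLE_EVENT))
```

The same field selection can be expressed in a YAML detection with the AlertContext key; the point in either case is that the context, not the full event, is what Splunk receives, so choose the fields your Splunk searches and triage steps actually need.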

How to set up Splunk as an alert destination

To configure Splunk as an alert destination in Panther, you'll need to set up a Splunk HTTP Event Collector, get an authentication token, then set up the destination in Panther.

Step 1: Create an HTTP Event Collector in Splunk

  1. Log in to your Splunk Console.

  2. Follow the Splunk documentation to configure an HTTP Event Collector.

    • Give the Event Collector a descriptive Name, such as Panther Alerts.

    • All other settings are optional.

  3. Copy the HTTP Event Collector's Token Value from the final screen of the wizard.

    • You'll need this to configure the Panther alert destination.

    • If you need to reference the Token Value after completing the wizard, it can be found under Settings > Data Inputs > HTTP Event Collector.

  4. Follow Splunk's instructions to generate your HTTP Event Collector URI.

    • You will need this in the next step of this process.

    • If you're using a paid edition of Splunk Cloud, this might look like: https://http-inputs-<your-subdomain>.splunkcloud.com:443/services/collector/event

Step 2: Configure the Splunk alert destination in Panther

  1. Log in to the Panther Console.

  2. In the left sidebar, click Configure > Alert Destinations.

  3. Click +Add your first Destination.

    • If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.

  4. Click Splunk.

  5. Fill out the form to configure the Destination:

    • Display Name: Enter a descriptive name.

    • HTTP Event Collector URL: Enter the Splunk HTTP Event Collector URI that you generated in the previous step of this documentation.

    • Auth Token: Enter the Token Value from the HTTP Event Collector that you configured on Splunk.

    • Severity: Select the severity level of alerts to send to this Destination.

    • Alert Types: Select the alert types to send to this Destination.

    • Log Type: By default, we will send alerts from all log types. Specify log types here if you want to only send alerts from specific log types.

  6. Click Add Destination.

  7. On the final page, optionally click Send Test Alert to test the integration. When you are finished, click Finish Setup.

Additional Information on Destinations

For more information on alert routing order, modifying or deleting destinations, and workflow automation, please see the Panther docs: Destinations.
