Splunk is one of the leading SIEM solutions.

When an alert is created in Aqua, it will also be created in Splunk. There are two options for creating Splunk integration in  Aqua CSPM:

• Splunk Add-On
• Splunk App

Splunk Add-on

Install the Splunk Add-On to bring alerts into your instance of Splunk. Add-ons are reusable components that can change the look and feel of the Splunk platform, add data sources, or share information between users. Add-ons can be as simple as a collection of one or more event-type definitions or saved searches. Unlike apps, add-ons have no standalone GUI component.

The Aqua Add-on for Splunk contains field mappings to make data from Aqua's Splunk integration complaint with the Common Information Model (CIM) standard. 

The Aqua integration will send data to Splunk in three different source types: scan_results, event, and alert. The scan_results fit into the CIM Vulnerabilities data model.

Splunk Add-on Installation

1. Log in to your Splunk Cloud account.
2. On the Apps menu, click Find More Apps.
3. Search for CloudSploit Add-On For Splunk and click Install.
   
4. In the prompt window, enter your Splunk.com credentials, agree to the terms, and click Login and Install.
5. On completion, you get are prompted with a success message. Click Done.

Splunk Add-on Integration with Aqua CSPM

1. Create an HTTP Event Collector input:
   1. In Splunk's web interface, select Settings->Data Inputs->HTTP Event Collector.
   2. In App: select CloudSploit Addon for Splunk.
   3. Click New Token. 
      • In the Name field, enter a name for the token.
      • (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
      • (Optional) In the Description field, enter a description for the input.
      • (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
      • (Optional) Make edits to source type and confirm the index where you want HEC events to be stored.
   4. Click Next.
   5. Click Review.
   6. Confirm that all settings for the endpoint are what you want.
   7. If all settings are what you want, click Submit. Otherwise, click Back to make any changes.
   8. Copy the Token Value that Splunk Web displays and paste it into another document for reference later.
   9. (Optional) Click Track deployment progress to see progress on how the token has been deployed to the rest of the Splunk Cloud deployment. When you see a status of "Done", you can then use the token to send data to HEC.
2. Navigate to Settings > Data Inputs  > HTTP Event Collector > Global Settings  and make sure that the All Tokens option is enabled. Enable it if not and click Save. Take note of the HTTP port number here. The default setting is 8088.
3. Add a new Aqua integration at https://cloud.aquasec.com/integrations: 
   1. Navigate to CSPM > Integrations.
   2. Select Create Integration.
   3. Enter a name for the integration and select Splunk in the Integration Type dropdown. 
   4. For Splunk Endpoint, use the format https://\<hostname>:\<port>/services/collector/event. Hostname is the hostname of the Splunk server you added input to in step 1. Port will be the port from step 2. An example value for this setting would be  https://splunkforwarder01.mycompany.com:8088/services/collector/event
   5. Fill in your Token Value from step 1 in the Splunk Token field.
   6. Click Create Integration.
4. Add this integration to any and all events/scans you'd like to feed into Splunk from the Alerts page. 
5. To create a scan alert: 
   1. Navigate to CSPM > Alerts. 
   2. On the Alerts page, select the Scans tab.
   3. Select Create Alert. 
   4. Select the cloud type, one or more of the cloud accounts, plugins that will trigger this alert, and select Splunk under Integrations. 
   5. Click Create Alerts.

6. To create an event alert: 

1. Navigate to CSPM > Alerts. 
2. On the Alerts page, select the Events tab.
3. Select Create Alert. 
4. Select a cloud account and select Splunk under Integrations. 
5. Click Create Alerts.

Splunk App

The Splunk Apps are self-service extensions that have their own UI contexts. Apps offer specialized insight into data and systems with pre-configured dashboards, reports, data inputs, and saved searches. Apps can include new views and dashboards that completely reconfigure the way Splunk looks, or they can be as complex as a new program using Splunk's REST API. These dashboards are used for visualizing data provided by the Aqua Add-on for Splunk.

Splunk App Installation

1. Download Aqua App for Splunk available on the Splunkbase. 
2. Log in to your Splunk Enterprise account. 
3. On the Apps menu, click Manage Apps.
4. Click Install app from file.
5. In the Upload app window, click Choose File.
6. Locate the .tar.gz file you just downloaded, and then click Open or Choose.
7. Click Upload.

Splunk App Integration with Aqua CSPM

1. Create an HTTP Event Collector input:
   1. In Splunk Enterprise's web interface, select Settings->Data Inputs->HTTP Event Collector.
   2. In App: select CloudSploit Addon for Splunk.
   3. Click New Token. 
      • In the Name field, enter a name for the token.
      • (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
      • (Optional) In the Description field, enter a description for the input.
      • (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
      • (Optional) Make edits to source type and confirm the index where you want HEC events to be stored.
   4. Click Next.
   5. Click Review.
   6. Confirm that all settings for the endpoint are what you want.
   7. If all settings are what you want, click Submit. Otherwise, click Back to make any changes.
   8. Copy the Token Value that Splunk Web displays and paste it into another document for reference later.
   9. (Optional) Click Track deployment progress to see progress on how the token has been deployed to the rest of the Splunk Cloud deployment. When you see a status of "Done", you can then use the token to send data to HEC.
2. Navigate to Settings > Data Inputs  > HTTP Event Collector > Global Settings  and make sure that the All Tokens option is enabled. Enable it if not and click Save. Take note of the HTTP port number here. The default setting is 8088.
3. Add a new Aqua integration at https://cloud.aquasec.com/integrations: 
   1. Navigate to CSPM > Integrations.
   2. Select Create Integration.
   3. Enter a name for the integration and select Splunk in the Integration Type dropdown. 
   4. For Splunk Endpoint, use the format https://\<hostname>:\<port>/services/collector/event. Hostname is the hostname of the Splunk server you added input to in step 1. Port will be the port from step 2. An example value for this setting would be  https://splunkforwarder01.mycompany.com:8088/services/collector/event
   5. Fill in your Token Value from step 1 in the Splunk Token field.
   6. Click Create Integration.
4. Add this integration to any and all events/scans you'd like to feed into Splunk from the Alerts page. 
5. To create a scan alert: 
   1. Navigate to CSPM > Alerts. 
   2. On the Alerts page, select the Scans tab.
   3. Select Create Alert. 
   4. Select the cloud type, one or more of the cloud accounts, plugins that will trigger this alert, and select Splunk under Integrations. 
   5. Click Create Alerts.

6. To create an event alert: 

1. Navigate to CSPM > Alerts. 
2. On the Alerts page, select the Events tab.
3. Select Create Alert. 
4. Select a cloud account and select Splunk under Integrations. 
5. Click Create Alerts.