Skip to main content

Splunk SIEM

The Entrust Identity as a Service Add-on for Splunk enables centralizing your Identity as a Service authentication and management audit events in Splunk™ Enterprise and Splunk™ Cloud. The Identity as a Service Splunk Add-On is located at https://splunkbase.splunk.com/app/4204.

To integrate Splunk SIEM with Identity as a Service, you need to complete the following steps:

Step 1: Add Splunk add-on to Identity as a Service

  1. In Identity as a Service, click > Security > Applications. The Applications page appears.

  2. Click Add. The Select an Application Template page appears.

  3. Do one of the following:

    • Select Identity as a Service Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
    • In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

  4. Click Splunk Add-on. The Add Splunk Add-on page appears.

  5. In the Application Name field, type a name for your application.

  6. Optional. In the Application Description field, type a description for your application.

  7. Optional. Add a custom application logo.Optional. Add a custom application logo.

    1. Click next to Application Logo. The Upload Logo dialog box appears.
    2. Click to select an image file to upload.
    3. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.
    4. If required, resize your image.
    5. Click OK.

  8. Click Submit. The Setup page appears.

    The Application ID is generated automatically.

  9. Do one of the following:

    • Click Copy to Clipboard to copy the credentials generated by Identity as a Service.
    • Click Download to download a JSON file that contains the credentials needed to integrate with Splunk SIEM.

    :::danger Attention

    Once you leave this page the credentials are no longer available. If you do not copy or download the data then you will need to recreate the application.

    :::

  10. Click Done.

Step 2: Add Identity as a Service Add-on to Splunk

  1. Log in to Splunk.
  2. Click Find More Apps.
  3. In the Browse More Apps field, search for Identity as a Service. The Entrust Identity as a Service Add-on for Splunk dialog box appears.
  4. Click Install.
  5. In the Login, page enter your Splunk.com username and password.
  6. Accept the terms of agreement.
  7. Click Login and Install.
  8. Click Restart Now on the Restart Splunk prompt.
  9. Click OK.
  10. Log in to Splunk as an administrator. The Identity as a Service Add-on appears in the Apps list.
  11. Click Identity as a Service Add-on. The Inputs page appears.
  12. Click Configuration. The Configuration page appears.
  13. Click Add-on Settings.
  14. In the Identity as a Service Splunk App Secret field, paste the contents that you generated in Step 1, Add Splunk add-on to Identity as a Service.
  15. Click Save.
  16. On the Inputs page, click Create New Input.
  17. Under Action click Edit. The Update Identity as a Service dialog box appears.
  18. In the Interval box enter the interval period, in seconds, that Splunk queries Identity as a Service for new audit events.
  19. In the Include field select the type of audits you want to ingest. Options include:
    • Authentication Events Only
    • Management Events Only
    • Both
  20. Click Add.