We’ve updated the ExtraHop Add-On for Splunk and the ExtraHop App for Splunk to version 1.2.0!
You can send ExtraHop detections to Splunk! The ExtraHop Detection SIEM Connector supports the ExtraHop integration with Splunk by formatting and transmitting detection data over syslog. The ExtraHop Add-On and App have been updated to work with this bundle.
For the ExtraHop Add-On for Splunk, we added the extrahop_detection sourcetype so Splunk can understand the data sent by the SIEM Connector bundle.
For the ExtraHop App for Splunk, we added a dashboard to show recent detections received by Splunk.
HOW IT WORKS
Create a data input for detections
The ExtraHop Add-On for Splunk contains a sourcetype for ExtraHop detections. In order to receive detections in Splunk, you must configure a data input for ExtraHop detections and configure the ExtraHop Detection SIEM Connector on your ExtraHop Command or Discover appliance.
Configure a data input in Splunk
Detection data can be sent from a Command or Discover appliance to Splunk through the syslog protocol. Complete the procedure in the Splunk documentation to get data from a TCP or UDP port. You must set the source type value to extrahop-detection.
Configure the ExtraHop Detection SIEM Connector
Follow the instructions on the ExtraHop Detection SIEM Connector bundle page to configure your ExtraHop appliance to send detection data to Splunk.
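As an added example (not part of this announcement or the ExtraHop Add-On), here is what the Splunk side of the procedure above looks like when written directly in inputs.conf rather than through the Splunk web UI. The port numbers, the index name and the appliance address are assumptions; substitute your own. The sourcetype value is the one the page specifies for this input.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf
# Added example; port numbers, index and appliance address are placeholders.

# Option 1: UDP syslog input. Simple, but UDP drops events under load and
# the sender is unauthenticated, so restrict which hosts may deliver to it.
[udp://1514]
sourcetype = extrahop-detection
index = extrahop                       # assumed index; create it first
connection_host = ip                   # record the sending appliance's IP as host
no_appending_timestamp = true          # keep the appliance's own timestamp
acceptFrom = 192.0.2.10                # placeholder: your Command/Discover appliance
disabled = 0

# Option 2: TCP syslog input. Preferred over UDP: no silent loss of
# detections, and acceptFrom still limits the input to the appliance.
[tcp://1514]
sourcetype = extrahop-detection
index = extrahop                       # assumed index; create it first
connection_host = ip
acceptFrom = 192.0.2.10                # placeholder: your Command/Discover appliance
disabled = 0
```

Only one of the two stanzas is needed; pick the transport the SIEM Connector bundle is configured to send on, and point the bundle at the matching port. The acceptFrom line is the check worth keeping in either case: without it, any host that can reach the port can inject events that will render on the detections dashboard as if they came from the appliance. If the appliance can send syslog over TLS, Splunk's tcp-ssl input type is the better fit than plain TCP. After restarting Splunk, confirm the input is live with `splunk list udp` or `splunk list tcp`, and verify that new events carry sourcetype=extrahop-detection before checking the Add-On's dashboard.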
DOWNLOADS AND DOCUMENTATION