Splunk Notables & Alerts

Overview

The Splunk Notables and Alerts integration with DataBee enables security teams to forward notable events and alerts from Splunk to DataBee. This connection leverages Splunk’s event detection capabilities and DataBee’s centralized data lake to provide advanced correlation, entity resolution, and improved threat detection for enhanced security monitoring and response.

• Splunk: A platform for searching, monitoring, and analyzing machine-generated data, capable of identifying critical security events through its Notable Events Framework and Alert Actions.

• DataBee: A security fabric platform that ingests and analyzes data from multiple sources, addressing fragmented security landscapes and supporting organizations with multiple Security Information Management (SIEM) systems and other tools.

This integration allows seamless transmission of Splunk events into DataBee for deeper analysis and actionable insights.

Architecture

The integration follows a straightforward data flow connecting Splunk and DataBee:

1. Splunk Enterprise identifies noteworthy security events using saved searches.

2. Events are processed by the Notable Events Framework or Alert Actions.

3. The DataBee app for Splunk forwards these notables or alerts to DataBee via the HTTP Collector.

4. Data is ingested, processed, and stored in DataBee’s detection finding tables.

5. Security teams can analyze and respond to these findings within DataBee’s Security Fabric platform.

   

Configuration

Prerequisites

• A working Splunk instance (Splunk Enterprise or Splunk Cloud).

• Access to the DataBee console with appropriate permissions.

• Internet connectivity for HTTP Collector communication.

DataBee Setup

Follow these steps to configure DataBee to receive Splunk notables and alerts:

1. Access the DataBee Console: Log in and navigate to Data > Data Feeds.

2. Create a New Data Feed:

   1. Click + Add new Data Feed.

   2. Select Splunk Alerts (or Notables if using Splunk Enterprise Security).

      

3. Choose Ingestion Method: Select HTTP Collector for near real-time data collection.

   

4. Provide Feed Details:

   1. Enter a name for the data source (e.g., "Splunk Alerts Feed").

   2. Enter an owner’s email address.

      

5. Retain Defaults: Keep the default settings for data format and tags.

   

   
   

6. Generate API Key:

   1. Click Generate New API Key and save it securely for use in Splunk.

      

   2. Click Submit to create the feed.

7. Copy Datasource ID:

   1. Go to You Current Data Feeds, locate the Splunk Alerts feed card, and copy the datasource_ID.

      

8. Obtain Tenant ID: Navigate to your Profile in DataBee and copy the tenant ID.

   

9. Copy Endpoint URL: Go to the HTTP Collector tab within System Settings and copy the endpoint URL.

   

   

Splunk Setup

Follow these steps to configure Splunk to send notables and alerts to DataBee:

1. Install the DataBee App:

   1. Download the DataBee app for Splunk from Splunkbase.

   2. Install it in your Splunk instance using the standard app installation process (compatible with Splunk Enterprise and Splunk Cloud).

      

2. Configure the App:

   1. Open the DataBee app and go to the Configuration tab.

   2. Click Add and enter the following:

      1. API Key: From DataBee setup step 6.

      2. Datasource_ID: From DataBee setup step 7.

      3. Tenant ID: From DataBee setup step 8.

      4. Endpoint URL: From DataBee setup step 9.

         

3. Select Alerts: Use the multi-select dropdown to choose the alerts or notables to send to DataBee.

4. Save Configuration: Click Update to apply the settings.

How It Works

• When a notable event or alert action is triggered in Splunk (based on the selected alert actions), the DataBee app sends the event data to DataBee via the HTTP Collector.

• The data is transmitted in JSON format, including fields such as event ID, search name, and other metadata.

• In DataBee, the data is stored in the detection finding table, where it can be queried, visualized, and correlated with other security data for deeper insights and response actions.

Verification

To ensure the integration is working correctly:

1. Trigger a Test Event in Splunk:

   1. Run a test search in Splunk that generates a notable event or alert (e.g., a saved search with an alert action).

2. Check DataBee:

   1. In the DataBee console, navigate to the detection finding table.

   2. Verify that the event data appears with fields like event ID, search name, and other metadata.

3. Review the DataBee Splunk App Logs for any errors.  Search “index=*_internal* sourcetype=ta_databee_log
   

Benefits

• Centralized Data Lake: Consolidates security events for advanced correlation and entity resolution across multiple sources.

• Improved Threat Detection: Enhances visibility and analysis of threats with DataBee’s powerful analytics.

• Seamless Event Transmission: Automatically forwards Splunk notables and alerts to DataBee for streamlined security monitoring and response.