Where can I find some information about Splunk integration?

Hi everyone, I would like to find some information about Splunk integration. Mainly I'm interested in the differences between the push and pull options for taking alerts from Splunk. Does anybody have experience in this matter? Right now we are using push (from Splunk) to Chronicle (on prem, btw), but I can't figure out how to customize the ontology, or where I can test alerts in the usual way using the integration (pull from Splunk).


Are you talking about the Splunk pull connector into SOAR? If so, this works well. You could test it on the Community Edition.

No, I'm talking about the add-on for Splunk, installed on Splunk, which sends alerts to SOAR. Where can I review the raw event/alert like in the connector?

I mean, if I'm using the common connector (pull alerts), I can see the payload of the alert and can do the mapping. How do I 'load' an alert if Splunk sends me the alert via the API?

For our Splunk clients, we tried both and ended up using a remote agent and the pull connector. We had better alerts and information using that method. It also depends on how mature the Splunk instance is. YMMV.

Just to add to this: with the push connector we are creating alerts "from the Splunk side", not with our usual approach with connectors, so you can't see the alert/event raw data from the connector page, but you should still be able to see the event data from the "Cases" page, like here.
