Splunk Enterprise Integration Setup

This guide walks you through integrating Splunk Enterprise with RAD Security to enable querying security data from Splunk for enrichment and correlation within RAD Security. Splunk Enterprise provides powerful search and analysis capabilities for security data. RAD Security integrates with Splunk to pull relevant security events and logs for correlation with runtime security detections.

Prerequisites

Before you begin, ensure you have:
  • Admin access to Splunk Enterprise
  • Splunk Enterprise instance (version 8.0 or later recommended)
  • Ability to create authentication tokens in Splunk
  • Access to RAD Security workspace with integration permissions
Splunk Enterprise Only: RAD Security’s Splunk integration uses authentication tokens for querying data, which is only available in Splunk Enterprise. This feature is not available in Splunk Cloud free trials.
Service User Recommended: Create a dedicated service user for this integration rather than using a personal account. This ensures the integration continues working when team members leave or change roles.

Step 1: Enable Token Authentication

Configure authentication tokens to allow RAD Security to query data from Splunk.
1. Log in to Splunk Enterprise
   Log in to Splunk Enterprise with administrator privileges.
2. Enable Token Authentication
   If token authentication is not already enabled:
     1. Navigate to Settings > Authentication methods
     2. Enable Token authentication
     3. Click Save
   Token authentication is typically enabled by default in Splunk Enterprise 7.3 and later.

Step 2: Create Service User

Create a dedicated service user for the RAD Security integration to ensure continuity and proper access control.
1. Navigate to User Management
   Go to Settings > Users and authentication > Access controls > Users
2. Create New User
     1. Click New User
     2. Enter user details:
       • Username (e.g., “rad-security-service”)
       • Full name (e.g., “RAD Security Integration”)
       • Email address - Use a service email (e.g., rad-security@company.com)
       • Password - Create a secure password
3. Assign Roles
   Assign the appropriate role(s) to the service user. At minimum, the user needs:
     • user role - Basic search capabilities
     • Custom role with read access to relevant indexes (optional, for more granular control)
   You can create a custom role with only the specific permissions needed for RAD Security queries if you prefer least-privilege access.
4. Save User
   Click Save to create the service user.
Alternative: You can use an existing service account if one is already configured with appropriate search permissions.

Step 3: Create Authentication Token

1. Navigate to Token Management
   Go to Settings > Tokens
2. Create New Token
     1. Click New Token
     2. Enter a Token name (e.g., “RAD Security Query Token”)
     3. Select the User - Choose the service user created in Step 2
     4. Set Audience - Leave as default (system) or set to a specific audience if required
     5. Set Expiration time:
       • Recommended: 90 days or less for security best practices
       • Or set to match your organization’s token rotation policy
   Setting an expiration date requires you to rotate the token periodically, but it’s a security best practice.
3. Generate Token
     1. Click Create
     2. Immediately copy the authentication token that appears
   This is your only chance to view the token! If you lose it, you’ll need to revoke it and create a new token. Store it securely in a password manager or secrets vault.
4. Note API Endpoint URL
   Your Splunk API endpoint URL will be in the format: https://<splunk-host>:8089. Replace <splunk-host> with your Splunk server hostname or IP address.
   Port 8089 is the default Splunk management port. If your Splunk instance uses a different port, use that instead.
For detailed instructions, see Splunk’s token authentication documentation.

Step 4: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Splunk Enterprise integration with the following parameters:

Required Parameters

Parameter            | Description                      | Example
Search Service URL   | Splunk management API endpoint   | https://splunk.company.com:8089
Search Service Token | Authentication token from Step 3 | your-auth-token-here
The API URL should be your Splunk management port (default: 8089). This is different from the web interface port (8000) or HEC port (8088).
Port Configuration: If your Splunk instance uses a non-standard management port, update the port number in the API URL accordingly.

Verify Integration

After completing the setup, verify your integration is working:
1. Check Connection Status
     1. Navigate to Data Sources > Integrations > SIEM in RAD Security
     2. Locate your Splunk Enterprise integration
     3. Verify the connection status shows as Connected
Your Splunk Enterprise integration is now configured! RAD Security can query security data from Splunk for enrichment and correlation.

What Data Can Be Queried

RAD Security can query the following data types from Splunk:
  • Firewall logs
  • IDS/IPS alerts
  • Web application firewall (WAF) events
  • Network traffic logs
  • VPN connection logs
  • Login attempts (successful and failed)
  • Authentication events from Active Directory, LDAP, etc.
  • Privilege escalation events
  • Account creation/modification/deletion
  • Session management events
  • EDR/antivirus alerts
  • Process execution logs
  • File system changes
  • Registry modifications (Windows)
  • System performance metrics
  • Cloud service logs (AWS CloudTrail, Azure Activity, GCP Audit)
  • Container runtime events
  • Kubernetes audit logs
  • Infrastructure changes
  • API access logs
  • Application errors and exceptions
  • API request/response logs
  • Database query logs
  • Custom application events
  • Performance metrics
  • Indicator of Compromise (IoC) matches
  • Threat feeds integrated in Splunk
  • Malware detections
  • Command and control (C2) communications
  • Suspicious domain lookups

Use Cases

Security Event Enrichment

Enrich RAD Security runtime detections with historical context from Splunk logs.

Cross-Platform Correlation

Correlate RAD Security runtime events with network, endpoint, and application logs stored in Splunk.

Threat Investigation

Query Splunk for additional context when investigating security incidents detected by RAD Security.

Historical Analysis

Access historical security data from Splunk to establish baselines and identify anomalies.

IoC Validation

Validate indicators of compromise by querying Splunk’s threat intelligence and historical data.

Compliance Evidence

Pull compliance-relevant logs from Splunk to support RAD Security’s audit and compliance workflows.

Troubleshooting

Authentication Errors

Possible causes:
  • Token authentication not enabled in Splunk
  • Authentication token is incorrect or expired
  • Token was revoked
  • Service user account was disabled
Solution:
  • Verify token authentication is enabled: Settings > Authentication methods
  • Check token expiration date in Settings > Tokens
  • Ensure token is copied correctly (no extra spaces)
  • Verify the service user account is still active
  • Generate a new token if the old one was revoked or expired
  • Test the token with curl against the current-context endpoint, which returns the user the token resolves to (-k skips certificate verification; use it only for testing):
    curl -k "https://<host>:8089/services/authentication/current-context?output_mode=json" \
      -H "Authorization: Bearer <token>"

Connection Errors

Possible causes:
  • Incorrect API endpoint URL or port
  • Firewall blocking port 8089
  • Splunk management port not accessible
  • SSL certificate issues
Solution:
  • Verify API URL format: https://<host>:8089
  • Ensure firewall rules allow port 8089 from RAD Security
  • Check Splunk is listening on port 8089: netstat -an | grep 8089
  • Test connectivity: telnet <host> 8089
  • Verify SSL certificate is valid
  • Whitelist RAD Security IP addresses if needed

Permission Errors

Possible causes:
  • Service user lacks search role
  • No read access to required indexes
  • Custom role missing necessary capabilities
  • Index-level permissions not configured
Solution:
  • Verify service user has at minimum the user role
  • Check index permissions: Settings > Access controls > Roles
  • Ensure the user can search the indexes you need: | eventcount summarize=false index=*
  • Test search directly in Splunk UI as the service user
  • Grant additional capabilities if needed (list_inputs, search, etc.)

Query Failures

Possible causes:
  • Using Splunk Cloud free trial (query API not available)
  • Invalid SPL (Search Processing Language) query
  • Query timeout
  • Search quota exceeded
Solution:
  • Verify you’re using Splunk Enterprise (query API not available in Cloud free trials)
  • Test queries directly in Splunk UI before using them in RAD Security
  • Simplify complex queries or add time range restrictions
  • Check search job limits: Settings > Server settings > Search
  • Review Splunk search logs: index=_internal source=*splunkd.log* search

Queries Return No Results

Possible causes:
  • User doesn’t have access to the queried indexes
  • Time range doesn’t include relevant data
  • Query syntax is incorrect
  • Index doesn’t exist or is empty
Solution:
  • Verify the service user can access the target indexes
  • Check that data exists in the time range using the Splunk UI
  • Test with a simple query: index=_internal | head 10
  • Ensure the index name is spelled correctly
  • Check for typos in field names or values

Token Expired or Revoked

Possible causes:
  • Token reached configured expiration time
  • Token was manually revoked
  • Service user password changed (doesn’t affect tokens but might be related)
Solution:
  • Check token status in Settings > Tokens
  • Create a new token following Step 3
  • Update the token in RAD Security integration settings
  • Consider setting a longer expiration or implementing a token rotation workflow
  • Document token expiration dates for proactive rotation

SSL Certificate Errors

Possible causes:
  • Self-signed certificate not trusted
  • Certificate validation failed
  • Certificate expired or hostname mismatch
Solution:
  • For testing: You may need to configure RAD Security to accept self-signed certificates
  • For production: Use valid SSL certificates from a trusted CA
  • Verify certificate expiration: openssl s_client -connect <host>:8089
  • Check hostname matches certificate CN or SAN
  • Import self-signed certificate to trusted store if needed

Rate Limiting and Search Quotas

Possible causes:
  • Too many concurrent searches
  • Search quota limits reached
  • API rate limiting enabled
Solution:
  • Check search concurrency limits: Settings > Server settings > Search
  • Review search quota usage for the service user
  • Reduce query frequency in RAD Security if possible
  • Increase search quotas for the service user if necessary
  • Schedule heavy queries during off-peak hours

Security Best Practices

Use Service Accounts

Always use a dedicated service account with a service email, never a personal account tied to an individual.

Rotate Tokens Regularly

Set token expiration periods and rotate before expiry. Recommended: 90 days or less.

Least Privilege Access

Grant only the minimum search permissions required. Use custom roles for granular access control.

Enable SSL/TLS

Always use HTTPS for the API endpoint. Use valid SSL certificates in production environments.

Monitor Token Usage

Regularly review authentication token usage in Splunk to detect anomalous query activity.

Restrict Network Access

Configure firewall rules to only allow port 8089 connections from RAD Security IP addresses.

Secure Token Storage

Store tokens in a secure password manager or secrets vault. Never commit tokens to version control.

Audit Search Activity

Regularly review search activity by the service user to ensure queries align with expected behavior.

Index-Level Permissions

Use index-level permissions to limit which data the service user can query.

Document Token Expiration

Maintain documentation of token expiration dates to enable proactive rotation.

Token Rotation

To rotate your Splunk authentication token:
1. Create New Token
     1. Log in to Splunk Enterprise as admin
     2. Navigate to Settings > Tokens
     3. Create a new authentication token for the same service user
     4. Use a different label to distinguish it from the old token
2. Update RAD Security Integration
   Update the authentication token in RAD Security integration settings
3. Verify Connectivity
   Test that queries still work with the new token
4. Revoke Old Token
   Once verified, revoke the old token in Settings > Tokens
Token Rotation Schedule: Set calendar reminders 1-2 weeks before token expiration to ensure uninterrupted service.
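The checks from the troubleshooting section (HTTPS on the management port rather than the web UI or HEC port, the token resolving to the service user, the service user being able to search the required indexes) and the "Verify Connectivity" step of the rotation above can be run in one place with the following Python helper; it is an added example, not RAD Security's or Splunk's own code. It calls two Splunk REST endpoints on port 8089, GET /services/authentication/current-context and POST /services/search/jobs/export with the page's `| eventcount summarize=false index=*` search; the hostname, user name and the sample responses are constructed.

```python
"""Preflight checks for the RAD Security <-> Splunk Enterprise integration (added example)."""
import json
import ssl
import urllib.parse
import urllib.request

def check_url(url: str) -> list[str]:
    """Return problems with the Search Service URL (must be https on the management port)."""
    problems = []
    p = urllib.parse.urlparse(url)
    if p.scheme != "https":
        problems.append("URL must use https")
    if p.port in (8000, 8088):
        problems.append(f"port {p.port} is the web UI/HEC port, not the management port (default 8089)")
    return problems

def parse_context(body: str, expected_user: str) -> list[str]:
    """Check a current-context JSON response: the token must resolve to the service user."""
    user = json.loads(body)["entry"][0]["content"].get("username")
    return [] if user == expected_user else [f"token belongs to {user!r}, expected {expected_user!r}"]

def parse_eventcount(ndjson: str, required: set[str]) -> list[str]:
    """Parse export output (one JSON object per line) and report required indexes not returned."""
    readable = {json.loads(line)["result"]["index"] for line in ndjson.splitlines() if line.strip()}
    return [f"service user cannot search index {i!r}" for i in sorted(required - readable)]

def preflight(url: str, token: str, expected_user: str, required: set[str], verify_tls: bool = True) -> list[str]:
    """Run all checks against a live Splunk instance and return the list of problems found."""
    problems = check_url(url)
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k; testing only, never in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    headers = {"Authorization": f"Bearer {token}"}
    # Who does Splunk think this token belongs to?
    req = urllib.request.Request(
        f"{url}/services/authentication/current-context?output_mode=json", headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        problems += parse_context(resp.read().decode(), expected_user)
    # Which indexes can the service user actually search? (same SPL as the troubleshooting section)
    data = urllib.parse.urlencode(
        {"search": "| eventcount summarize=false index=*", "output_mode": "json"}).encode()
    req = urllib.request.Request(f"{url}/services/search/jobs/export", data=data, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        problems += parse_eventcount(resp.read().decode(), required)
    return problems

if __name__ == "__main__":
    # Constructed values; replace with your own host, token and required indexes.
    print(preflight("https://splunk.example.com:8089", "<token>", "rad-security-service", {"firewall"}))
```

An empty list means the URL, token and index permissions all match what Step 4 expects; each string in the list maps to one entry in the troubleshooting section.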
