How to set up your integration with Splunk

Using this integration, you can easily send Detectify data such as started scans, finished scans, and findings of various severity into your Splunk dashboard in your preferred format. The notification formats available depend on which price plan you are on. Here's how to set up the Splunk integration:


1. Log in to your Splunk account and go to Settings > Data input


2. Set up a new HTTP Event Collector. For more information, see the documentation. Do not enable indexer acknowledgement.

3. In your Event Collector list, copy the Token Value.


Make sure that all tokens are enabled (under global settings).



4. Navigate to Integrations

Choose a scan profile on your Detectify dashboard by clicking on it, then navigate to Scan Profile Settings > Integrations.




Find Splunk in the list of integrations and click Configure.



5. Type in your Splunk details.

For Splunk Enterprise the endpoint format is: <protocol>://<host>:<port>/services/collector

Example: https://mysplunkserver.example.com:8088/services/collector

For more information, see the documentation.


For Splunk Cloud the endpoint format is: https://input-<host>.cloud.splunk.com:8088/services/collector

Example: https://input-prd-p-xq2bzd1q1wq6.cloud.splunk.com:8088/services/collector

For more information, see the documentation.


Type in your Authorisation Token from step 3 above.


6. Select notification types

You can now select the events you would like Detectify to send to your Splunk dashboard as notifications. Events include vulnerability findings in 3 severity categories (see the description below) and Scan finished.

Scan finished contains the number of findings in each of the three categories, the scan profile token, the report token and the report URL for the scan.

{
  "high_level_findings": "{nr. of high level findings}",
  "medium_level_findings": "{nr. of medium level findings}",
  "low_level_findings": "{nr. of low level findings}",
  "scan_profile_token": "{scan profile token}",
  "token": "{report token}",
  "url": "{report URL}"
}
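A way to check the endpoint and token from step 5 before saving the integration, as an added example that is not Detectify's or Splunk's own code: it validates the endpoint against the two formats given above, builds the request the way the HTTP Event Collector expects it (an Authorization: Splunk <token> header and a JSON body wrapped in "event"), and can post a constructed event in the shape of the Scan finished notification. The host, token and report values are constructed placeholders.

```python
"""Check a Splunk HEC endpoint/token pair before saving the Detectify integration.
Added example, not Detectify's or Splunk's code; placeholder values throughout."""
import json
import re
import ssl
import urllib.request
from urllib.parse import urlparse

# Endpoint formats from step 5: <protocol>://<host>:<port>/services/collector for
# Splunk Enterprise, https://input-<host>.cloud.splunk.com:8088/services/collector for Cloud.
ENTERPRISE_RE = re.compile(r"^https?://[^/:]+:\d+/services/collector$")
CLOUD_RE = re.compile(r"^https://input-[^./:]+\.cloud\.splunk\.com:8088/services/collector$")


def endpoint_kind(url: str) -> str:
    """Return 'cloud', 'enterprise' or 'invalid' for a configured endpoint URL."""
    if CLOUD_RE.match(url):
        return "cloud"
    if ENTERPRISE_RE.match(url):
        return "enterprise"
    return "invalid"


def build_hec_request(url: str, token: str, event: dict, sourcetype: str = "detectify") -> tuple:
    """Headers and body for one HEC POST. No X-Splunk-Request-Channel header is sent,
    which is why the instructions say to leave indexer acknowledgement disabled:
    an ack-enabled token rejects requests that lack that channel header."""
    if endpoint_kind(url) == "invalid":
        raise ValueError(f"endpoint does not match either Splunk format: {url}")
    if urlparse(url).scheme != "https":
        raise ValueError("use https so the HEC token is not sent in clear text")
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = json.dumps({"sourcetype": sourcetype, "event": event}).encode()
    return headers, body


def send_test_event(url: str, token: str) -> dict:
    """POST a constructed Scan finished style event and return the collector's JSON
    reply; a working, enabled token answers with {"text": "Success", "code": 0}."""
    event = {  # constructed sample in the shape of the Scan finished notification
        "high_level_findings": "0", "medium_level_findings": "1", "low_level_findings": "2",
        "scan_profile_token": "PLACEHOLDER_SCAN_PROFILE_TOKEN",
        "token": "PLACEHOLDER_REPORT_TOKEN", "url": "https://example.invalid/report",
    }
    headers, body = build_hec_request(url, token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    # The default context verifies the server certificate; keep it that way.
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
        return json.loads(resp.read())
```

Run send_test_event with your real endpoint and token; a 403 response means the token is not enabled or is wrong, and a 400 mentioning a channel means acknowledgement was left on.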


7. Select notification format

Select the format in which you would like to send the Detectify data. Note that the options available will depend on which price plan you are currently on.


  • Splunk vulnerability - Formatted according to the Splunk Common Information Model Vulnerability. For more information, see the documentation. Only available for the Enterprise plan.
    {
      "category": "{OWASP classification string conversion}",
      "cvss": "{CVSS score}",
      "dest": "{endpoint/hostname of scanprofile}",
      "dvc":"scanner",
      "severity":"{finding severity}",
      "signature": "{finding title}",
      "url": "{finding URL}",
      "vendor_product": "detectify",
      "xref": "{finding details url}"
    }
  • Detectify finding summary - Contains summarized information on the finding, such as title, CVSS score, tags and location.
    {
      "uuid": "{finding UUID}",
      "signature": "{finding signature}",
      "url": "{finding URL}",
      "title": "{finding title}",
      "found_at": "{found at URL}",
      "score": [
        {
          "version": "{CVSS version}",
          "score": "{CVSS score}",
          "vector": "{CVSS vector}"
        },
        ...
      ],
      "tags": [
        {
          "type": "{tag type}",
          "value": "{tag value}"
        },
        ...
      ]
    }
  • Detectify finding details - Contains complete information on the finding including description, OWASP category, request/response payload and vulnerable resources. Only available for the Enterprise plan.
    {
      "uuid": "{finding UUID}",
      "report_token": "{report token}",
      "scan_profile_token": "{scan profile token}",
      "url": "{finding URL}",
      "title": "{finding title}",
      "definition": {
        "uuid": "{definition UUID}",
        "description": "{description}",
        "risk": "{risk}",
        "references": [
          {
            "uuid": "{reference UUID}",
            "link": "{reference URL}",
            "name": "{reference name}",
            "source": "{reference source name}",
            "group": "{reference group}"
          },
          ...
        ]
      },
      "signature": "{finding signature}",
      "found_at": "{found at URL}",
      "timestamp": "{found at time}",
      "score": [
        {
          "version": "{CVSS version}",
          "score": "{CVSS score}",
          "vector": "{CVSS vector}"
        },
        ...
      ],
      "owasp": [
        {
          "year": "{OWASP classification year}",
          "classification": "{OWASP classification}"
        },
        ...
      ],
      "cwe": "{CWE ID}",
      "details": [
        {
          "uuid": "{detail UUID}",
          "type": "{detail type}",
          "name": "{detail name}",
          "value": "{detail value}"
        },
        ...
      ],
      "tags": [
        {
          "type": "{tag type}",
          "value": "{tag value}"
        },
        ...
      ],
      "target": "{target description depending on target type}",
      "vulnerable_resources": {
        "vulnerable_headers": [
          {
            "uuid": "{header UUID}",
            "name": "{header name}",
            "direction": "{header direction}"
          },
          ...
        ],
        "expected_headers": [
          {
            "uuid": "{header UUID}",
            "name": "{header name}",
            "direction": "{header direction}",
            "value": "{expected value}"
          },
          ...
        ],
        "vulnerable_variables": [
          {
            "uuid": "{variable UUID}",
            "name": "{variable name}",
            "method": "{HTTP method}"
          },
          ...
        ],
        "vulnerable_cookies": [
          {
            "uuid": "{cookie UUID}",
            "name": "{cookie name}"
          },
          ...
        ]
      },
      "command_lines": [
        {
          "uuid": "{command line UUID}",
          "unix": "{UNIX command line}",
          "windows": "{Windows command line}"
        },
        ...
      ],
      "highlights": [
        {
          "uuid": "{highlighted node UUID}",
          "field": "{highlighted field name}",
          "offset": "{highlight offset}",
          "length": "{highlight length}"
        },
        ...
      ]
    }

You can test your settings and once you are happy, confirm them by clicking Save. You are now good to go!


Need help?


If you’re experiencing problems with our Splunk integration, send an email with your details and a description of the issue to support@detectify.com and we will do our best to help.