Integrate with Splunk

Set up an integration to allow Sysdig runtime vulnerabilities to be fetched, triaged, and orchestrated by Splunk, using a Splunk Technical Add-On.

The official Sysdig Splunk Technical Add-on (TA), available from the Splunk app store (Splunkbase), leverages the Sysdig APIs to extract the Vulnerability Management runtime findings for Workloads and Hosts. This allows Security Operation Centers to ingest vulnerability information produced by Sysdig into Splunk natively.

See Sysdig VM Splunk TA on Splunkbase for more information.

The Splunk TA for Sysdig Vulnerabilities is distinct from the one used for Event Forwarding. See Forwarding to Splunk.

Prerequisites

  • Splunk Enterprise 9.1.1+
  • Sysdig SaaS Platform with Vulnerability Management Scanning in Runtime (Workload and Host)
  • Secure API token with Vulnerability Management Scan Results authorization. See Service Accounts.

Configure the Integration

Install from the Splunkbase Marketplace

  1. Log in to Splunk and search for Sysdig in Splunkbase.

  2. Select Sysdig VM Splunk TA and click Download, agreeing to the required terms and conditions.

    The .tgz file will be downloaded.

  3. In Splunk, click Apps and then Manage Apps from the dropdown.

  4. Click Install App from File.

  5. Click Choose File and select the .tgz file you downloaded from Splunkbase. If you are upgrading, select Upgrade app.

    The add-on will be imported. Splunk may need to restart.

  6. From Splunk’s main navigation menu, select Settings and then Indexes from the dropdown. Click on New Index.

  7. Enter an Index name, for example, app_sysdig, and ensure App is set to Sysdig VM Splunk TA.

  8. Click Save.

    Sysdig VM Splunk TA should now be available under Apps in Splunk.

  9. Select Apps > Sysdig VM Splunk TA > Inputs > Create New Input.

  10. Specify the following:

  • Interval: The input frequency. Since it pulls a lot of data, Sysdig recommends using 86400 seconds (once per day).

  • Index: Enter the Index name you chose earlier. For example, app_sysdig.

  • Sysdig Secure Token: Add the access key mentioned in the Prerequisites.

  • NVD API Key: Provide a NVD API Key to retrieve vulnerability descriptions.

  • Sysdig Secure URL: Enter your Sysdig Secure URL based on your region (must include https://).

    Examples:

    • https://secure.sysdig.com
    • https://us2.app.sysdig.com
    • https://eu1.app.sysdig.com

  • Vulnerability details: Select the type of vulnerability details to include in the events. Available values:

    • package_data: Package data
    • nvd_data: NVD Data
    • vuln_description: Vulnerability Description, fetched from NVD

  1. Click Add.

View the Splunk events by entering index="app_sysdig" in the search bar.