Splunk Integration

Set up an integration to allow Sysdig runtime vulnerabilities to be fetched, triaged, and orchestrated by Splunk, using a Splunk Technical Add-On.

The Sysdig Vulnerability Management APIs are exposed through an official Splunk Technical Add-on (TA), available from Splunkbase, the Splunk app store: https://splunkbase.splunk.com/.

The Splunk TA extracts all Runtime (Workload and Host) scan results, so Security Operations Centers can ingest the vulnerability information produced by Sysdig into Splunk natively.

The Splunk TA for Sysdig Vulnerabilities is distinct from the one used for Event Forwarding.

Prerequisites

  • Splunk Enterprise 9.1.1+
  • Sysdig SaaS Platform with Vulnerability Management Scanning in Runtime (Workload and Host)
  • API access key with Vulnerability Management Scan Results authorization

Configure the Integration

Install from the Splunkbase Marketplace

  1. Log in to Splunk and search for Sysdig Vulnerabilities in Splunkbase.

  2. Select Sysdig Vulnerabilities and click Download, agreeing to the required terms and conditions.

    The .tgz file will be downloaded.

  3. In Splunk, click Apps and then Manage Apps from the dropdown.

  4. Click Install App from File.

  5. Click Choose File and select the .tgz file you downloaded from Splunkbase. If you are upgrading, check the box beside Upgrade app.

    The add-on will be imported. Splunk may need to restart.

  6. From Splunk’s main navigation menu, select Settings and then Indexes from the dropdown. Click on New Index.

  7. Enter an Index name, for example, ‘sysdig_vulnerabilities’, and ensure App is set to Sysdig Vulnerabilities.

  8. Click Save.

Sysdig Vulnerabilities should now be available under Apps in Splunk.

Create an Input

  1. Select Apps > Sysdig Vulnerabilities > Inputs > Create New Input.
  2. Fill out the form. The Index field should contain the Index name you chose earlier (‘sysdig_vulnerabilities’ in this example). Once it is filled out, click Add.

Splunk events will now be visible when you enter index="sysdig_vulnerabilities" in the search bar. Replace sysdig_vulnerabilities with the Index name you chose.