Splunk Integration

Set up an integration to allow Sysdig runtime vulnerabilities to be fetched, triaged, and orchestrated by Splunk, using a Splunk Technical Add-On.

The Sysdig Vulnerability Management APIs have been extended to an official Splunk Technical Add-on (TA) that can be used from the Splunk app store, Splunkbase. Find the Sysdig VM Splunk TA on Splunkbase.

The Splunk TA enables you to extract all Runtime (Workload and Host) scan results. This allows Security Operations Centers to ingest vulnerability information produced by Sysdig into Splunk natively.

The Splunk TA for Sysdig Vulnerabilities is distinct from the one used for Event Forwarding. See Forwarding to Splunk.

Prerequisites

  • Splunk Enterprise 9.1.1+
  • Sysdig SaaS Platform with Vulnerability Management scanning in Runtime (Workload and Host)
  • Sysdig Secure API token with Vulnerability Management Scan Results authorization. See Service Accounts.
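
Before creating the input in Splunk, it is worth confirming that the token from the Prerequisites is accepted by Sysdig and actually carries the Scan Results authorization, since an input configured with a token that lacks it will simply produce no events. The following pre-flight script is an added example, not part of the Sysdig or Splunk documentation or of the TA itself. It assumes the runtime scan results are served at the path `/secure/vulnerability/v1/runtime-results` under your regional Sysdig API URL, that the API uses `Authorization: Bearer <token>`, and that the response carries a `data` list and a `page` object; confirm these against the Sysdig API reference for your region. The environment variable names `SYSDIG_API_URL` and `SYSDIG_SECURE_TOKEN` are chosen for this example.

```python
"""Pre-flight check for the Sysdig VM Splunk TA prerequisites.

Added example, not part of the Sysdig or Splunk documentation. The API path,
header scheme and response shape below are assumptions; verify them against
the Sysdig API reference for your region.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Assumed API path for runtime (workload and host) scan results.
RUNTIME_RESULTS_PATH = "/secure/vulnerability/v1/runtime-results"


def build_request(api_url: str, token: str, limit: int = 1) -> urllib.request.Request:
    """Build the authenticated GET request the TA's input needs to succeed."""
    url = f"{api_url.rstrip('/')}{RUNTIME_RESULTS_PATH}?limit={limit}"
    return urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )


def classify_status(status: int) -> str:
    """Map an HTTP status to the prerequisite it satisfies or violates."""
    if status == 200:
        return "ok: token accepted and runtime scan results are readable"
    if status == 401:
        return "fail: token rejected (wrong token, or wrong regional API URL)"
    if status == 403:
        # Assumption: a valid token without the Scan Results permission is refused with 403.
        return "fail: token valid but lacks Vulnerability Management Scan Results authorization"
    if status == 404:
        return "fail: endpoint not found (check the assumed path and the regional API URL)"
    return f"fail: unexpected HTTP {status}"


def summarize_results(body: dict) -> dict:
    """Count results in one page of the (assumed) response shape {"data": [...], "page": {...}}."""
    data = body.get("data", [])
    page = body.get("page", {})
    return {"results_in_page": len(data), "has_more": bool(page.get("next"))}


def check(api_url: str, token: str) -> tuple:
    """Call the endpoint once and return (verdict, summary-or-None)."""
    req = build_request(api_url, token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.loads(resp.read().decode("utf-8"))
            return classify_status(resp.status), summarize_results(body)
    except urllib.error.HTTPError as e:       # server answered with an error status
        return classify_status(e.code), None
    except urllib.error.URLError as e:        # DNS / TLS / connection failure
        return f"fail: could not reach {req.full_url}: {e.reason}", None


if __name__ == "__main__":
    api_url = os.environ.get("SYSDIG_API_URL", "https://<region>.app.sysdig.com")
    token = os.environ.get("SYSDIG_SECURE_TOKEN", "")
    verdict, summary = check(api_url, token)
    print(verdict, summary or "")
    sys.exit(0 if verdict.startswith("ok") else 1)
```

Run it with `SYSDIG_API_URL` set to your regional Sysdig API URL and `SYSDIG_SECURE_TOKEN` set to the service-account token; a 403 verdict means the token exists but the service account needs the Scan Results permission before the TA input will return anything, while a 401 usually points at the wrong region.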

Configure the Integration

Install from the Splunkbase Marketplace

  1. Log in to Splunk and search for Sysdig in Splunkbase.

  2. Select Sysdig VM Splunk TA and click Download, agreeing to the required terms and conditions.

    The .tgz file will be downloaded.

  3. In Splunk, click Apps and then Manage Apps from the dropdown.

  4. Click Install App from File.

  5. Click Choose File and select the .tgz file you downloaded from Splunkbase. If you are upgrading, check the box beside Upgrade app.

    The add-on will be imported. Splunk may need to restart.

  6. From Splunk’s main navigation menu, select Settings and then Indexes from the dropdown. Click on New Index.

  7. Enter an Index name, for example, “app_sysdig”, and ensure App is set to Sysdig VM Splunk TA.

  8. Click Save.

    Sysdig VM Splunk TA should now be available under Apps in Splunk.

  9. Select Apps > Sysdig VM Splunk TA > Inputs > Create New Input.

  10. Fill out the form:

  • Interval: The polling frequency in seconds. Since each run pulls a lot of data, we recommend 86400 seconds, or once per day.
  • Index: Enter the Index name you chose earlier (“app_sysdig” in this example).
  • Sysdig Secure Token: Enter the Sysdig Secure API token mentioned in the Prerequisites.

  11. Once it is filled out, click Add.

Splunk events will now be visible if you enter index="sysdig_vulnerabilities" in the search bar, replacing sysdig_vulnerabilities with the index name you chose (“app_sysdig” in the example above).