Splunk Integration

Forward detection events to Splunk for centralized security monitoring, threat hunting, and SIEM dashboards.

Prerequisites

Splunk Cloud or Splunk Enterprise
HTTP Event Collector (HEC) enabled
HEC token with write access

Getting Splunk Credentials

Enable HTTP Event Collector

Log into Splunk Web
Go to Settings → Data Inputs
Click HTTP Event Collector
Click Global Settings
Set All Tokens to Enabled
Click Save

Create HEC Token

In HTTP Event Collector, click New Token
Enter name: “WebDecoy Integration”
Click Next
Select Input Settings:
- Source type: _json
- App context: search
- Index: Select your security index
Click Review → Submit
Copy the generated token

Configuring Integration

Go to Integrations → Splunk
Click Add Splunk Integration
Enter:

Field Description
HEC URL Your Splunk HEC endpoint
HEC Token HTTP Event Collector token
Index Target index (optional)
Source Event source identifier
Configure event forwarding:

Setting Description
Forward all detections Every detection as an event
Forward high risk Only critical detections
Include raw data Include full detection payload
Click Connect

Field	Description
HEC URL	Your Splunk HEC endpoint
HEC Token	HTTP Event Collector token
Index	Target index (optional)
Source	Event source identifier

Setting	Description
Forward all detections	Every detection as an event
Forward high risk	Only critical detections
Include raw data	Include full detection payload

HEC URL Format

Deployment	URL Format
Splunk Cloud	`https://http-inputs-<stack>.splunkcloud.com:443`
Splunk Enterprise	`https://<your-server>:8088`
Splunk Cloud Classic	`https://input-<stack>.cloud.splunk.com:443`

Event Format

Detections are sent as JSON events to Splunk:

{
  "time": 1705315800,
  "host": "webdecoy",
  "source": "webdecoy",
  "sourcetype": "_json",
  "index": "security",
  "event": {
    "detection_id": "det_abc123",
    "detection_type": "decoy_link",
    "ip_address": "192.168.1.100",
    "threat_score": 85,
    "threat_level": "critical",
    "mitre_tactic": "reconnaissance",
    "mitre_technique": "T1595",
    "path": "/admin/backup.zip",
    "user_agent": "Mozilla/5.0...",
    "country": "US",
    "city": "New York",
    "is_bot": true,
    "is_vpn": false,
    "property_id": "prop_def456",
    "property_name": "production_site",
    "timestamp": "2025-01-15T10:30:00Z"
  }
}

Event Fields

Field	Type	Description
`detection_id`	string	Unique detection identifier
`detection_type`	string	`decoy_link`, `bot_scanner`, `endpoint`
`ip_address`	string	Source IP address
`threat_score`	number	Risk score (0-100)
`threat_level`	string	`minimal`, `low`, `medium`, `high`, `critical`
`mitre_tactic`	string	MITRE ATT&CK tactic
`mitre_technique`	string	MITRE technique ID
`path`	string	Requested path
`user_agent`	string	Browser/client user agent
`country`	string	GeoIP country code
`city`	string	GeoIP city
`is_bot`	boolean	Bot detection result
`is_vpn`	boolean	VPN/proxy detected
`property_id`	string	Property identifier
`property_name`	string	Property display name
`timestamp`	string	ISO 8601 timestamp

Splunk Searches

Basic Detection Search

index=security source=webdecoy
| stats count by threat_level

High-Risk Detections

index=security source=webdecoy threat_level IN ("high", "critical")
| table _time, ip_address, path, threat_score, mitre_tactic
| sort - threat_score

Detection Trends

index=security source=webdecoy
| timechart span=1h count by detection_type

Top Attacking IPs

index=security source=webdecoy
| stats count, avg(threat_score) as avg_score by ip_address
| sort - count
| head 20

Bot Activity

index=security source=webdecoy is_bot=true
| stats count by ip_address, user_agent
| sort - count

Geographic Distribution

index=security source=webdecoy
| iplocation ip_address
| geostats count by Country

MITRE ATT&CK Analysis

index=security source=webdecoy
| stats count by mitre_tactic, mitre_technique
| sort - count

Building Dashboards

Recommended Panels

Detection Overview:

index=security source=webdecoy
| timechart span=1h count by threat_level

Threat Level Distribution:

index=security source=webdecoy
| stats count by threat_level
| sort - count

Top Decoy Paths:

index=security source=webdecoy detection_type=decoy_link
| stats count by path
| sort - count
| head 10

Real-Time Detection Feed:

index=security source=webdecoy
| table _time, ip_address, threat_level, path, threat_score
| sort - _time
| head 50

Sample Dashboard XML

<dashboard>
  <label>WebDecoy Security Dashboard</label>
  <row>
    <panel>
      <title>Detections Over Time</title>
      <chart>
        <search>
          <query>index=security source=webdecoy | timechart span=1h count by threat_level</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
    <panel>
      <title>Threat Level Breakdown</title>
      <chart>
        <search>
          <query>index=security source=webdecoy | stats count by threat_level</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top Attacking IPs</title>
      <table>
        <search>
          <query>index=security source=webdecoy | stats count, max(threat_score) as max_score by ip_address | sort - count | head 10</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>MITRE ATT&CK Tactics</title>
      <chart>
        <search>
          <query>index=security source=webdecoy | stats count by mitre_tactic | sort - count</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</dashboard>

Alerting

High-Risk Detection Alert

Create a saved search with alerting:

index=security source=webdecoy threat_level=critical
| stats count
| where count > 0

Alert settings:

Schedule: Every 5 minutes
Trigger: When number of results > 0
Action: Send email / Slack / PagerDuty

Detection Spike Alert

index=security source=webdecoy
| timechart span=5m count as detection_count
| streamstats window=12 avg(detection_count) as avg_count stdev(detection_count) as stdev_count
| eval threshold = avg_count + (3 * stdev_count)
| where detection_count > threshold

Bot Attack Alert

index=security source=webdecoy is_bot=true
| stats dc(ip_address) as unique_bots count as total_requests by property_name
| where total_requests > 100

New Attacker Alert

index=security source=webdecoy threat_level IN ("high", "critical")
| stats earliest(_time) as first_seen count by ip_address
| where first_seen > relative_time(now(), "-1h")

Correlation Rules

Correlate with Other Security Data

index=security (source=webdecoy OR source=firewall OR source=ids)
| eval event_source=source
| stats count by ip_address, event_source
| xyseries ip_address event_source count

Multi-Stage Attack Detection

index=security source=webdecoy
| transaction ip_address maxspan=1h
| where eventcount > 3
| table ip_address, eventcount, duration, path

Enterprise Security Integration

If using Splunk Enterprise Security (ES):

Notable Event Creation

Configure WebDecoy events to create ES notable events:

Go to Configure → Content → Content Management
Create new correlation search

Use search:

index=security source=webdecoy threat_level=critical
| eval src=ip_address, dest=property_name

Enable adaptive response action: Create Notable Event

Threat Intelligence

Integrate WebDecoy IPs with threat intel:

index=security source=webdecoy
| lookup threat_intel ip AS ip_address OUTPUT threat_category
| where isnotnull(threat_category)

Best Practices

Do’s

✅ Use a dedicated security index
✅ Set appropriate retention policies
✅ Create role-based access to WebDecoy data
✅ Build dashboards for security operations
✅ Set up alerts for critical detections
✅ Correlate with other security data

Don’ts

❌ Forward to main index (use security index)
❌ Ignore index sizing for high-volume events
❌ Skip HEC token rotation
❌ Use admin credentials for HEC token

Troubleshooting

Events Not Appearing

Verify HEC URL is correct
Check HEC token is valid and enabled

Test HEC endpoint directly:

curl -k "https://<hec-url>/services/collector" \
  -H "Authorization: Splunk <token>" \
  -d '{"event": "test"}'

Check target index exists and has capacity
Verify source type settings

Authentication Errors

Regenerate HEC token
Verify token hasn’t been disabled
Check token permissions include target index
Ensure Global Settings has tokens enabled

Performance Issues

Enable indexer acknowledgment for reliability
Consider using multiple HEC endpoints for load balancing
Batch events if high volume
Monitor HEC queue size

SSL Certificate Errors

Verify certificate chain is complete
For self-signed certs, add CA to trust store
Use correct port (8088 for Enterprise, 443 for Cloud)

Next Steps

CrowdStrike - Falcon LogScale integration
Datadog - Alternative SIEM option
Overview - All integrations