Splunk

Connect Splunk to Radiant Security to forward alerts for AI triage.

Splunk is a SIEM platform that detects security threats by correlating logs and events across the enterprise. Connecting Splunk forwards alert actions to Radiant Security over a webhook.

Prerequisites

Add the data connector in Radiant Security

  1. Sign in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  3. Search for and select Splunk Webhook, then click Data Feeds.

  4. Click Credentials.

  5. In the Credential Name field, enter an identifiable name for this credential (e.g., Splunk - Credentials).

  6. Under Required Credentials, enter a value in the Connector tag field (e.g., webhook_connector).

  7. Click Add Connector.

  8. Open the newly created connector. Under Vendor Configuration, copy and save the Webhook URL value. You will need it in the Configure alert actions section.

  9. Click Add Connector to save your changes.

Configure the webhook allow list

Configure an allow list in Splunk so that Splunk can post to the Radiant webhook endpoint. The procedure depends on whether you use Splunk Enterprise or Splunk Cloud.

  1. In $SPLUNK_HOME/etc/system/local, edit the alert_actions.conf file. If alert_actions.conf does not exist, create it.

  2. In the [webhook] section, add the following entry for Radiant Security:
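
As an added example (not Radiant Security's or Splunk's own code), the following Python checker parses the [webhook] stanza of alert_actions.conf, verifies that the Webhook URL you copied from the connector is permitted by the allow list, and flags entries loose enough to let alert payloads be posted to an arbitrary host or over plain HTTP. It assumes Splunk's `param.allowlist.<name> = <regex>` syntax and full-match regex semantics; the conf text and the `RADIANT_WEBHOOK_HOST` placeholder are constructed.

```python
"""Check a Splunk alert_actions.conf webhook allow list against a target URL.

Added example, not Radiant Security's or Splunk's code. Assumes the
'param.allowlist.<name> = <regex>' syntax in the [webhook] stanza and that
Splunk applies each value as a full-match regular expression. The conf text
and the webhook host below are constructed placeholders.
"""
import re

# Constructed sample of $SPLUNK_HOME/etc/system/local/alert_actions.conf.
# RADIANT_WEBHOOK_HOST is a placeholder: derive the pattern from the
# Webhook URL copied from the connector's Vendor Configuration.
SAMPLE_CONF = """\
[webhook]
param.allowlist.radiant_security = https://RADIANT_WEBHOOK_HOST/hooks/[A-Za-z0-9-]+
"""

# Constructed canary used to detect patterns that match unrelated hosts.
CANARY_URL = "https://other.example/hooks/abc-123"


def parse_webhook_allowlist(conf_text):
    """Return {name: regex} for param.allowlist.* keys inside the [webhook] stanza."""
    allowlist = {}
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]          # track which stanza we are in
            continue
        if stanza != "webhook" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("param.allowlist."):
            allowlist[key[len("param.allowlist."):]] = value
    return allowlist


def url_allowed(allowlist, url):
    """True if any allow-list regex fully matches the URL (assumed Splunk semantics)."""
    return any(re.fullmatch(pattern, url) for pattern in allowlist.values())


def overly_permissive(allowlist):
    """Names of entries that permit plain HTTP or would accept an unrelated host."""
    flagged = []
    for name, pattern in allowlist.items():
        if not pattern.startswith("https://") or url_allowed({name: pattern}, CANARY_URL):
            flagged.append(name)
    return flagged
```

Run it with the allow list you actually deployed and the exact Webhook URL from the connector; an empty result from `overly_permissive` together with a true `url_allowed` is the expected state.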

Configure alert actions

  1. Sign in to Splunk with an admin account.

  2. Navigate to Apps > Search & Reporting > Alerts.

  3. For each alert you want to forward to Radiant Security:

    • Click Edit > Edit Alert.

    • Scroll to Trigger Actions.

    • Click Add Actions and select Webhook.

    • In the URL field, enter the Webhook URL you copied from Radiant Security.

  4. Click Save.

Verify ingestion

After Splunk begins forwarding, confirm alerts and events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"splunk_webhook".

  3. Confirm recent alerts and events appear.

Allow several minutes for alerts and events to be parsed, indexed, and available for search.
