This feature is coming soon.
Automated Evidence Collection (AEC) now supports pulling alert and triggered alert data from Splunk (both Splunk Enterprise and Splunk Cloud) on demand or on a recurring schedule, helping you centralize continuous monitoring evidence in Risk Cloud.
Prerequisites
To enable the Splunk source for AEC, reach out to your account team or LogicGate support.
System Requirements
To connect Splunk to LogicGate for Automated Evidence Collection, ensure the following requirements are met:
1. Splunk Environment
A Splunk Enterprise or Splunk Cloud instance is required.
Splunk Cloud Trial accounts are not supported for API connectivity.
The connector supports both Basic Authentication and Token-based Authentication.
The account used for API connectivity must have the admin role (or equivalent custom role) to allow retrieval of alerts across all apps and users.
Follow the Managing user roles guide in Splunk for details on configuring roles.
2. Authentication Requirements
Token-based Authentication
A valid Splunk authentication token is required.
Follow the Splunk Security Manual to create authentication tokens.
Basic Authentication
A valid Splunk username (e.g., admin) and password are required. See the Splunk Admin Manual for user and role setup.
3. API Access
- You must know your Splunk Management API Base URL:
Example (Enterprise): https://<your-hostname>:8089
Example (Cloud): https://<deployment-name>.splunkcloud.com:8089
- For Splunk Cloud, you must:
Use Splunk Admin Config Service (ACS) to whitelist inbound traffic from Workato IPs.
Allow outbound traffic to Workato Webhook Endpoint IPs.
4. TLS / Certificates
If your Splunk server uses a self-signed certificate or custom root CA, provide the certificate in PEM format.
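The three requirements above (authentication method, management API base URL on port 8089, and a PEM certificate for a self-signed or custom CA) are the same inputs any client needs before it can talk to Splunk's management API. The following preflight script is an added example, not LogicGate's or Splunk's own code: it normalizes the base URL, builds the Authorization header for either Token-based or Basic Authentication, constructs a TLS context that trusts a supplied PEM file, and parses the two kinds of data the connector collects. It assumes the standard Splunk REST endpoints /services/saved/searches and /services/alerts/fired_alerts with output_mode=json and the attribute names disabled, alert.track and triggered_alert_count; the sample responses embedded in it are constructed, and only the network call at the bottom needs a live server.

```python
"""Preflight checks for the Splunk side of an AEC connection (added example).

Assumptions: Python standard library only; Splunk management API endpoints
/services/saved/searches and /services/alerts/fired_alerts with
output_mode=json; the sample payloads below are constructed, not captured.
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlparse

MANAGEMENT_PORT = 8089  # Splunk management (REST) port used in the page's examples


def normalize_base_url(url: str) -> str:
    """Return https://host:port with no trailing path; reject non-HTTPS URLs."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("the management API must be reached over https")
    if not parsed.hostname:
        raise ValueError("missing hostname")
    port = parsed.port or MANAGEMENT_PORT  # default to 8089 when omitted
    return f"https://{parsed.hostname}:{port}"


def auth_header(token: str = None, username: str = None, password: str = None) -> dict:
    """Authorization header for Token-based (Bearer) or Basic Authentication."""
    if token:
        return {"Authorization": f"Bearer {token}"}
    if username and password:
        raw = f"{username}:{password}".encode("utf-8")
        return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
    raise ValueError("provide either a token or a username and password")


def tls_context(ca_pem_path: str = None) -> ssl.SSLContext:
    """Verifying TLS context; optionally trust a custom or self-signed CA (PEM)."""
    ctx = ssl.create_default_context()  # hostname and chain verification stay on
    if ca_pem_path:
        ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx


def _is_on(value) -> bool:
    """Splunk renders flags as '0'/'1', 'true'/'false' or JSON booleans."""
    return str(value).lower() in ("1", "true")


def tracked_enabled_alerts(payload: dict) -> list:
    """Names of saved searches that are enabled and have alert tracking turned on."""
    names = []
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        if not _is_on(content.get("disabled", "0")) and _is_on(content.get("alert.track", "0")):
            names.append(entry["name"])
    return names


def fired_alert_counts(payload: dict) -> dict:
    """Map alert name -> triggered_alert_count from /services/alerts/fired_alerts."""
    return {e["name"]: int(e.get("content", {}).get("triggered_alert_count", 0))
            for e in payload.get("entry", [])}


def fetch_json(base_url: str, path: str, headers: dict, ctx: ssl.SSLContext) -> dict:
    """GET a management API path and decode the JSON body (needs a live server)."""
    req = urllib.request.Request(f"{base_url}{path}?output_mode=json", headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses in the shape of Splunk's JSON output mode.
SAMPLE_SAVED_SEARCHES = {"entry": [
    {"name": "Failed logins spike", "content": {"disabled": "0", "alert.track": "1"}},
    {"name": "Legacy report", "content": {"disabled": "0", "alert.track": "0"}},
    {"name": "Old alert", "content": {"disabled": "1", "alert.track": "1"}},
]}
SAMPLE_FIRED = {"entry": [
    {"name": "Failed logins spike", "content": {"triggered_alert_count": "3"}},
]}

if __name__ == "__main__":
    # Offline demonstration against the constructed payloads.
    print(normalize_base_url("https://splunk.example.internal:8089/"))
    print(auth_header(token="<your-token>"))
    print(tracked_enabled_alerts(SAMPLE_SAVED_SEARCHES))
    print(fired_alert_counts(SAMPLE_FIRED))
    # Live check (uncomment with real values):
    # base = normalize_base_url("https://<your-hostname>:8089")
    # hdrs = auth_header(token="<your-token>")
    # print(fetch_json(base, "/services/saved/searches", hdrs, tls_context("ca.pem")))
```

Running the live check with the account intended for the connector confirms the three prerequisites together: the PEM file is accepted by the TLS context, the token or credentials are accepted by the management port, and the role can list saved searches across apps rather than only the caller's own.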
Connect to Splunk
Follow these steps to connect your Splunk source to Risk Cloud for automated evidence collection:
Navigate to Compliance > Evidence Sources.
Scroll to the Other Sources section and locate Splunk Source.
Click the gear icon to configure. Authenticate using one of the supported methods (Token-based or Basic Authentication).
Please note: Risk Cloud requires only read-only access to Splunk data.
Once setup is complete, the connected Splunk source will appear with an Enabled status.
Use the gear icon to disconnect or reconnect the integration at any time.
Set up AEC using the Splunk Source
Once your Splunk source is connected and enabled, follow the steps in Create and Configure AEC Automations. The evidence query options supported today are:
Get List of Enabled and Tracked Alerts – Collects Splunk alert configurations.
Get List of Active Triggered Alerts – Collects instances of alerts triggered in Splunk.
✅ Congratulations! You’ve successfully set up Automated Evidence Collection using Splunk!