You can configure Lacework to forward alerts to Splunk using an HTTP Event Collector.
Create a Splunk HTTP Event Collector
- Navigate to Settings > Data Inputs.
- In the HTTP Event Collector row, click + Add new.
- On the Select Source page:
  - Provide a name for your token.
  - Optionally, override the default source name and provide a description. For example, "lacework_alerts" and "HEC for Lacework Alerts".
  - Optionally specify an Output Group.
- At the top of the page, click Next.
- On the Input Settings page:
  - Specify a Source type or leave it as automatic. Lacework sends the data as JSON, so you can explicitly choose _json under Structured.
  - Choose an App Context as applicable to your Splunk design and use.
  - Choose Indexes as applicable to your Splunk design and use.
- At the top of the page, click Review.
- On the Review page, review your inputs, and click Submit at the top of the page.
You should see the message "Token has been created successfully." You will need the token, the index, the source, and the resolvable hostname or IP address of your Splunk instance.
Create a Lacework Alert Channel
After you create your Splunk HTTP event collector, return to the Lacework Console and complete the following steps:
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Navigate to Settings > Alert Routing > Alert Channels.
- Click + Create New.
- Select Splunk.
- Name the channel.
- Enter your Splunk HEC token.
- Optionally enter a Splunk channel.
- Enter the resolvable hostname or IP address of your Splunk instance (such as https-inputs-<customer>.splunkcloud.com). Do not include the port number or an https:// or http:// prefix, and omit /services/collector at the end of the hostname or IP address.
- Enter the destination port for forwarding events (80 or 443).
- Check the SSL box if appropriate.
- Enter your Splunk index.
- Enter your Splunk source.
- Click Save.
- Click Alert Rules and configure your required alert routing details/options by leveraging the alert channel you created.
To test your channel, click Test. You should see a confirmation that the test succeeded and a single alert sent to Splunk with the field-value pair host: login.lacework.net. You should then start to receive Lacework alert notifications in Splunk.
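Before pointing Lacework at the collector, it is worth confirming from the command line that the HEC token, index and hostname you collected above actually accept an event. The script below is an added example, not part of the Lacework or Splunk documentation; it normalises a host string the way the alert channel form expects (no scheme, no port, no trailing /services/collector), builds the HEC event URL from the same port and SSL choices the form asks for, and posts one constructed JSON event with curl. The host, token, index and source values are placeholders.

```shell
#!/bin/sh
# Added example: verify a Splunk HEC endpoint with curl before creating the
# Lacework alert channel. All values below are constructed placeholders.
SPLUNK_HOST="https-inputs-<customer>.splunkcloud.com"   # hostname only, as in the channel form
SPLUNK_PORT=443                                          # 80 or 443, as in the channel form
SPLUNK_SSL=1                                             # 1 = SSL box checked, 0 = unchecked
HEC_TOKEN="<hec-token>"                                  # token from "Token has been created successfully"
HEC_INDEX="main"                                         # index chosen on the Input Settings page
HEC_SOURCE="lacework_alerts"                             # source name given to the token

# Reduce a pasted value to the bare hostname or IPv4 address the Lacework form
# wants: strip an http:// or https:// prefix, anything from the first slash on
# (which covers /services/collector), and a trailing :port.
bare_host() {
  h=$1
  h=${h#https://}
  h=${h#http://}
  h=${h%%/*}
  h=${h%:[0-9]*}
  printf '%s\n' "$h"
}

# Build the HEC event endpoint from host, port and SSL flag, mirroring the
# three fields the alert channel form collects separately.
hec_url() {
  if [ "$3" = 0 ]; then scheme=http; else scheme=https; fi
  printf '%s://%s:%s/services/collector/event\n' "$scheme" "$(bare_host "$1")" "$2"
}

# Post one test event with the same index and source you will enter in Lacework
# and print only the HTTP status. 200 means the collector accepted the event;
# a 4xx status points at the token, index or sourcetype settings.
send_test_event() {
  url=$(hec_url "$SPLUNK_HOST" "$SPLUNK_PORT" "$SPLUNK_SSL")
  body="{\"index\":\"$HEC_INDEX\",\"source\":\"$HEC_SOURCE\",\"sourcetype\":\"_json\","
  body="$body\"event\":{\"message\":\"HEC connectivity check before enabling Lacework alerts\"}}"
  curl -sS -o /dev/null -w '%{http_code}\n' \
    -H "Authorization: Splunk $HEC_TOKEN" \
    -H 'Content-Type: application/json' \
    -d "$body" "$url"
}

# Only reach out to the network when explicitly asked, so the helpers can be
# sourced and inspected without sending anything.
if [ "${RUN_HEC_TEST:-0}" = 1 ]; then send_test_event; fi
```

Run it as `RUN_HEC_TEST=1 sh hec_check.sh` after filling in the placeholders; a 200 from the collector means the same values will work in the Lacework channel form.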