To incorporate Lacework events into your existing workflow, Lacework can be configured to forward alerts to Splunk using an HTTP Event Collector.
Lacework forwards events to Splunk using a destination port of either 80 or 443. If you have Splunk configured to use another port, for example, 8088, you will need to setup port forwarding.
To create a Splunk HTTP Event Collector:
- Navigate to Settings > Data Inputs
- In the HTTP Event Collector row, click [+ Add new]
- On the Select Source page:
- Provide a name for your token
- Optionally, override the default source name and provide a description. [For example, "lacework_events" and "HEC for Lacework Events"]
- Optionally, specify an Output Group
- Click the [Next] button on the top of the page
- On the Input Settings page
- Specify a Source type or leave as automatic. Lacework sends the data as json, so you can explicitly choose _json under Structured.
- Choose an App Context as applicable to your Splunk design and use
- Choose Indexes as applicable to your Splunk design and use
- Click the [Review] button on the top of the page
- On the Review page
- Review your inputs and click the [Submit] button on the top of the page
You should see the message Token has been created successfully. You will need the token, index, source and resolvable hostname or IP address of your Splunk instance.
From the Lacework UI, select Integrations > Splunk
- Click the [+ Add Integration] button
- Provide a name for your integration
- Enter your Splunk HEC token
- Optionally, enter a Splunk channel
- Enter the resolvable hostname or IP address of your Splunk instance
- Enter the destination port to which you will be forwarding events [80 or 443]
- Check the SSL box as appropriate
- Enter your Splunk index
- Enter your Splunk source
- Select an alert severity level - Lacework will only forward events that meet or exceed the chosen threshold
- Click the [Save] button
To test your Integration, click the [Test Integration] button. You should see a positive affirmation of the test and a single event sent to Splunk with the field-value pair of 'host :login.lacework.net'. You will now begin to receive Lacework event notifications in Splunk.