Webhook Splunk CII Integration

2025.07.28

Overview

To set up the integration between Splunk and Cisco Identity Intelligence (CII), follow the Setup Guide section of this document. The integration uses the Splunk HTTP Event Collector (HEC), which receives event data in real time, so it is suited to streaming events directly from Cisco Identity Intelligence to Splunk. Before implementing it, construct the correct HEC URL and make sure authentication and the endpoint are configured properly.

Prerequisites

Before you begin, please ensure you have the following:

  1. Administrative access to your Cisco Identity Intelligence instance

  2. Administrative access to your Splunk Enterprise or Splunk Cloud instance (minimum Cisco Security Cloud app version 3.0.0; Splunk Enterprise or Splunk Cloud 9.1, 9.2, 9.3 or 9.4)

  3. The Cisco Security Cloud application installed from Splunkbase

  4. Appropriate permissions to configure a Splunk HTTP Event Collector (HEC)

Setup Guide

  1. Log in to your Splunk Enterprise or Splunk Cloud instance and select Cisco Security Cloud from the Apps section

  2. Under the Cisco Products section, go to Cisco Identity Intelligence and click Configure Application

  3. To get the HTTP Event Collector parameters, follow the instructions under the Set up Guide in the Splunk app for CII section.

CII API Credentials

You will need API credentials from CII to complete the setup. To generate Cisco Identity Intelligence API credentials, follow the steps below:

  1. Sign in to Cisco Identity Intelligence

  2. Go to the Integrations tab and click Add Integration

  3. Scroll down and click Add API Client

  4. Provide a Name and Description

  5. Click Save and generate credentials

  6. Once saved, click Copy all to copy the credentials to a secure location for use in the Splunk app.

  7. Go back to Splunk and paste the copied credentials under the Cisco Identity Intelligence API Credentials section

  8. Once the API credentials are entered, the next step is to select the connection method. Select Webhook as the connection method from the drop-down list.

  9. Next, enter the Splunk HTTP Event Collector (HEC) URL. This URL will receive the incoming events from Cisco Identity Intelligence, so make sure it is correct and properly formatted. Once confirmed, click Save.

Troubleshooting

Required Permissions: Ensure you have sc_admin or equivalent permissions in Splunk.

Part 1: Basic HEC Setup and Direct curl Test

This checks if your Splunk HEC is configured and listening.

Enable and Configure HTTP Event Collector (HEC) in Splunk

  1. Navigate to Settings > Data Inputs.

  2. Under "Local Inputs", click on HTTP Event Collector.

  3. If HEC is not enabled, click Global Settings in the top right.

    1. Toggle All Tokens to "Enabled".

    2. Optionally, set a Source type and Default index for all HEC inputs.

    3. Click Save.

  4. Back on the HTTP Event Collector page, click New Token to create a new HEC token.

  5. Give your token a Name (e.g., HEC_Test_Token).

  6. (Optional) Set Source type, Input settings (e.g., index, host field value). For a basic test, default settings are often fine.

  7. Click Review, then Submit.

  8. After the token is created, Splunk will display the Token Value. Copy the Token Value.

Construct Your HEC Endpoint URL

  1. The HEC endpoint URL typically follows this format: https://<your-splunk-host>:8088/services/collector/event

  2. Replace <your-splunk-host> with the hostname or IP address of your Splunk instance.

  3. The default HEC port is 8088. Ensure this port is open on your Splunk server and accessible from where you are running the curl command.

  4. For example, if your Splunk host is splunk.example.com, your URL would be https://splunk.example.com:8088/services/collector/raw

Send a Test Event using curl

  1. Open a terminal or command prompt on a machine that has network access to your Splunk instance.

  2. Use the following curl command, replacing {Token Value} and {HEC URL} with your specific details:

     curl -k -H "Authorization: Splunk {Token Value}" -d '{"event": "Hello, Splunk HEC Test!"}' {HEC URL}

  3. URI Formats for Splunk Cloud Platform:

    1. Standard URI format for Splunk Cloud Platform free trials: https://http-inputs-example.splunkcloud.com:8088/services/collector/raw

    2. Standard URI format for Splunk Cloud Platform: https://http-inputs-example.splunkcloud.com:443/services/collector/raw

    3. Standard URI format for Splunk Cloud Platform on Google Cloud: https://http-inputs.example.splunkcloud.com:443/services/collector/raw

    4. Standard URI format for Splunk Cloud FedRAMP Moderate on AWS GovCloud: https://http-inputs.example.splunkcloudgc.com:443/services/collector/raw

  4. URI Formats for Splunk Enterprise: Standard URI format: https://splunkexample.link:8088/services/collector/raw


Verify Success

  1. A successful response is {"text":"Success","code":0}.

  2. Search in Splunk for the event: index=<your_index> "Hello, Splunk HEC Test!"
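The URL construction, curl test and success check above, as an added shell example that is not part of the Cisco or Splunk documentation. It assumes the operator supplies the host and token through the SPLUNK_HOST and HEC_TOKEN environment variables (names chosen here, with optional SPLUNK_PORT, HEC_ENDPOINT and HEC_CACERT), and its endpoint argument selects either the /event or the /raw path, both of which appear on this page.

```shell
#!/bin/sh
# Added example, not from the Cisco or Splunk documentation: build the HEC URL,
# send the guide's test event, and check the reply for the documented success code.
# Assumed inputs: SPLUNK_HOST, HEC_TOKEN and optional SPLUNK_PORT, HEC_ENDPOINT, HEC_CACERT.

# Build https://<host>:<port>/services/collector/<endpoint>.
# <endpoint> is "event" (JSON events) or "raw" (unparsed data), the two paths on this page.
build_hec_url() {
  host="$1"; port="${2:-8088}"; endpoint="${3:-event}"
  case "$endpoint" in
    event|raw) ;;
    *) echo "unsupported HEC endpoint: $endpoint" >&2; return 1 ;;
  esac
  printf 'https://%s:%s/services/collector/%s\n' "$host" "$port" "$endpoint"
}

# Succeed only when the JSON reply carries "code":0, i.e. {"text":"Success","code":0}.
# Any other code means HEC rejected the event (for example 4 = Invalid token,
# 7 = Incorrect index); grep is used so no JSON parser is required.
hec_reply_ok() {
  printf '%s' "$1" | grep -Eq '"code"[[:space:]]*:[[:space:]]*0[^0-9]'
}

# Send the test event. $1 = HEC URL, $2 = token, $3 = CA bundle path (optional).
# Without a CA bundle this falls back to curl -k (no certificate check), as in
# the guide; that is acceptable for a lab test only, so pass the bundle in production.
send_test_event() {
  url="$1"; token="$2"; cacert="$3"
  if [ -n "$cacert" ]; then set -- --cacert "$cacert"; else set -- -k; fi
  reply=$(curl -sS "$@" -H "Authorization: Splunk $token" \
    -d '{"event": "Hello, Splunk HEC Test!"}' "$url") || return 1
  if hec_reply_ok "$reply"; then
    echo "HEC accepted the event: $reply"
  else
    echo "HEC rejected the event: $reply" >&2
    return 1
  fi
}

# Usage: SPLUNK_HOST=splunk.example.com HEC_TOKEN=<token> sh hec_test.sh
# Nothing is sent unless both variables are set.
if [ -n "$SPLUNK_HOST" ] && [ -n "$HEC_TOKEN" ]; then
  send_test_event "$(build_hec_url "$SPLUNK_HOST" "$SPLUNK_PORT" "$HEC_ENDPOINT")" \
    "$HEC_TOKEN" "$HEC_CACERT"
fi
```

After a successful send, run the search from step 2 above to confirm the event was indexed and not merely accepted.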

Part 2: Troubleshooting External System Integration

  1. If the Splunk input was successfully created and the webhook on Cisco Identity Intelligence (CII) was also created, you can proceed with a connectivity test.

  2. However, if no data appears in Splunk after the test, the likely cause is IP allowlisting.

  3. To accept the incoming data, Splunk may require the CII IP addresses to be added to its allowlist (whitelist).

  4. In some cases, adding a broad range such as 0.0.0.0/0 to the allowlist might be considered temporarily for testing, but this is not recommended for production due to security risks.

  5. For secure and successful data ingestion, obtain the precise CII cloud IP addresses or ranges from Cisco (https://docs.oort.io/integrations/webhooks) and include only those in the Splunk allowlist. Specifically, add the AWS IP ranges for your Duo-CII region (e.g. Europe) as outlined there.
