# Webhook Splunk Integration

## Overview

To set up the integration between Splunk and Cisco Identity Intelligence, refer to the Setup Guide section of this document. The integration uses the Splunk HTTP Event Collector (HEC), which receives event data in real time, making it suitable for streaming events directly from Cisco Identity Intelligence to Splunk. Before implementing it, construct the appropriate HEC URL and make sure that authentication and the endpoint configuration are correct.

### Prerequisites

Before you begin, please ensure you have the following:

1. Administrative access to your **Cisco Identity Intelligence**
2. Administrative access to your **Splunk Enterprise** or **Splunk Cloud** instance (requires Cisco Security Cloud version 3.0.0 or later; supported Splunk Enterprise and Splunk Cloud versions: 9.4, 9.3, 9.2, 9.1)
3. The [Cisco Security Cloud](https://splunkbase.splunk.com/app/7404) application installed from Splunkbase
4. Appropriate permissions to configure a Splunk HTTP Event Collector (HEC)

## Setup Guide

1. Log in to your Splunk Enterprise or Splunk Cloud instance and select Cisco Security Cloud from the Apps section.

2. Under the Cisco Products section, go to Cisco Identity Intelligence and click Configure Application.

   <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F6e7YfXdu8SI8lVw7jGAF%2Fimage.png?alt=media&#x26;token=c62f95dc-97d9-4951-98a1-a1453329dfec" alt=""><figcaption></figcaption></figure>

3. To get the **HTTP Event Collector parameters**, follow the instructions under the **Set up Guide** in the Identity Intelligence section of the Splunk app.

#### Identity Intelligence API Credentials

You will need **API credentials** from Identity Intelligence to complete the setup. To generate Identity Intelligence API credentials, follow the steps below:

4. Sign in to Cisco Identity Intelligence.
5. Go to the Integrations tab and click Add Integration.
6. Scroll down and click Add API Client.
7. Provide a Name and Description.
8. Click **Save and generate credentials**.

   <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FaT35BiTxvmNdyzcK8NZM%2Fimage.png?alt=media&#x26;token=1f0fc9cc-15f5-4fa2-8392-31d704cd8fb1" alt=""><figcaption></figcaption></figure>
9. Once saved, click **Copy all** to copy the credentials to a secure location for use in the Splunk app.
10. Go back to Splunk and paste the copied credentials under the Cisco Identity Intelligence API Credentials section.\
    <mark style="color:$warning;">Note:</mark> Starting September 2025, Identity Intelligence <mark style="color:$danger;">no longer provides the audience value when creating an API client</mark>. However, the audience field is still required in the Splunk application. Until the application is updated, use the default audience value [`https://api.oort.io`](https://api.oort.io/) for this field. We will update this documentation once the application no longer requires an audience value.

    <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FOVsPbrn3hGI0WZdeyUyr%2FScreenshot%202025-11-06%20at%208.30.05%E2%80%AFAM.png?alt=media&#x26;token=46927de4-ee39-46cc-b781-687b80e6961f" alt=""><figcaption></figcaption></figure>
11. Once the API credentials are entered, the next step is to select the connection method. Select **Webhook** as the connection method from the drop-down.

    <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FG1nlO6kaihQeKeEeAUJm%2Fimage.png?alt=media&#x26;token=b86f4567-ca52-4337-b322-18860f158326" alt=""><figcaption></figcaption></figure>
12. Next, enter the Splunk HTTP Event Collector (HEC) URL. This URL will receive incoming events from Cisco Identity Intelligence. Make sure the URL is correct and properly formatted (the "Construct Your HEC Endpoint URL" section under Troubleshooting describes the format). Once confirmed, click **Save**.

    <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F8bzEe8exhHPtvxwW06xn%2Fimage.png?alt=media&#x26;token=78db3652-c9a5-4b8b-a5f0-d1012d14471d" alt=""><figcaption></figcaption></figure>

## Troubleshooting

Required Permissions: Ensure you have sc\_admin or equivalent permissions in Splunk.

### Part 1: Basic HEC Setup and Direct curl Test

This part checks that your Splunk HEC is configured and listening.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FQlTxqsUcJXmEwGkMvVcM%2Fimage.png?alt=media&#x26;token=f6536d78-76fa-4044-ba93-641eb529c719" alt=""><figcaption></figcaption></figure>

#### Enable and Configure HTTP Event Collector (HEC) in Splunk

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FiUroul7rj1QX86EhYjIN%2Fimage.png?alt=media&#x26;token=7e460029-0a42-444a-99b4-36ecc90ee0eb" alt=""><figcaption></figcaption></figure>

1. Navigate to Settings > Data Inputs.
2. Under "Local Inputs", click on HTTP Event Collector.
3. If HEC is not enabled, click Global Settings in the top right.
   1. Toggle All Tokens to "Enabled".
   2. Optionally, set a Source type and Default index for all HEC inputs.
   3. Click Save.
4. Back on the HTTP Event Collector page, click New Token to create a new HEC token.
5. Give your token a Name (e.g., HEC\_Test\_Token).
6. (Optional) Set Source type, Input settings (e.g., index, host field value). For a basic test, default settings are often fine.
7. Click Review, then Submit.
8. After the token is created, Splunk displays the Token Value. Copy the Token Value.

#### Construct Your HEC Endpoint URL

1. The HEC endpoint URL typically follows this format: `https://<your-splunk-host>:8088/services/collector/event`
2. Replace `<your-splunk-host>` with the hostname or IP address of your Splunk instance.
3. The default HEC port is 8088. Ensure this port is open on your Splunk server and reachable from the machine where you run the curl command.
4. For example, if your Splunk host is splunk.example.com, your URL would be <https://splunk.example.com:8088/services/collector/raw>. Note that the two collector endpoints behave differently: `/services/collector/event` parses a JSON body and requires an `event` field (the format used by the curl test below), while `/services/collector/raw` indexes the request body as-is.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FpLxRNPoHNUTUhoPcQwKc%2Fimage.png?alt=media&#x26;token=e3446fe6-2147-480a-a51a-bf96d4a08b09" alt=""><figcaption></figcaption></figure>

#### Send a Test Event using curl

1. Open a terminal or command prompt on a machine that has network access to your Splunk instance.
2. Use the following curl command, replacing {Token Value} and {HEC URL} with your specific details:

   `curl -k -H "Authorization: Splunk {Token Value}" -d '{"event": "Hello, Splunk HEC Test!"}' {HEC URL}`

   The `-k` flag skips TLS certificate verification. That is acceptable against a test instance with a self-signed certificate, but omit it once the endpoint presents a certificate your client trusts, so a misconfigured or intercepted endpoint is not silently accepted.
3. URI formats for Splunk Cloud Platform:
   1. Standard URI format for Splunk Cloud Platform free trials:\
      <https://http-inputs-example.splunkcloud.com:8088/services/collector/raw>
   2. Standard URI format for Splunk Cloud Platform:\
      <https://http-inputs-example.splunkcloud.com:443/services/collector/raw>
   3. Standard URI format for Splunk Cloud Platform on Google Cloud:\
      <https://http-inputs.example.splunkcloud.com:443/services/collector/raw>
   4. Standard URI format for Splunk Cloud FedRAMP Moderate on AWS GovCloud:\
      <https://http-inputs.example.splunkcloudgc.com:443/services/collector/raw>
4. URI format for Splunk Enterprise:\
   Standard URI format:\
   <https://splunkexample.link:8088/services/collector/raw>

Example:

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FwVNlNm25nUizjIEBhShX%2Fimage.png?alt=media&#x26;token=af80799a-52e5-407e-afed-838fed301b87" alt=""><figcaption></figcaption></figure>

#### Verify Success

1. A successful response is `{"text":"Success","code":0}`.
2. Search in Splunk for the event: `index=<your_index> "Hello, Splunk HEC Test!"`
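The Part 1 test above, as an added Python example that is not part of the Cisco or Splunk documentation: it builds the same HEC URL and JSON body as the curl command, sends the same `Authorization: Splunk <token>` header, and interprets the HEC reply, including the non-success codes you may see instead of `{"text":"Success","code":0}`. The function names, the injectable `post` hook and the sample values are assumptions.

```python
"""Added mirror of the Part 1 curl test (assumed names, not the Splunk app's code)."""
import json
import urllib.request

# Subset of HEC reply codes documented by Splunk for HEC troubleshooting.
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    17: "HTTP Event Collector is disabled",
}


def hec_url(host, port=8088, endpoint="event"):
    # https://<host>:<port>/services/collector/<event|raw>, as in Part 1
    if endpoint not in ("event", "raw"):
        raise ValueError("endpoint must be 'event' or 'raw'")
    return f"https://{host}:{port}/services/collector/{endpoint}"


def hec_payload(message):
    """Body for the /event endpoint; HEC rejects it without an 'event' key."""
    return json.dumps({"event": message}).encode()


def interpret(reply):
    """Map the HEC JSON reply to (ok, reason)."""
    try:
        data = json.loads(reply)
    except ValueError:  # not JSON: wrong path, a proxy, or a non-HEC listener
        return False, "non-JSON reply (wrong URL path or non-HEC responder)"
    code = data.get("code")
    return code == 0, HEC_CODES.get(code, data.get("text", f"code {code}"))


def _http_post(req):
    # Unlike 'curl -k', urllib verifies the server certificate by default.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def send_test_event(url, token, message, post=_http_post):
    """Same request as the curl command; 'post' is injectable for offline tests."""
    req = urllib.request.Request(
        url, data=hec_payload(message), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    return interpret(post(req))
```

Run `send_test_event(hec_url("splunk.example.com"), "<token>", "Hello, Splunk HEC Test!")` against a live instance to get the same `(True, "Success")` that the curl command's reply represents.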

### Part 2: Troubleshooting External System Integration

1. If the Splunk input was created successfully and the webhook on Cisco Identity Intelligence was also created, you can proceed with a connectivity test.
2. If no data appears in Splunk after the test, a likely cause is IP allowlisting.
3. To accept incoming data, Splunk may require the Identity Intelligence source IP addresses to be included in its allowlist (whitelist).
4. In some cases, adding a broad range such as 0.0.0.0/0 to the allowlist might be considered temporarily for testing, but this is not recommended for production due to security risks.
5. For secure and reliable data ingestion, obtain the precise Identity Intelligence cloud IP addresses or ranges from Cisco (<https://docs.oort.io/integrations/webhooks>) and include only those in the Splunk allowlist. Specifically, add the AWS IP ranges for your Duo-Identity Intelligence region (e.g. Europe) as outlined [here](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html).

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FUeb9yXoIJ5peL05nYSLg%2Fimage.png?alt=media&#x26;token=81e7f42a-b9a7-41a0-8ba7-1a6e9aedab1d" alt=""><figcaption></figcaption></figure>
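To replace the 0.0.0.0/0 testing shortcut with the region-scoped allowlist that step 5 recommends, here is an added example (not Cisco's or Splunk's code) that filters AWS's published ip-ranges.json by region and checks a webhook source address against the result. The JSON excerpt is constructed in the real file's schema, and the mapping from your Identity Intelligence region to an AWS region name (eu-west-1 here) is an assumption to confirm with Cisco.

```python
"""Added example: region-scoped Splunk allowlist built from AWS ip-ranges.json."""
import ipaddress
import json

# Constructed excerpt in the schema of https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def region_allowlist(doc, region, service="AMAZON"):
    """Collapsed CIDRs for one region. 'AMAZON' is the superset service entry,
    so it already covers the narrower EC2 prefixes in the same region."""
    data = json.loads(doc)

    def keep(p):
        return p["region"] == region and p["service"] == service

    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"] if keep(p)]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in data.get("ipv6_prefixes", []) if keep(p)]
    # collapse_addresses() cannot mix versions, so collapse v4 and v6 separately
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def is_allowed(source_ip, allowlist):
    """True if a webhook source address falls inside one of the allowlist CIDRs."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowlist)


def allowlist_is_wide_open(allowlist):
    """Flag 0.0.0.0/0 or ::/0 so the testing shortcut never reaches production."""
    return any(ipaddress.ip_network(cidr).prefixlen == 0 for cidr in allowlist)
```

Feed the live ip-ranges.json to `region_allowlist` and paste the returned CIDRs into the Splunk allowlist; `allowlist_is_wide_open` is a cheap check to run over the configured list before go-live.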
