Splunk App Integration
The Flare Splunk app delivers a Splunk Enterprise on-premises solution that provides full access to Flare event data within Splunk. Users can now:
- Access Full Event Details: Go beyond alert summaries and directly dive into detailed event information in Splunk.
- Enhance Security Workflows: Use Flare data to perform correlations, enrich investigations, and automate responses within Splunk, all tailored to their environment.
- Customize and Control: Meet compliance and operational requirements with an on-premises app designed to fit enterprise needs, allowing for high control over data access and usage.
You can install the Flare Splunk app in your Splunk Enterprise instance in one of two ways.
Option 1: Install from within Splunk Enterprise
- Log into your Splunk Enterprise instance.
- From the home screen, click on the Apps dropdown and then click on "Find More Apps".
- Search for "Flare".
- Click the Install button.
It may be helpful to add additional filters to the search.
Under the CATEGORY heading, select:
- Security, Fraud & Compliance
- Threat Intel
Under the APP TYPE heading, select:
- App
Option 2: Install from Splunkbase
- Log into Splunkbase.
- In the search bar, search for "Flare".
- Click the Download button to download the file.
- Log into your Splunk Enterprise instance.
- From the home screen, click on the Apps dropdown and then click on "Manage Apps".
- Click on the "Install app from file" button.
- Click the "Choose file" button and select the file you downloaded from Splunkbase.
- If this is not your first installation, check the "Upgrade app" checkbox.
- Click the "Upload" button.
- Click the "Set up now" button and go through the configuration steps listed below.
Once the app installation is complete, you will be brought to the application configuration screen. If you are not immediately brought to the Flare app configuration screen, navigate to the Splunk Enterprise home screen, and in the left column under Apps, you will see the Flare app. Click on that, and you will be brought to the configuration screen. If you are upgrading the app, you will not need to go through this step again.
Get or Create Your API Key
Log into https://app.flare.io and go to your Profile page. Look for the "API Keys" heading. Create your API key, and use the copy to clipboard button on the right to copy it.
Configure Flare Splunk App With Your API Key
Select Your Tenant & Index
Your organization may have more than one tenant. Select the one from which you would like to import events.
By default, the Flare app ingests data into a "flare" index. You can switch this to the "main" index or to any other custom index that you create.
Select Additional Filters
By default, all Severity and Category filters are selected. If you wish to limit those, you may do so here.
Additionally, by default, the Flare app will ingest full activity data. If you wish to limit that to event metadata only, toggle the "Basic event ingestion" switch on.
Click Submit.
Start Analyzing Flare Data
Click the "View Flare Data" button to go to a prefilled search.
If this is the first time you are viewing data, it takes about one minute after configuring the app for data to start appearing.
That's it! 🎉
Your Flare Splunk app should now be pulling in events from Flare.
Note that the prefilled search uses index="flare". This index is created by the Flare app, and it is where all Flare event data is stored. If you need to change this, see the instructions below.
If you ever need to switch the tenant from which you want to pull events or change your API key, you can do this from the Configuration tab.