Splunk App Integration
Coming soon!
The Flare Splunk app delivers a Splunk Enterprise on-premises solution that provides full access to Flare event data within Splunk. Users can now:
- Access Full Event Details: Go beyond alert summaries and directly dive into detailed event information in Splunk.
- Enhance Security Workflows: Use Flare data to perform correlations, enrich investigations, and automate responses within Splunk, all tailored to their environment.
- Customize and Control: Meet compliance and operational requirements with an on-premises app designed to fit enterprise needs, allowing for high control over data access and usage.
The best way to install the Flare Splunk app within your Splunk Enterprise instance is done in one of two ways.
- Log into your Splunk Enterprise instance.
- From the home screen, click on the Apps dropdown and then click on "Find More Apps".
- Search for "Flare".
- Click the install button.
It may be helpful to add additional filters to the search.
Under the CATEGORY heading, select:
- Security, Fraud & Compliance
- Threat Intel
Under the APP TYPE heading, select
- App
- Log into Splunkbase.
- In the search bar, search for "Flare".
- Click the Download button to download the file.
- Log into your Splunk Enterprise instance.
- From the home screen, click on the Apps dropdown and then click on "Manage Apps".
- Click on the "Install app from file" button.
- Click the "Choose file" button and select the file you downloaded in step 4.
- if this is not your first installation, click the "Upgrade App" checkbox.
- Click the "Upload" button
- Click the "Set up now" button and go though the configuration steps listed below.
Once the app installation is complete, you will be brought to the application configuration screen. If you are not immediately brought to the Flare app configuration screen, navigate to the Splunk Enterprise home screen, and in the left column under Apps, you will see the Flare app. Click on that, and you will be brought to the configuration screen. If you are upgrading the app, you will not need to go through this step again.
Get or Create Your API Key
Log into https://app.flare.io and go to your Profile page. Look for the "API Keys" heading. Create your API key, and use the copy to clipboard button on the right to copy it.
Configure Flare Splunk App With Your API Key
Select Your Tenant
Your organization may have more than one tenant. Select the one from which you would like to import events.
That's it! 🎉
Your Flare Splunk app should now be pulling in events from Flare.
Note in the image above index="flare". This index is created by the Flare app and this is where all Flare event data will be stored. If you have a need to change this, see the instructions below.
If you ever need to switch the tenant from which you want to pull events or change your API key, you can do this from the Configuration tab.
Should a need arise to change the index that Flare data is ingested into, follow the steps below.
- In the top right nav, click the "Settings" dropdown.
- Click on "Data inputs".
- Click on "Scripts".
- Use the filter to search for "Flare".
- You should see "$SPLUNK_HOME/etc/apps/flare/bin/cron_job_ingest_events.py". Click on that.
- In the "Set sourcetype" dropdown, select "Manual" and ensure that "Source type" is set to "flare_json".
- Check the "More settings" checkbox.
- Under the "Index" section you'll see "Set the destination index for this source". You can change the index to whatever you want from this list. However, it's recommended that you use either "flare" or "main". Otherwise, create a new index of your choosing first and then come back to this section and set it to that index.
Below is an example of how that form should look.
