Splunk App Integration

The Flare Splunk app delivers a Splunk Enterprise on-premises solution that provides full access to Flare event data within Splunk. Users can now:

  • Access Full Event Details: Go beyond alert summaries and directly dive into detailed event information in Splunk.
  • Enhance Security Workflows: Use Flare data to perform correlations, enrich investigations, and automate responses within Splunk, all tailored to their environment.
  • Customize and Control: Meet compliance and operational requirements with an on-premises app designed to fit enterprise needs, allowing for high control over data access and usage.

Installation

The Flare Splunk app can be installed in your Splunk Enterprise instance in one of two ways.

1 - Splunk App Marketplace (preferred)

  1. Log into your Splunk Enterprise instance.
  2. From the home screen, click on the Apps dropdown and then click on "Find More Apps".
  3. Search for "Flare".
  4. Click the install button.

It may be helpful to add additional filters to the search.

Under the CATEGORY heading, select:

  • Security, Fraud & Compliance
  • Threat Intel

Under the APP TYPE heading, select:

  • App

2 - Download From Splunkbase

  1. In your browser, navigate to https://splunkbase.splunk.com/.
  2. Log into Splunkbase.
  3. In the search bar, search for "Flare".
  4. Click the Download button to download the file.
  5. Log into your Splunk Enterprise instance.
  6. From the home screen, click on the Apps dropdown and then click on "Manage Apps".
  7. Click on the "Install app from file" button.
  8. Click the "Choose file" button and select the file you downloaded in step 4.
    1. If this is not your first installation, check the "Upgrade App" checkbox.
  9. Click the "Upload" button.
  10. Click the "Set up now" button and go through the configuration steps listed below.

Configuration

Once the app installation is complete, you will be brought to the application configuration screen. If you are not immediately brought to the Flare app configuration screen, navigate to the Splunk Enterprise home screen, and in the left column under Apps, you will see the Flare app. Click on that, and you will be brought to the configuration screen. If you are upgrading the app, you will not need to go through this step again.

1 - Get or Create Your API Key

Log into https://app.flare.io and go to your Profile page. Look for the "API Keys" heading. Create your API key, and use the copy to clipboard button on the right to copy it.

2 - Configure Flare Splunk App With Your API Key

3 - Select Your Tenant & Index

Your organization may have more than one tenant. Select the one from which you would like to import events.

By default, the Flare app ingests data into a "flare" index. You can switch this to the "main" index or to any other custom index that you create.

4 - Select Additional Filters

By default, all Severity and Category filters are selected. If you wish to limit those, you may do so here.

Additionally, by default, the Flare app will ingest full activity data. If you wish to limit that to event metadata only, toggle the "Basic event ingestion" switch on.

5 - Click Submit

6 - Start Analyzing Flare Data

Click the "View Flare Data" button to go to a prefilled search.

If this is the first time you are viewing data, allow about one minute after configuring the app before data starts to appear.

That's it! 🎉

Your Flare Splunk app should now be pulling in events from Flare.

Note that the prefilled search uses index="flare". This index is created by the Flare app, and it is where all Flare event data will be stored. If you need to change this, see the instructions below.

Change Your Tenant

If you ever need to switch the tenant from which you want to pull events or change your API key, you can do this from the Configuration tab.
