Views:

View all your XDR data directly on the Splunk dashboard.

Note
Note
  • The following instructions are based on the Splunk Server Enterprise 9.0.0, 9.1.0, and 9.2.0 releases. The Splunk settings might be different if you are using a different version of Splunk. Refer to the Splunk documentation for specific information related to your version.
  • If you are installing the Splunk app as an upgrade, the app automatically applies any valid settings from the old version and disables the Splunk Data inputs settings.

Procedure

  1. In the TrendAI Vision One™ console, obtain the Endpoint URL and the Authentication token.
    1. Go to Workflow and AutomationThird-Party Integrations.
    2. Locate and click the Splunk XDR card.
    3. Use the copy icons (copyicon=GUID-BD854E6D-5EB9-4181-BE68-D5F743237995=1=en-us=Low.jpg) to obtain the following information:
      • Endpoint URL
      • Authentication token
    4. (Optional) If the authentication token is expired or does not exist, click Generate and enter the required information in the API Key Settings window to add a new token.
  2. Search for and install the Trend Vision One for Splunk (XDR) app from Splunkbase.
  3. Once the app is installed, go to AppsTrend Vision One for Splunk (XDR) on the Spunk console.
    SplunkConsoleAppsTrendMicroVisionOneEntry=GUID-C781FCFF-0A9B-42BA-AAFE-5FA84786EDA7=1=en-us=Low.png
  4. Configure the account settings.
    1. Go to ConfigurationAccounts.
    2. Use the edit icon (SplunkConsoleEdit=1515285c-3d50-4b30-9e72-7a6be45e399d.png) next to each account to modify its settings.
    3. Paste the Endpoint URL and Authentication token obtained from the TrendAI Vision One™ console. If you have multiple authentication tokens, separate them with semicolons.
    4. Click Update.
    5. (Optional) Go to ConfigurationProxy and enter the following information as necessary:
      • HTTPS Proxy Address
      • Retry Interval
    6. Click Save.
  5. (Optional) Add a new account.
    1. Click Add.
    2. Enter the Account name and paste the Endpoint URL and Authentication token from the TrendAI Vision One™ console.
    3. Click Add.
  6. Configure the data inputs used by Splunk.
    1. Go to Inputs in the menu bar.
    2. Under Status, use the toggle to enable or disable each data input.
    3. Use the edit icon (SplunkConsoleEdit=1515285c-3d50-4b30-9e72-7a6be45e399d.png) to configure settings for the data input.
    4. Enter the following information for the data input:
      • Name
      • Interval
      • Index
      • Global account
    5. Click Update.
  7. (Optional) Add a new data input.
    1. Click Create New Input.
    2. Select a data input from the following:
      • TrendAI Vision One™ Workbench Alerts
      • TrendAI Vision One™ Observed Attack Techniques
      • TrendAI Vision One™ Audit Logs
      • TrendAI Vision One™ Detection
    3. Enter the Name, Interval, and Index, and select the Global account for the data input.
      Note
      Note
      The Observed Attack Techniques data input type additionally requires you to select a Risk level, and synchronizes all events with a risk level equal to or higher than the level specified. Selecting undefined, info, or low might cause a high volume of data transfer.
    4. Click Add.
    After successfully installing the Splunk app, Splunk begins collecting XDR data from TrendAI Vision One™. Splunk can only collect XDR data generated after connecting to TrendAI Vision One™. You might need to allow some time before new XDR data starts to appear.
    Note
    Note
    The Detection screen in the Splunk console provides only a limited set of detection data fields from XDR data. To access more detailed detection information, go to the Search screen and run a query using supported Splunk syntax, such as source="trendmicro_v1_detection"|table _time,_raw. This allows you to view the full detections data available from TrendAI Vision One™.