Splunk Enterprise Security – Setup Guide
v2.4 • Updated 2 days ago
Connect ThreatLens Core to your Splunk Enterprise Security deployment to enable AI-augmented alert triage and automated enrichment.
Prerequisites
- Admin Role on Splunk Enterprise Security
- Network Access to Splunk REST API (Port 8089)
- HTTPS Enabled on Splunk Instance
1. Create API User
Navigate to Settings → Access Controls → Users. Create a new user with the ess_admin role to ensure ThreatLens Core has access to Notable Events and correlation searches.
Note: Requires Admin Privileges on Splunk Enterprise Security.
Role: ess_admin
Capabilities: search, list_inputs, edit_tcp
2. Generate Authentication Token
Navigate to Settings → Tokens → New Token. Create a token for the API user created in Step 1. Set expiration based on your security policy.
Store the token securely—it will only be shown once.
Token Type: Bearer
Expiration: 90 days (recommended)
3. Configure ThreatLens Core
Log in to your ThreatLens Core dashboard. Navigate to Settings > Integrations. Select Splunk Enterprise Security and enter the required connection parameters.
Splunk Base URL: https://your-splunk-host:8089
API Token: [Your Generated Token]
Index Context: main, notable, threat_intel
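As an added pre-flight check (example code, not part of this guide or of ThreatLens Core), the script below verifies before Step 3 is saved that the base URL is HTTPS on the REST port 8089, that the token from Step 2 resolves to a user holding ess_admin with the capabilities listed in Step 1, and that the three indexes are visible. It uses Splunk's standard REST endpoints /services/authentication/current-context and /services/data/indexes; the fetch parameter is an assumption so the checks can also be run against canned responses.

```python
import json
import urllib.request
from urllib.parse import urlparse

REQUIRED_ROLE = "ess_admin"
REQUIRED_CAPABILITIES = {"search", "list_inputs", "edit_tcp"}
REQUIRED_INDEXES = {"main", "notable", "threat_intel"}

def check_base_url(base_url):
    """Flag a base URL that is not HTTPS on the Splunk REST API port 8089."""
    u = urlparse(base_url)
    problems = []
    if u.scheme != "https":
        problems.append("base URL must use https")
    if u.port != 8089:
        problems.append("base URL must use the REST API port 8089")
    return problems

def check_context(context):
    """Check the parsed /services/authentication/current-context response."""
    content = context["entry"][0]["content"]
    problems = []
    if REQUIRED_ROLE not in content.get("roles", []):
        problems.append("token user lacks role " + REQUIRED_ROLE)
    missing = REQUIRED_CAPABILITIES - set(content.get("capabilities", []))
    if missing:
        problems.append("missing capabilities: " + ", ".join(sorted(missing)))
    return problems

def check_indexes(indexes):
    """Check the parsed /services/data/indexes response lists every needed index."""
    visible = {e["name"] for e in indexes.get("entry", [])}
    missing = REQUIRED_INDEXES - visible
    return ["indexes not visible: " + ", ".join(sorted(missing))] if missing else []

def splunk_get(base_url, token, path):
    """GET a Splunk REST endpoint as JSON with the bearer token from Step 2."""
    req = urllib.request.Request(f"{base_url}{path}?output_mode=json",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def preflight(base_url, token, fetch=splunk_get):
    """Run every check; an empty list means Splunk is ready for ThreatLens Core."""
    problems = check_base_url(base_url)
    if problems:  # do not send the token anywhere but HTTPS on 8089
        return problems
    ctx = fetch(base_url, token, "/services/authentication/current-context")
    idx = fetch(base_url, token, "/services/data/indexes")
    return check_context(ctx) + check_indexes(idx)
```

Run preflight(base_url, token) against the live instance; any non-empty result names the prerequisite from Steps 1 to 3 that still needs fixing.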