The Guard Detect Add-on for Splunk is a third-party integration that indexes Guard Detect alerts in Splunk. With the add-on, we meet you where you work, alerting you to potential threats in your Atlassian cloud environment.
Get the Guard Detect Add-on for Splunk
The way you install the app will depend on your Splunk deployment:
Install an add-on in a single-instance Splunk Enterprise deployment
Install an add-on in a distributed Splunk Enterprise deployment
Remember to restart your Splunk instance after installing the app to make sure it functions correctly.
You will need to create an API token in your Atlassian Account to connect the Splunk app. See also: How to create an API token in Atlassian Account.
To create and add your API token:
Log in to https://id.atlassian.com/manage-profile/security/api-tokens.
Click Create API token.
Enter a name for the token and make a note of it; you’ll need it later.
Copy the API token and store it somewhere safe; you’ll need it later. The token is a credential for your Atlassian Account, so treat it like a password.
In Splunk, select Apps > Guard Detect Add-on for Splunk.
Select Add.
Enter a name for the API token configuration.
Enter the email address of the Atlassian Account used to create the token.
Enter the API token you created earlier.
Select Add to save the configuration.
Next you need to add Guard Detect as an input.
To add an input:
In Splunk, select Apps > Guard Detect Add-on for Splunk.
Select the Input tab.
Select Create new input.
Select the API token you created in the previous step.
Enter the workspace URL in the format https://detect-domain/w/your-workspace/alerts
Enter a Name for the input.
Set the Interval, in seconds, at which the scripted input runs.
Select which Index to send alert data to.
Optionally, specify a custom source tag for the alert data.
To check the integration is working correctly:
In Splunk, select Apps > Guard Detect Add-on for Splunk.
Select the Input Health tab.
Check for any errors. If the integration is working, you should see an input ran successfully message.
The app will now continuously monitor for and index new alerts in near real-time. How often this happens will depend on the interval you specified in the input configuration.
To send a test alert:
In Guard Detect, go to Integrations > SIEM forwarding.
Select Send test alert.
If the integration is working, you should be able to search for the test alert in the index you selected for the input.
It’s important to know that once you set up an integration, you will be sending alert data to the third-party tool of your choosing. We send the alert title, description, and context, which can include:
The name of the actor and their profile picture
The name of the subject, which can be a person or an entity (such as a space, project, or policy)
The site URL or page URL where the activity happened.
We respect the visibility settings in the actor’s Atlassian Account profile: if the actor has chosen not to share their profile picture with their Atlassian organization, it isn’t included in the alert data.
You should make sure that it’s appropriate for this data to be shared with your third-party tool before setting up the integration.