
Send alerts to Splunk

The Guard Detect Add-on for Splunk is a third-party integration that lets you index Guard Detect alerts in Splunk. With the add-on, we meet you where you work, alerting you to potential threats in your Atlassian cloud environment from within your existing Splunk workflow.

Get the Guard Detect Add-on for Splunk

Step 1: Install the app

The way you install the app will depend on your Splunk deployment:

Remember to restart your Splunk instance after installing the app to make sure it functions correctly.

Step 2: Add your API token

You will need to create an API token in your Atlassian Account to connect the Splunk app. How to create an API token in Atlassian Account

To create and add your API token:

  1. Log in to https://id.atlassian.com/manage-profile/security/api-tokens.

  2. Click Create API token.

  3. Enter a name for the token and make a note of it; you’ll need it later.

  4. Copy the API token; you’ll need it later.

  5. In Splunk, select Apps > Guard Detect Add-on for Splunk.

  6. Select Add.

  7. Enter a name for the API token configuration.

  8. Enter your email address (for the Atlassian Account used to create the token).

  9. Enter the API token you created earlier.

  10. Select Add to save the configuration.

Add API token screen in Splunk

Step 3: Add a new input

Next, you need to add Guard Detect as an input so that Splunk polls for alerts.

To add an input:

  1. In Splunk, select Apps > Guard Detect Add-on for Splunk.

  2. Select the Input tab.

  3. Select Create new input.

  4. Select the API token you created in the previous step.

  5. Enter the workspace URL in the format https://detect-domain/w/your-workspace/alerts

  6. Enter a Name for the input.

  7. Set the Interval for the scripted input to run, in seconds.

  8. Select which Index to send alert data to.

  9. Optionally, specify a custom source tag for the alert data.

Add Beacon input screen in Splunk

Step 4: Check the input

To check the integration is working correctly:

  1. In Splunk, select Apps > Guard Detect Add-on for Splunk.

  2. Select the Input Health tab.

  3. Check for any errors. If the integration is working, you should see an ‘input ran successfully’ message.

The app will now continuously poll for new alerts and index them in near real time. How often this happens depends on the interval you specified in the input configuration.

Splunk Input Health screen showing the ‘input ran successfully’ message

Step 5: Send a test alert

To send a test alert:

  1. In Guard Detect, go to Integrations > SIEM forwarding.

  2. Select Send test alert.

If the integration is working, you should be able to search for the test alert in the index you selected for the input.

What data is sent to your tool?

It’s important to know that once you set up an integration, you will be sending alert data to the third-party tool of your choosing. We send the alert title, description, and context, which can include:

  • The name of the actor and their profile picture

  • The name of the subject, which can be a person or an entity (such as a space, project, or policy)

  • The site URL or page URL where the activity happened

We respect the visibility settings in the actor’s Atlassian Account profile: if the actor has chosen not to share their profile picture with their Atlassian organization, that setting is honoured.

Before setting up the integration, make sure that it’s appropriate for this data to be shared with your third-party tool.
