Integrate Splunk SIEM with Instant ID as a Service

Use the Splunk Add-on to Instant ID as a Service to automatically forward audit logs from your IntelliTrust account to your Splunk SIEM.

The IntelliTrust Splunk Add-On is located at https://splunkbase.splunk.com/app/4204.

Add Splunk Add-on to Instant ID as a Service

  1. Select Main Menu > Resources > Applications. The Applications page appears.
  2. Click Add. The Add Applications page appears.
  3. Click Splunk Add-on. The Add Splunk Add-on page appears.
  4. In the Application Name field, type a name for your application.
  5. (Optional) In the Application Description field, type a description for your application.
  6. (Optional) Add a custom application logo as follows:
    1. Click Add next to Application Logo. The Upload Logo dialog box appears.
    2. Click Upload to select an image file to upload.
    3. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.
    4. If required, resize your image.
    5. Click OK.
  7. Click Submit. The Complete page opens.
  8. Do one of the following:
    • Click Copy to Clipboard to copy the credentials.
    • Click Credentials to download a JSON file that contains the credentials.

    Attention: Once you leave this page, the credentials are no longer available. If you do not copy or download the data, you will need to recreate the application.

  9. Click Done.

Add IntelliTrust Add-on to Splunk

  1. Log in to Splunk.
  2. Click Find More Apps.
  3. In the Browse More Apps field, search for IntelliTrust. The Entrust Datacard IntelliTrust Add-on for Splunk dialog box opens.
  4. Click Install.
  5. On the Login page, enter your Splunk.com username and password.
  6. Accept the terms of agreement.
  7. Click Login and Install.
  8. Click Restart Now on the Restart Splunk prompt.
  9. Click OK.
  10. Log in to Splunk as an administrator. The IntelliTrust Add-on appears in the Apps list.
  11. Click IntelliTrust Add-on. The Inputs page opens.
  12. Click Configuration. The Configuration page opens.
  13. Click Add-on Settings.
  14. In the IntelliTrust Splunk App Secret field, paste the credentials that you generated in Add Splunk Add-on to Instant ID as a Service.
  15. Click Save.
  16. On the Inputs page, click Create New Input.
  17. In the Interval box, enter the interval, in seconds, at which Splunk queries IntelliTrust for new audit events.
  18. In the Include field, select the type of audits to include. Options include:
    • Authentication Events Only
    • Management Events Only
    • Both
  19. Click Add.