Splunk Integration¶

Splunk integrates with Parapet Security through webhook alert actions. This guide covers Splunk Enterprise and Splunk Cloud.

Prerequisites¶

Splunk Enterprise 8.0+ or Splunk Cloud
Admin access to create alert actions
Your Parapet Security webhook URL and token

Quick Setup¶

Step 1: Get Your Parapet Credentials¶

Log in to app.parapetsecurity.com
Go to Settings → Service Tokens
Click Generate New Token
Save both:
- Webhook URL: https://webhook-{region}.parapetsecurity.com/webhook/{tenant-id}
- Service Token: pst_... (shown only once)

Step 2: Create Webhook Alert Action¶

Option A: Using Splunk Web¶

Go to Settings → Alert Actions
Click Create Alert Action
Configure:

Field	Value
Label	Parapet Security
Description	Forward alerts to Parapet Security for AI triage
Webhook URL	`https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID`

Option B: Using alert_actions.conf¶

Create or edit $SPLUNK_HOME/etc/apps/your_app/local/alert_actions.conf:

[parapet_security]
is_custom = 1
label = Parapet Security
description = Forward alerts to Parapet Security for AI triage
icon_path = parapet_icon.png

param.webhook_url = https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID
param.token = pst_YOUR_TOKEN

payload_format = json

Step 3: Create Webhook Script¶

Create $SPLUNK_HOME/etc/apps/your_app/bin/parapet_security.py:

#!/usr/bin/env python3
"""
Parapet Security Alert Action for Splunk
"""

import sys
import json
import requests
from datetime import datetime

def send_to_parapet(payload, settings):
    """Send alert to Parapet Security webhook."""

    webhook_url = settings.get('param.webhook_url')
    token = settings.get('param.token')

    headers = {
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json'
    }

    # Build Parapet-compatible payload
    parapet_payload = {
        'source': 'splunk',
        'timestamp': datetime.utcnow().isoformat() + 'Z',
        'search': {
            'name': settings.get('search_name', 'Unknown'),
            'earliest': settings.get('search_earliest_time'),
            'latest': settings.get('search_latest_time')
        },
        'result_count': settings.get('result_count', 0),
        'results': payload.get('result', {})
    }

    try:
        response = requests.post(
            webhook_url,
            headers=headers,
            json=parapet_payload,
            timeout=30
        )
        response.raise_for_status()
        return True
    except Exception as e:
        sys.stderr.write(f"Error sending to Parapet: {e}\n")
        return False

if __name__ == '__main__':
    if len(sys.argv) < 2:
        sys.exit(1)

    # Read payload from stdin
    payload = json.loads(sys.stdin.read())

    # Read settings
    settings = {}
    with open(sys.argv[1], 'r') as f:
        for line in f:
            key, value = line.strip().split('=', 1)
            settings[key] = value

    success = send_to_parapet(payload, settings)
    sys.exit(0 if success else 1)

Make executable:

chmod +x $SPLUNK_HOME/etc/apps/your_app/bin/parapet_security.py

Step 4: Attach to Saved Search¶

Create or edit a saved search
Go to Settings → Searches, reports, and alerts
Find your search → Edit → Edit Alert
Under Trigger Actions, click + Add Actions
Select Parapet Security
Save

Alternative: HTTP Event Collector (HEC) Webhook¶

For simpler setup, use Splunk's built-in webhook action:

Step 1: Create Alert with Webhook Action¶

Create a new alert or edit existing
Add trigger action: Webhook
Configure:

Field	Value
URL	`https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID`

Step 2: Add Custom Headers (Splunk Cloud)¶

In Splunk Cloud, use the webhook action with custom configuration:

Settings → Alert Actions → Webhook → Advanced Options
Headers: Authorization: Bearer pst_YOUR_TOKEN

Step 3: Configure Payload¶

Select JSON payload format and customize:

{
  "source": "splunk",
  "timestamp": "$trigger_time$",
  "search": {
    "name": "$name$",
    "query": "$search$",
    "earliest": "$trigger.earliest_time$",
    "latest": "$trigger.latest_time$"
  },
  "results": {
    "count": "$result.count$",
    "first_result": "$result._raw$"
  }
}

Sample Alert Payload¶

Here's what Splunk sends to Parapet Security:

{
  "source": "splunk",
  "timestamp": "2026-01-28T15:30:00Z",
  "search": {
    "name": "Failed SSH Logins",
    "query": "source=/var/log/auth.log failed password | stats count by src_ip",
    "earliest": "2026-01-28T14:30:00Z",
    "latest": "2026-01-28T15:30:00Z"
  },
  "result_count": 5,
  "results": {
    "_time": "2026-01-28T15:25:00Z",
    "src_ip": "45.227.253.98",
    "count": "47",
    "user": "root",
    "host": "web-server-01"
  }
}

Parapet Security's AI normalizes this to extract:

Severity: High (based on event count and pattern)
Category: Authentication
Source IP: 45.227.253.98
Target User: root
Affected Host: web-server-01

Configuration Options¶

Filtering Alerts¶

Use SPL to filter before alerting:

source=/var/log/auth.log failed password
| stats count by src_ip, user
| where count > 10
| table _time, src_ip, user, count

Severity Mapping¶

Map Splunk severity to the payload:

severity_map = {
    'info': 'low',
    'low': 'low',
    'medium': 'medium',
    'high': 'high',
    'critical': 'critical'
}

Multiple Results¶

Send all results, not just the first:

parapet_payload = {
    'source': 'splunk',
    'timestamp': datetime.utcnow().isoformat() + 'Z',
    'search_name': settings.get('search_name'),
    'results': payload.get('results', []),  # All results
    'result_count': len(payload.get('results', []))
}

Enterprise Security Integration¶

For Splunk Enterprise Security (ES):

Notable Events¶

Forward notable events to Parapet Security:

| from datamodel:"Risk"."All_Risk"
| where risk_score >= 50
| table _time, src, dest, risk_message, risk_score

Correlation Searches¶

Attach webhook action to correlation searches:

Go to Enterprise Security → Correlation Searches
Edit a search → Response Actions
Add Parapet Security action

Troubleshooting¶

Webhook Not Firing¶

Check alert configuration: Settings → Searches → Verify alert is enabled and scheduled
Test search manually: Run the search to ensure it returns results

Check internal logs:

index=_internal source=*scheduler.log* savedsearch_name="Your Alert Name"

Authentication Errors¶

Verify token format: Token must start with pst_
Check for encoding issues: Ensure no extra whitespace in token

Test with curl:

curl -X POST "https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID" \
  -H "Authorization: Bearer pst_YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"source": "splunk", "test": true}'

Script Errors¶

Check script logs:

cat $SPLUNK_HOME/var/log/splunk/python.log

Verify Python environment:

$SPLUNK_HOME/bin/splunk cmd python3 -c "import requests; print('OK')"

Install dependencies:

$SPLUNK_HOME/bin/splunk cmd pip3 install requests

Rate Limiting¶

If you see 429 errors:

Reduce alert frequency
Add deduplication in SPL:
```
| dedup src_ip, user
```
Upgrade Parapet Security plan

Splunk Cloud Considerations¶

Splunk Cloud has restrictions on custom scripts. Use these alternatives:

Built-in Webhook Action: Use the native webhook with custom headers
HTTP Event Collector: Send via HEC to a proxy that adds auth
Splunk SOAR: Use Splunk SOAR playbooks for more complex integrations

Performance Tips¶

For high-volume environments:

Tip	Description
Aggregate results	Use `stats` to summarize before alerting
Throttle alerts	Set per-result throttling in alert settings
Use cron scheduling	Avoid real-time searches for non-critical alerts
Limit fields	Only include necessary fields in payload

Next Steps¶

Configure Slack notifications for real-time alerts
Set up alert filters to focus on what matters
Understand AI triage results