D42 currently has a Splunk integration to send audit log data to Splunk.
I would like to see this integration expanded to also send D42 data (e.g. asset or ADM data).
The reason for this is, if you're using Splunk for SIEM (either just using Core or Enterprise Security), a core required data set is information about your assets, so if you're sending your audit data to Splunk there is a good chance you also need the discovered data.
I would like to see either an option to choose to send a table(s) to Splunk on a schedule or an option on the DOQL queries to send the JSON output to Splunk on a schedule. Both these options can use the existing Splunk HEC configuration in D42.
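Until such an option exists, the second variant (DOQL JSON output shipped to Splunk HEC on a schedule) can be scripted against the two existing HTTP interfaces. The script below is an added illustration written for this thread, not Device42's or Splunk's own code. It assumes the Device42 DOQL endpoint is `POST /services/data/v1.0/query/` with form fields `query` and `output_format=json` returning a JSON list of row objects, that HEC is reachable at `/services/collector/event` with a `Splunk <token>` header, and that the DOQL query and the sample rows are hypothetical stand-ins for real data. Run it from cron to get the schedule.

```python
"""Push the JSON rows of a Device42 DOQL query into Splunk over HEC.

Added example for this thread; endpoint paths, parameter names, the DOQL query
and the sample rows are assumptions, not vendor documentation.
"""
import base64
import json
import os
import ssl
import time
import urllib.parse
import urllib.request
from typing import Iterable, Iterator, List, Optional

# Constructed sample rows shaped like DOQL JSON output (not real D42 data).
SAMPLE_ROWS = [
    {"device_pk": 101, "name": "web-01", "os_name": "Ubuntu", "in_service": True},
    {"device_pk": 102, "name": "db-01", "os_name": "RHEL", "in_service": True},
    {"device_pk": 103, "name": "old-fw", "os_name": None, "in_service": False},
]

# Hypothetical DOQL query; the column list is illustrative only.
DOQL_QUERY = "SELECT device_pk, name, os_name, in_service FROM view_device_v1"


def chunked(rows: Iterable[dict], size: int) -> Iterator[List[dict]]:
    """Yield lists of at most `size` rows so one HEC request stays well under
    the collector's default max_content_length (1 MB)."""
    batch: List[dict] = []
    for row in rows:
        batch.append(row)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def build_hec_events(rows: Iterable[dict], sourcetype: str, source: str,
                     host: str, index: Optional[str] = None,
                     ts: Optional[float] = None) -> List[dict]:
    """Wrap each DOQL row in a HEC event envelope; the row becomes the
    `event` object so Splunk indexes its columns as fields."""
    ts = time.time() if ts is None else ts
    events = []
    for row in rows:
        ev = {"time": ts, "host": host, "source": source,
              "sourcetype": sourcetype, "event": row}
        if index:
            ev["index"] = index
        events.append(ev)
    return events


def encode_batch(events: List[dict]) -> str:
    """HEC accepts several JSON objects concatenated in one body."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


def run_doql(base_url: str, user: str, password: str, query: str,
             ctx: ssl.SSLContext) -> List[dict]:
    """POST a DOQL query to Device42 and return the parsed JSON rows
    (endpoint path and parameter names are assumptions)."""
    data = urllib.parse.urlencode({"query": query, "output_format": "json"}).encode()
    req = urllib.request.Request(f"{base_url}/services/data/v1.0/query/", data=data)
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


def post_hec(hec_url: str, token: str, body: str, ctx: ssl.SSLContext) -> int:
    """Send one encoded batch to HEC; raise if the collector does not ack it."""
    req = urllib.request.Request(f"{hec_url}/services/collector/event", data=body.encode())
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        ack = json.load(resp)
    if ack.get("code") != 0:  # HEC replies {"text":"Success","code":0} on success
        raise RuntimeError(f"HEC rejected batch: {ack}")
    return len(body.splitlines())


def main() -> None:
    # Secrets come from the environment, never from the script or cron line.
    # Keep default certificate verification on for both endpoints.
    ctx = ssl.create_default_context()
    rows = run_doql(os.environ["D42_URL"], os.environ["D42_USER"],
                    os.environ["D42_PASSWORD"], DOQL_QUERY, ctx)
    sent = 0
    for batch in chunked(rows, 500):
        events = build_hec_events(batch, "d42:doql:device", "d42:view_device_v1",
                                  os.environ.get("D42_HOST", "device42"),
                                  os.environ.get("SPLUNK_INDEX"))
        sent += post_hec(os.environ["SPLUNK_HEC_URL"], os.environ["SPLUNK_HEC_TOKEN"],
                         encode_batch(events), ctx)
    print(f"shipped {sent} rows")


if __name__ == "__main__":
    main()
```

Give the HEC token its own index and sourcetype so the asset rows can be referenced by the SIEM's asset lookups without mixing them into the audit-log sourcetype, and keep the batch size modest so a failed POST only reposts a few hundred rows.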