This article explains how to configure Afi audit log ingestion in Splunk or in a similar SIEM system. Audit log export is configured at the Configuration → SIEM tab and includes all audit events for an Afi organization account as well as its child tenants/organizations.
The following destination channels for log ingestion are supported:
- Splunk HTTP Event Collector (HEC)
- Webhook (suitable for an arbitrary SIEM system that accepts events through a webhook)
- MS Teams
Audit log export in Splunk
Although Splunk HEC receives events in the same way as a webhook, Splunk requires an authentication token to be sent along with each event. To create a collector and a token and then set up the integration with Afi, do the following:
- Step 1 - Go to Settings → Data Inputs → HTTP Event Collector in the Splunk admin panel and enable HEC by setting All tokens to Enabled in Global Settings. Also choose _json as the default source type, since Afi sends audit events in JSON format.
- Step 2 - Create and copy a new HEC token by clicking the New Token option (make sure that the Enable indexer acknowledgement option is unchecked).
- Step 3 - Set up log export on the Afi side at the Configuration → SIEM tab by selecting the Splunk option and filling in the following parameters:
  - Collector endpoint - Splunk HEC endpoint
  - Splunk token - token from Step 2
  - Event source - event source from Step 2
  - Source type - _json
Please note that, by default, Splunk Cloud protects its HEC endpoint with a self-signed HTTPS certificate, so make sure that a custom SSL certificate issued by a commonly accepted certificate authority (CA) is installed on the Splunk HEC endpoint before enabling the export.
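One way to check the Step 3 parameters end to end before enabling the export: the script below, an added example that is not Afi's or Splunk's own code, posts a single constructed audit event to HEC with the same envelope fields (source, source type _json, token header). The endpoint and token are placeholders to replace with your own values; the event body is a made-up sample, not Afi's schema.

```python
"""Send one constructed test event to a Splunk HEC endpoint with the
parameters from Step 3. Added example, not Afi's or Splunk's code;
the endpoint and token below are placeholders."""
import json
import ssl
import time
import urllib.request

# Placeholders: substitute the Splunk HEC endpoint and the token from Step 2.
HEC_ENDPOINT = "https://splunk.example.com:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def hec_envelope(event, source, sourcetype="_json", ts=None):
    """Wrap an audit event in the HEC JSON envelope.

    HEC expects the event body under "event" plus optional metadata
    fields; "sourcetype" must match the Step 3 setting (_json) so that
    Splunk parses the nested JSON fields automatically.
    """
    return {
        "time": ts if ts is not None else time.time(),
        "source": source,
        "sourcetype": sourcetype,
        "event": event,
    }


def send_event(envelope, endpoint=HEC_ENDPOINT, token=HEC_TOKEN):
    """POST the envelope to HEC with the Splunk token header.

    The default SSL context verifies the server certificate against the
    system CA store, so a self-signed HEC certificate (the Splunk Cloud
    default noted above) makes this raise ssl.SSLCertVerificationError.
    That is the failure to fix with a CA-issued certificate, not by
    disabling verification.
    """
    req = urllib.request.Request(
        endpoint,
        data=json.dumps(envelope).encode(),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())  # HEC answers {"text":"Success","code":0}


if __name__ == "__main__":
    # Constructed sample audit event; the field names are illustrative only.
    sample = {"action": "backup.restore", "actor": "admin@example.com",
              "tenant": "child-org-1", "result": "success"}
    print(send_event(hec_envelope(sample, source="afi-audit")))
```

A successful run returns Splunk's `{"text": "Success", "code": 0}` reply and the event should appear in Splunk under the configured source with sourcetype _json.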