Version 1.0
A Splunk Technology Add-On (TA) to provide CIM compliance on Lacework alert and audit data. This add-on is designed to work in conjunction with the Splunk integration available via the Lacework UI.
Installation Notes
The Splunk TA for Lacework was created for use with the HEC input in Splunk. This contains both Index Time (transforms) and Search Time (props) operations for ingesting and properly sourcetyping the Lacework (HEC) Splunk Alert Channel.
In Splunk Cloud, depending on your deployment type, the HEC endpoint will be similar to https://http-inputs..splunkcloud.com:443/ and the TA should be deployed here and at the Search Tier.
Do note that the token created on the HEC input needs to match what your Lacework Tenant is configured with, and that the source field in Lacework is set to lacework for the transform to properly identify and rename.
Installation via Splunk UI
1. Download the latest release of the add-on from the GitHub repo: https://github.com/lacework-dev/lacework_splunk_addon/releases/new
2. In your Splunk UI, navigate to your Apps > Manage Apps page.
3. Click Install App from File.
4. Click Choose File. Select the file you downloaded in Step 1.
5. Click Upload.
Notes
- This add-on works in conjunction with the existing Lacework integration with Splunk via the UI. This does not replace it.
- In the UI Integration, the "source" field must be set to "lacework" for the TA to properly parse and map fields to CIM. This can be changed, but you must rename the props.conf source::lacework stanza appropriately in the app's files.
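The following is an added, illustrative props.conf/transforms.conf pair (not the add-on's own files) showing how the source::lacework stanza ties the HEC source value to the index-time sourcetype rewrite and the search-time CIM mapping; the transform name, the sourcetype name and the field names are assumptions, since the page does not list the TA's actual stanzas.

```ini
# props.conf (illustrative; only the source::lacework stanza name comes from the README)
[source::lacework]
# Index time: events arriving on the HEC input with source=lacework are handed to
# the transform below. If the Lacework UI integration uses a different source value,
# this stanza header must be renamed to match, or the transform never fires.
TRANSFORMS-lacework_sourcetype = set_lacework_sourcetype

[lacework:alert]
# Search time: the rewritten sourcetype carries the CIM alignment. The JSON field
# names on the right are placeholders for whatever the Lacework payload carries.
KV_MODE = json
FIELDALIAS-lacework_severity = SEVERITY AS severity
EVAL-vendor = "Lacework"
EVAL-vendor_product = "Lacework"

# transforms.conf (illustrative)
[set_lacework_sourcetype]
# Deliberate catch-all: every event from source=lacework gets the dedicated sourcetype
# so that search-time props apply to it.
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::lacework:alert
```

After deploying, confirm the rewrite took effect with a search such as `source=lacework | stats count by sourcetype`; events still showing the HEC input's default sourcetype indicate a source-value or stanza-name mismatch.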
Reference URIs
Lacework Docs
Splunk Alert Channel Configuration