Splunk
The Splunk integration sends SonicSaaS events to your Splunk instance via the HTTP Event Collector (HEC) for centralized log management and SIEM correlation.
What It Provides
- Event forwarding — send audit events, device status changes, and operational alerts to Splunk
- SIEM integration — correlate SonicSaaS events with other security data in your Splunk environment
- Compliance evidence — maintain a centralized, tamper-evident log store for audit purposes
Setup
To configure the Splunk integration:
- Navigate to Integrations → Splunk
- Enter your Splunk HEC endpoint URL and token
- Configure which event types to forward
- Save and test the connection
Your Splunk HEC token is encrypted at rest using AES-256-GCM.
What Gets Sent
Events forwarded to Splunk include:
- Authentication events (sign-in, sign-out, MFA, password changes)
- Device operations (backups, firmware updates, configuration changes)
- Policy changes and compliance status changes
- Alert and anomaly events
Events are sent in structured JSON format, ready for Splunk indexing and search.
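As an added illustration (not SonicSaaS's own forwarding code), the following Python shows what a forwarded event looks like once wrapped in the Splunk HEC JSON envelope, how the HEC token is presented in the `Authorization: Splunk <token>` header, and a URL check a practitioner would run before saving the endpoint. The sample event, the `sonicsaas:audit` sourcetype and the field names are constructed assumptions, not SonicSaaS's actual schema.

```python
import json
import time
import urllib.request
from urllib.parse import urlparse

# Constructed sample of a SonicSaaS-style authentication event (not real data).
SAMPLE_EVENT = {
    "event_type": "auth.sign_in",
    "user": "alice@example.com",
    "mfa": True,
    "source_ip": "203.0.113.10",
    "timestamp": 1700000000,
}

def validate_hec_url(url):
    """Accept only an HTTPS HEC collector endpoint. A plain-HTTP URL would
    expose both the HEC token and the audit events in transit."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.path.rstrip("/") in (
        "/services/collector", "/services/collector/event")

def build_hec_envelope(event, sourcetype="sonicsaas:audit", host="sonicsaas"):
    """Wrap one event in the HEC JSON envelope. The event's own timestamp becomes
    the HEC 'time' field so Splunk indexes it at the time it occurred, not at
    forwarding time (important for incident timelines)."""
    return {
        "time": event.get("timestamp", int(time.time())),
        "host": host,
        "source": "sonicsaas",
        "sourcetype": sourcetype,
        "event": event,
    }

def send_to_hec(url, token, event, timeout=10):
    """POST a single envelope to HEC and return the parsed JSON reply,
    e.g. {"text": "Success", "code": 0}. Requires network access."""
    if not validate_hec_url(url):
        raise ValueError("expected https://<host>:8088/services/collector/event")
    body = json.dumps(build_hec_envelope(event)).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())

def hec_accepted(response):
    """HEC reports code 0 on success; any other code (e.g. 4 = invalid token)
    means the event was not indexed and the forwarder should alert on it."""
    return response.get("code") == 0
```

Sending a single `SAMPLE_EVENT` and checking `hec_accepted` on the reply is a quick way to confirm the token and endpoint entered in the Setup step actually index events.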
Related
- Audit Log — platform audit trail
- Integrations Overview — all available integrations