Set Up Splunk

Overview

You can configure Bridgecrew to send notifications to Splunk whenever it generates a new Incident. This integration uses Splunk’s HTTP Event Collector feature.

How to Integrate

Part 1 - In Bridgecrew

  1. From Integrations Catalog, under Notification Platforms, select Splunk.
  2. Set up Splunk HTTP Event Collector by clicking the link in the wizard or by clicking here.

Part 2 - In Splunk

  1. Copy the Token.
  2. In Splunk’s Global Settings, ensure that the option for All Tokens is enabled.
  3. Set the Index you want Bridgecrew to post Incident notifications to as the default.
  4. If your organization restricts inbound access to its network by source IP, add all three IP addresses listed in the Notes below to your ingress access configuration.

Notes

  1. Set the token's Source Type attribute to "bridgecrew".
  2. Bridgecrew sends notifications from any of the following three addresses (it load-balances across them), so all three must be allowed:
    52.35.163.8
    44.231.203.74
    44.231.142.62
  3. If the Splunk instance accepts connections from the internet on the HTTP Event Collector port (8088 by default), you do not need to add the Bridgecrew IP addresses to your ingress access configuration.
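The Splunk-side checks above can be expressed as code. The following Python is an added example, not Bridgecrew's or Splunk's own code: the HEC endpoint path, the `Authorization: Splunk <token>` header and the `event`/`sourcetype`/`index` envelope keys are standard HEC, but the exact envelope Bridgecrew sends is an assumption, and the `token_settings` dict merely mirrors what an administrator sees in the HEC settings screen (it is a constructed structure, not a Splunk API response).

```python
import ipaddress
import json

# Values taken from the integration page.
BRIDGECREW_SOURCE_IPS = ("52.35.163.8", "44.231.203.74", "44.231.142.62")
REQUIRED_SOURCETYPE = "bridgecrew"
HEC_DEFAULT_PORT = 8088


def build_hec_request(splunk_url, token, incident, index=None):
    """Return (endpoint, headers, envelope) for one HEC event carrying an Incident.

    Standard HEC: POST JSON to /services/collector/event with
    'Authorization: Splunk <token>'. The caller serialises `envelope` with
    json.dumps(). That Bridgecrew uses exactly this envelope is an assumption.
    """
    endpoint = splunk_url.rstrip("/") + "/services/collector/event"
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    envelope = {"sourcetype": REQUIRED_SOURCETYPE, "event": incident}
    if index:  # otherwise HEC falls back to the token's default index (Part 2, step 3)
        envelope["index"] = index
    return endpoint, headers, envelope


def ingress_gaps(allowed_cidrs):
    """Return the Bridgecrew source IPs NOT covered by an ingress allow-list.

    An empty result means all three load-balanced senders can reach HEC.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    return [ip for ip in BRIDGECREW_SOURCE_IPS
            if not any(ipaddress.ip_address(ip) in net for net in networks)]


def check_hec_settings(token_settings):
    """Flag HEC token settings that contradict Part 2 and the Notes.

    `token_settings` is a constructed dict with the keys all_tokens_enabled,
    sourcetype and default_index; it is not a real Splunk API object.
    """
    problems = []
    if not token_settings.get("all_tokens_enabled"):
        problems.append("Global Settings: 'All Tokens' is disabled")
    if token_settings.get("sourcetype") != REQUIRED_SOURCETYPE:
        problems.append(f"token Source Type must be '{REQUIRED_SOURCETYPE}'")
    if not token_settings.get("default_index"):
        problems.append("token has no default index for Incident notifications")
    return problems


if __name__ == "__main__":
    # Constructed incident payload in the shape the page documents.
    incident = {"message": {"violationId": "BC_AWS_S3_15", "category": "S3"},
                "severity": "HIGH"}
    endpoint, headers, envelope = build_hec_request(
        f"https://splunk.example.com:{HEC_DEFAULT_PORT}",  # hypothetical host
        "00000000-0000-0000-0000-000000000000",           # placeholder token
        incident, index="bridgecrew")
    print(endpoint, headers["Authorization"])
    print(json.dumps(envelope, indent=2))
    print("uncovered senders:", ingress_gaps(["52.35.163.0/24"]))
    print("settings problems:", check_hec_settings({"all_tokens_enabled": True}))
```

`ingress_gaps` takes the allow-list as CIDR strings so that a single /32 per address and a broader range are both handled; a non-empty return is exactly the list of senders whose notifications a firewall would silently drop.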

Part 3 - In Bridgecrew

  1. Enter your Splunk URL.
  2. Paste the token from Splunk then select Done.

Message Details

The following fields are embedded in the message sent to Splunk for each Incident.

  • category
  • severity
  • title
  • resource
  • firstDetectionDate
  • guideline
  • violationId

Example

{
  "message": {
    "violationId": "BC_AWS_S3_15",
    "resource": "arn:aws:s3:::scanners-bc-bridgecrewcws-809694787632",
    "firstDetectionDate": "2020-05-19T11:53:40.573Z",
    "title": "Ensure all data is transported from the S3 bucket securely",
    "category": "S3",
    "guideline": "https://www.bridgecrew.cloud/incidents/BC_AWS_S3_15?tab=Guidelines"
  },
  "severity": "HIGH"
}
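A parser for the event shape shown above, added here as an example and not Bridgecrew's or Splunk's own code. It takes the seven documented fields, notes that in the example `severity` sits beside `message` rather than inside it, and rejects events that lack any field; the severity scale beyond HIGH and the function names are assumptions, and the second sample event is constructed to be malformed.

```python
import json
from datetime import datetime, timezone

# The seven fields the page lists for every Incident notification.
INCIDENT_FIELDS = ("category", "severity", "title", "resource",
                   "firstDetectionDate", "guideline", "violationId")

# Only HIGH appears on the page; the other levels and their order are assumed.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Wire sample copied from the page's Example.
SAMPLE_EVENT = (
    '{"message":{"violationId":"BC_AWS_S3_15",'
    '"resource":"arn:aws:s3:::scanners-bc-bridgecrewcws-809694787632",'
    '"firstDetectionDate":"2020-05-19T11:53:40.573Z",'
    '"title":"Ensure all data is transported from the S3 bucket securely",'
    '"category":"S3",'
    '"guideline":"https://www.bridgecrew.cloud/incidents/BC_AWS_S3_15?tab=Guidelines"},'
    '"severity":"HIGH"}'
)
# Constructed malformed sample: no violationId, resource, date, etc.
MALFORMED_EVENT = '{"message":{"title":"no id"},"severity":"HIGH"}'


def parse_incident(raw):
    """Flatten one Bridgecrew->Splunk event into a dict of the seven fields.

    Each field is looked up inside `message` first and at the top level second
    (where `severity` lives in the page's example). Raises ValueError for
    non-JSON input, a missing `message` object, or any absent field.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from exc
    msg = data.get("message") if isinstance(data, dict) else None
    if not isinstance(msg, dict):
        raise ValueError("missing 'message' object")
    flat = {k: msg.get(k, data.get(k)) for k in INCIDENT_FIELDS}
    missing = [k for k in INCIDENT_FIELDS if flat[k] is None]
    if missing:
        raise ValueError(f"incident missing fields: {missing}")
    # The page's timestamp is ISO 8601 with a trailing 'Z'; make it tz-aware UTC.
    flat["firstDetectionDate"] = datetime.fromisoformat(
        flat["firstDetectionDate"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return flat


def meets_threshold(incident, minimum="HIGH"):
    """True if the incident's severity is at or above `minimum` (unknown = 0)."""
    return SEVERITY_RANK.get(incident["severity"], 0) >= SEVERITY_RANK[minimum]


def triage(raw_events, minimum="HIGH"):
    """Split a batch of raw events into (actionable incidents, rejection reasons).

    Malformed events are reported rather than silently dropped, so a schema
    change on the sender side shows up in the rejection list.
    """
    accepted, rejected = [], []
    for raw in raw_events:
        try:
            incident = parse_incident(raw)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if meets_threshold(incident, minimum):
            accepted.append(incident)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage([SAMPLE_EVENT, MALFORMED_EVENT])
    for inc in ok:
        print(inc["severity"], inc["violationId"], inc["resource"],
              inc["firstDetectionDate"].isoformat())
    for reason in bad:
        print("rejected:", reason)
```

Keeping `parse_incident` strict (every documented field required) is the safer default for a detection pipeline: a notification that arrives without `violationId` or `guideline` cannot be routed or deduplicated, so surfacing it as a rejection is more useful than indexing a half-empty record.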