Set Up Splunk

Overview

You can configure Bridgecrew to send notifications to Splunk whenever it generates a new Incident. This integration uses Splunk’s HTTP Event Collector feature.

In Splunk

  1. Set up an HTTP Event Collector and copy the token. See full details here. Please make sure to configure the Source Type attribute to "bridgecrew".

  2. In Splunk’s Global Settings, ensure that the option for All Tokens is enabled.

  3. Set the Index you want Bridgecrew to post Incident notifications to as the default.

  4. If your organization requires IP-based access to its network, add all 3 IP addresses below to your ingress access configuration.
    Bridgecrew performs load balancing across those addresses.

    52.35.163.8
    44.231.203.74
    44.231.142.62

Note

If the Splunk instance is accessible from the internet on the HTTP Event Collector port (usually 8088), it is not necessary to set the Bridgecrew IP addresses in your ingress access configuration.

In Bridgecrew

  1. Under Notifications, press Splunk and then Integrate Splunk.
  2. Enter your Splunk URL.
  3. Paste in the token from Splunk and press Done.

Message Details

The following fields are embedded in the message sent to Splunk for each Incident.

  • category
  • severity
  • title
  • resource
  • firstDetectionDate
  • guideline
  • violationId

Example

  {
    "message": {
      "violationId": "BC_AWS_S3_15",
      "resource": "arn:aws:s3:::scanners-bc-bridgecrewcws-809694787632",
      "firstDetectionDate": "2020-05-19T11:53:40.573Z",
      "title": "Ensure all data is transported from the S3 bucket securely",
      "category": "S3",
      "guideline": "https://www.bridgecrew.cloud/incidents/BC_AWS_S3_15?tab=Guidelines"
    },
    "severity": "HIGH"
  }
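To check the collector before enabling the integration, and to see how the seven documented fields map onto an HEC envelope (note that severity sits beside, not inside, the nested message object), here is an added Python example; it is not Bridgecrew's or Splunk's own code. It assumes Splunk's standard HEC endpoint path /services/collector/event with token authentication, and the URL, token and index name used are placeholders.

```python
import json
import urllib.request

# Constructed sample: the Incident payload from the Example section above.
SAMPLE_INCIDENT = {
    "message": {
        "violationId": "BC_AWS_S3_15",
        "resource": "arn:aws:s3:::scanners-bc-bridgecrewcws-809694787632",
        "firstDetectionDate": "2020-05-19T11:53:40.573Z",
        "title": "Ensure all data is transported from the S3 bucket securely",
        "category": "S3",
        "guideline": "https://www.bridgecrew.cloud/incidents/BC_AWS_S3_15?tab=Guidelines",
    },
    "severity": "HIGH",
}

# The seven fields listed under Message Details.
EXPECTED_FIELDS = {"category", "severity", "title", "resource",
                   "firstDetectionDate", "guideline", "violationId"}


def flatten_incident(event):
    """Merge message.* with the top-level severity so every documented
    field is a sibling; raise if any documented field is absent."""
    flat = dict(event.get("message", {}))
    flat["severity"] = event.get("severity")
    missing = EXPECTED_FIELDS - {k for k, v in flat.items() if v is not None}
    if missing:
        raise ValueError("incident is missing fields: %s" % sorted(missing))
    return flat


def build_hec_request(splunk_url, token, incident, index=None):
    """Wrap an incident in an HEC envelope with sourcetype=bridgecrew (as
    step 1 in Splunk requires) and, optionally, an explicit target index."""
    envelope = {"sourcetype": "bridgecrew", "event": incident}
    if index:
        envelope["index"] = index
    return urllib.request.Request(
        splunk_url.rstrip("/") + "/services/collector/event",
        data=json.dumps(envelope).encode("utf-8"),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def send_test_event(request, timeout=10):
    """POST the request; HEC answers {"text": "Success", "code": 0} on success."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

Sending one flattened or raw sample event this way, then searching the target index for sourcetype=bridgecrew, confirms the token, index default and Source Type settings before real Incidents arrive.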
