Cloudflare Docs
Area 1 Email Security
Area 1 Email Security
Visit Area 1 Email Security on GitHub
Set theme to dark (⇧+D)

Splunk Cloud integration guide

When Area 1 detects a phishing email, the metadata of the detection can be sent directly to Splunk. This document outlines the steps required to integrate with Splunk Cloud.

A diagram outlining what happens when Area 1 detects a phishing email and sends it to Splunk.

​​ 1. Configure Splunk HTTP Event Collector

  1. Log in to Splunk with an administrator account.

  2. Go to Settings > Data inputs.

    Go to Data inputs to configure your settings.
  3. In Local inputs > Type, select HTTP Event Collector to access this configuration and create a new collector.

    Select HTTP Event Collectors as the type of your collector.
  4. Select the New Token button to start the configuration.

  5. Provide a descriptive name for the Area 1 token (for example, Area 1 Email Detections), and leave the Enable indexer acknowledgement unchecked.

    Enter a descriptive name for your new token, but leave Enable indexer acknowledgement checkbox unchecked.
  6. Select Next to continue.

  7. Configure the Input Settings for the HTTP Event Collector based on your environment.

    Configure the Input Settings based on your environment
  8. You may also select Create a new index to create new settings for Area 1 events, with a Max Size of Entire Index and Retention (days) that fits your environment.

    Optionally, create a new index for Area 1 events
  9. For this example, we created a new area1_index index, and added it to the configuration.

    Example of a new index added to the configuration
  10. Select Review > Submit to review your settings and create the collector.

  11. Take note of the token value in this next screen. This value is required for the Area 1 configuration in the next step. You can also retrieve the token from the HTTP Event Collector configuration panel, in Settings > Data inputs > HTTP Event Collector.

    Example of a new index added to the configuration

​​ 2. Test your HTTP Event Collector

To test your the HTTP Event Collector, you can manually inject an event into Splunk by using the following cURL command:


curl https://{host}:8088/services/collector/event \
--header 'Authorization: Splunk <YOUR_TOKEN>' \
--data '{
"sourcetype": "<YOUR_SOURCE_TYPE",
"event":"Hello, World!"
}'

​​ Request formats

When creating requests to Splunk, the URL and port number change according to the type of Splunk setup:

  • Splunk Cloud Platform free trial: <protocol>://http-inputs-<host>.splunkcloud.com:8088/<endpoint>
  • Splunk Cloud Platform: <protocol>://http-inputs-<host>.splunkcloud.com:443/<endpoint>
  • Splunk Enterprise: <protocol>://<host>:8088/<endpoint>

Refer to the Splunk documentation for more information.

If your instance is on-premise, specify the appropriate hostname and ensure that your firewall allows the configured port through to your instance. The connections will be coming from the following egress IP addresses, if you need them for your access control lists (ACLs):

  • 52.11.209.211
  • 52.89.255.11
  • 52.0.67.109
  • 54.173.50.115

If all the requirements are met, you will receive the following response back to the cURL command:


{"text":"Success","code":0}

Additionally, you can search your instance of Splunk for the test event with index or other search criteria (for example, index="area1_index"):

Example of a new index added to the configuration

​​ 3. Configure Area 1

The next step is to configure Area 1 to push the Email Detection Event to the Splunk HTTP Event Collector.

  1. Log in to the Area 1 dashboard.
  2. Go to Email Configuration > Alert Webhooks, and select New Webhook.
  3. In the Add Webhooks page, enter the following settings:
    • App type: Select SIEM > Splunk, and enter the auth code you took note of the previous step.
    • Target: Enter the target URI of your Splunk instance. It will typically have the https://<host>:8088/services/collector format. Refer to Request formats to learn more about how your Splunk subscription affects the URI.
    • For the dispositions (MALICIOUS, SUSPICIOUS, SPOOF, SPAM, BULK) choose which (if any) you want to send to the webhook. Sending SPAM and BULK dispositions will generate a high number of events.
  4. Select Publish Webhook.

Your Splunk integration will now show up in the All Webhooks panel.

The All Webhooks section will show your Splunk webhook

It will take about ten minutes or so for the configuration to fully propagate through the infrastructure of Cloudflare Area 1, and for events to start to appear in your searches. Once the configuration is propagated, events will start to appear in your instance of Splunk.