Set Up the InsightConnect App for Splunk

The Splunk app lets you trigger InsightConnect workflows based on alerts you’ve configured.

In order to set up the InsightConnect app for Splunk, you will need to:

  1. Create a workflow with an API Trigger.
  2. Generate an Insight API key.
  3. Set up and send alerts to InsightConnect from Splunk.

Create a Workflow with an API Trigger

To set up the Splunk app to send data to InsightConnect, you will need to create a new workflow using an API trigger. After you configure the API trigger, it will display a generated URL, like: https://us.api.insight.rapid7.com/connect/v1/workflows/25ffe298-20b2-4bbb-995d-122218214a17/events/execute. Copy this URL, because you will need it later.

After you configure your API trigger, you can configure the rest of your workflow steps as you need. Keep in mind that the API trigger you have configured will need to have its output defined, which can change depending on how you configure your Splunk instance.

To simplify this experience, we’ve included a starter InsightConnect workflow that you can import that contains a configured API trigger with defined outputs.

Generate an Insight API Key

After you have configured your workflow, you will need to generate and copy an API key. You will need to copy and provide it later when you set up your alerts from Splunk to InsightConnect.

Set Up and Send Alerts to InsightConnect from Splunk

At this point, you’ve completed all the necessary steps within InsightConnect. You will now need access to your Splunk instance to continue setting up the alert provided by the InsightConnect App for Splunk.

To set up and send alerts to InsightConnect from Splunk:

  1. Open the Search & Reporting app.
  2. Create a search, click the "Save As" button and choose "Alert."
  3. Configure the alert as needed. When you are done, click "Add Actions" and choose "Send to Rapid7 InsightConnect."
  4. In the "Trigger URL" field, enter the "Generated URL" from the API trigger.
  5. In the "X-API-Key" field, enter the Insight API key that you generated earlier.
  6. Save your changes. Alerts will now be sent from your Splunk instance to the InsightConnect workflow you configured earlier.
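Before saving the Splunk alert, it is worth confirming that the trigger URL and the API key are accepted by the workflow. The script below is an added example and is not part of the InsightConnect App for Splunk: it checks that the URL has the shape the API trigger displays, reads the key from an environment variable rather than storing it in the search, and sends one constructed test event with the key in the X-API-Key header. The JSON body and its field names are assumptions, since the page leaves the event shape to your Splunk configuration.

```python
"""Send a test event to an InsightConnect API trigger before wiring up Splunk.

Added example, not code from the InsightConnect App for Splunk. Assumes the
trigger URL has the shape shown above and that the trigger accepts a JSON body;
the event fields are a constructed sample.
"""
import json
import os
import re
import urllib.request
from urllib.parse import urlparse

# Path of the URL the API trigger displays: the workflow id is a UUID, the
# region prefix of the host (e.g. "us") varies per account.
TRIGGER_PATH = re.compile(
    r"^/connect/v1/workflows/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"/events/execute$"
)


def validate_trigger_url(url: str) -> bool:
    """True only for an https URL on an Insight platform host with the trigger path."""
    parsed = urlparse(url)
    return (
        parsed.scheme == "https"
        and parsed.hostname is not None
        and parsed.hostname.endswith(".api.insight.rapid7.com")
        and TRIGGER_PATH.match(parsed.path) is not None
    )


def build_request(url: str, api_key: str, event: dict) -> urllib.request.Request:
    """Build the POST the alert action makes: JSON body, key sent in X-API-Key."""
    if not validate_trigger_url(url):
        raise ValueError("not an InsightConnect API trigger URL")
    if not api_key:
        raise ValueError("X-API-Key must not be empty")
    headers = {"Content-Type": "application/json", "X-API-Key": api_key}
    return urllib.request.Request(url, data=json.dumps(event).encode(),
                                  headers=headers, method="POST")


def send_test_event(url: str, api_key: str, event: dict, timeout: int = 10) -> int:
    """POST one event and return the HTTP status the trigger answered with."""
    with urllib.request.urlopen(build_request(url, api_key, event), timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    key = os.environ["INSIGHT_API_KEY"]  # keep the key out of the script and the search
    sample = {"search_name": "Suspicious logon", "host": "ws01", "user": "jdoe"}  # constructed
    print(send_test_event(os.environ["TRIGGER_URL"], key, sample))
```

Run it with TRIGGER_URL and INSIGHT_API_KEY set in the environment; a successful response means the workflow accepted the event, and the resulting run should appear in the workflow's job list.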