Splunk Integration

Integrating ManageEngine Endpoint Central with Splunk consolidates the vulnerability data Endpoint Central collects in one place for monitoring and management. Splunk's analytics let you examine vulnerability trends, patterns and anomalies and prioritize remediation by risk and impact, and its dashboards and reports can be customized to present that data in a clear, actionable way. In short, the integration brings Splunk's analytics, real-time monitoring and visualization to Endpoint Central's vulnerability management.

Note: The Splunk integration feature is available on build DC-11.3.2430.01 and above.

Generating Authentication Code and Integrating Splunk with Endpoint Central Cloud

  • Navigate to the Splunk homepage.
  • Click on the Apps option in the header menu.
  • Select the ManageEngine Endpoint Central Add-On app.
  • Navigate to Configurations and click the Add button to add your server.
  • In the pop-up window, choose Endpoint Central Cloud from the Endpoint Central Server dropdown menu.
  • For guidance on the Endpoint Central Server URL and Zoho Accounts Server URL, refer to this document. Fill in the appropriate values based on your data center.
  • To generate the Client ID, Client Secret, and Code, open the developer console for your data center as specified in this document.
  • Log in with your Endpoint Central Cloud account.
  • Select Self Client, click Create Now, and then OK to enable the self client.
  • Copy the Client ID and Client Secret from the console and paste them into Splunk. Treat the Client Secret as a credential: together with a valid code it is all that is needed to obtain tokens with the scopes below, so do not paste it anywhere other than the add-on's configuration.
  • To generate the code, click the Generate Code tab in the API Developer Console.
  • Assign the scopes: copy the line below and paste it into the Scope field.

    DesktopCentralCloud.SplunkIntegration.READ,DesktopCentralCloud.SplunkIntegration.CREATE,DesktopCentralCloud.VulnerabilityMgmt.READ

  • Set the time duration to 10 minutes, provide a description, and then click the CREATE button. The code is only valid for the duration you set, so complete the next step before it expires.
  • Copy the generated code, paste it into Splunk, and then click Add.
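What the add-on does with the Client ID, Client Secret and Code once you click Add is a standard OAuth authorization-code exchange against the Zoho Accounts Server. The script below is an added example, not the add-on's own code and not from this page: it builds that exchange, then fails closed unless the response carries a refresh token and echoes every scope from the line above. Assumptions not stated on the page: the token endpoint path `/oauth/v2/token` under the Zoho Accounts Server URL and the response fields (`refresh_token`, `access_token`, `expires_in`, `scope`) are taken from Zoho's public OAuth documentation; the sample response at the bottom is constructed and contains no real tokens.

```python
"""Exchange a self-client authorization code for tokens and verify what was granted.

Added example, not the ManageEngine add-on's code. Assumed (not stated on the page):
  * the token endpoint is <Zoho Accounts Server URL>/oauth/v2/token with the
    standard authorization_code grant, as in Zoho's public OAuth docs;
  * the JSON response echoes the granted scopes in a "scope" field.
"""
import json
import re
import urllib.parse
import urllib.request

# The three scopes the page asks you to paste into the console, in that order.
REQUIRED_SCOPES = (
    "DesktopCentralCloud.SplunkIntegration.READ",
    "DesktopCentralCloud.SplunkIntegration.CREATE",
    "DesktopCentralCloud.VulnerabilityMgmt.READ",
)


def scope_string(scopes=REQUIRED_SCOPES):
    """Comma-separated scope list exactly as the console's Scope field expects it."""
    return ",".join(scopes)


def build_token_request(accounts_url, client_id, client_secret, code):
    """Return (url, form_body) for the code-to-token exchange.

    The client secret and the code travel in the POST body, never in the query
    string, so they do not end up in proxy or web-server access logs.
    """
    url = accounts_url.rstrip("/") + "/oauth/v2/token"  # assumed endpoint path
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
    }).encode()
    return url, body


def check_grant(response, required=REQUIRED_SCOPES):
    """Fail closed on an error response, a missing refresh token, or missing scopes.

    Returns the sorted list of granted scopes. The refresh token is what a
    long-running collector keeps; the access token expires after expires_in seconds.
    """
    if "error" in response:
        # Expired (the console's time duration) or already-used codes are rejected here.
        raise ValueError(f"token endpoint returned error: {response['error']}")
    if not response.get("refresh_token"):
        raise ValueError("no refresh_token in response; nothing to persist for later polls")
    if "scope" not in response:
        raise ValueError("response did not echo granted scopes; cannot verify the grant")
    granted = {s for s in re.split(r"[,\s]+", response["scope"]) if s}
    missing = set(required) - granted
    if missing:
        raise ValueError("grant is missing scopes: " + ",".join(sorted(missing)))
    return sorted(granted)


def grant_is_valid(response, required=REQUIRED_SCOPES):
    """Boolean form of check_grant for callers that only want a verdict."""
    try:
        check_grant(response, required)
    except ValueError:
        return False
    return True


def exchange_code(accounts_url, client_id, client_secret, code, opener=urllib.request.urlopen):
    """Perform the exchange over HTTPS and return (refresh_token, granted_scopes)."""
    url, body = build_token_request(accounts_url, client_id, client_secret, code)
    req = urllib.request.Request(url, data=body, method="POST")
    with opener(req, timeout=30) as resp:
        data = json.load(resp)
    return data["refresh_token"], check_grant(data)


if __name__ == "__main__":
    # Constructed response, not real tokens: what a successful exchange looks like.
    sample = {"access_token": "1000.example", "refresh_token": "1000.example-refresh",
              "expires_in": 3600, "token_type": "Bearer", "scope": scope_string()}
    print(check_grant(sample))
```

The scope check matters because a code generated with fewer scopes than the line above is still accepted by the token endpoint; the add-on would then fail later, on its first API call, with a much less obvious error.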

  • Creating an input with the Endpoint Central Cloud server configuration

    • Navigate to the Inputs tab in Splunk and click the Create New Input button.
    • In the pop-up window, enter the required information. From the Global Account dropdown, select the Endpoint Central Cloud server you configured.
    • Click the Add button. If all inputs are valid, the input is added.
    • Valid inputs:

    • Name: a unique name with no white space.
    • Interval: the polling interval in seconds; must be between 3600 and 86400.
    • Index: the Splunk index the events are written to; leave it as Default unless you route them elsewhere.
    • Global Account: the Endpoint Central Cloud server configured in the Configurations section.
    • The added input is then displayed in the list.

    Viewing data in Splunk

    • Navigate to the Search tab in the app.
    • Once an input is configured, the add-on starts synchronizing with the Endpoint Central Cloud server and posting data to Splunk.
    • Currently, only vulnerability data from Endpoint Central is posted to Splunk.

    • The vulnerability data is posted under the sourcetype manageengine:ec:vulnerability.
    • To view the posted data, run the following search (index=* scans every index you can read; narrowing it to the index you chose when creating the input is faster):

    index=* sourcetype="manageengine:ec:vulnerability"
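An input can exist and still deliver nothing (expired grant, network path closed, interval misconfigured), and the search above only tells you that some events arrived at some point. The script below is an added example, not part of the add-on or of this page: it pulls a freshness summary of the sourcetype through Splunk's search export REST endpoint and flags any event source whose newest vulnerability event is older than two polling intervals. Assumptions not on the page: the `/services/search/jobs/export` endpoint and the `Authorization: Splunk <session key>` header are Splunk's documented REST API; the sample rows are constructed, not real data; and the `host` field is whatever the add-on stamps on its events, so switch the grouping field to `source` if every event carries the Splunk server's own hostname.

```python
"""Check that the Endpoint Central vulnerability input is actually delivering data.

Added example, not the add-on's code. Assumes Splunk's documented REST search
export endpoint and session-key header; sample rows below are constructed.
"""
import json
import time
import urllib.parse
import urllib.request

SOURCETYPE = "manageengine:ec:vulnerability"

# The page's search, narrowed to a per-host freshness summary. Change "by host"
# to "by source" if the add-on stamps every event with the Splunk host's own name.
FRESHNESS_SEARCH = (
    f'search index=* sourcetype="{SOURCETYPE}" earliest=-7d '
    "| stats max(_time) as last_seen count as events by host"
)


def interval_is_valid(interval_seconds):
    """The add-on accepts polling intervals between 3600 and 86400 seconds."""
    return 3600 <= interval_seconds <= 86400


def stale_hosts(rows, interval_seconds, now=None, slack=2.0, key="host"):
    """Return {key: age_seconds} for rows whose newest event is older than slack x interval.

    rows: dicts with `key` and 'last_seen' (epoch seconds, string or number),
    exactly as the export endpoint returns "result" objects in output_mode=json.
    Two intervals of slack tolerates one missed poll without paging anyone.
    """
    if not interval_is_valid(interval_seconds):
        raise ValueError("interval must be between 3600 and 86400 seconds")
    now = time.time() if now is None else now
    limit = slack * interval_seconds
    stale = {}
    for row in rows:
        age = now - float(row["last_seen"])
        if age > limit:
            stale[row[key]] = age
    return stale


def fetch_rows(splunk_url, session_key, search=FRESHNESS_SEARCH, opener=urllib.request.urlopen):
    """Run `search` via the export endpoint and return its result rows (assumed API)."""
    url = (splunk_url.rstrip("/") + "/services/search/jobs/export?"
           + urllib.parse.urlencode({"output_mode": "json"}))
    body = urllib.parse.urlencode({"search": search}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Authorization": f"Splunk {session_key}"})
    rows = []
    with opener(req, timeout=60) as resp:
        for line in resp:  # export streams newline-delimited JSON objects
            line = line.strip()
            if not line:
                continue
            obj = json.loads(line)
            if "result" in obj:
                rows.append(obj["result"])
    return rows


# Constructed sample rows (not real data): one host polled recently, one silent for two days.
SAMPLE_NOW = 1_700_000_000
SAMPLE_ROWS = [
    {"host": "ec-server-01", "last_seen": str(SAMPLE_NOW - 1800), "events": "412"},
    {"host": "ec-server-02", "last_seen": str(SAMPLE_NOW - 2 * 86400), "events": "7"},
]

if __name__ == "__main__":
    # Offline run over the constructed rows with a 3600-second input interval.
    for host, age in stale_hosts(SAMPLE_ROWS, 3600, now=SAMPLE_NOW).items():
        print(f"{host}: no vulnerability events for {age / 3600:.1f} h")
```

Note the edge at the longest allowed interval: with an input polled every 86400 seconds, a host that last reported two days ago is exactly at the limit and is not flagged; only a third missed day trips the check.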

    Kindly contact support for any queries.