# Splunk & SIEM Integration

Forward CBOM events and asset data to Splunk (or any SIEM) for correlation with other security events. Give your SOC visibility into cryptographic risk alongside network, endpoint, and application security data.

## What It Does

The SIEM integration sends structured event data from CBOM to your security monitoring platform:

- New asset discoveries — When crypto assets are found during scans
- Risk level changes — When an asset’s quantum risk classification changes
- Policy violations — When assets fail compliance checks
- Certificate lifecycle events — Expiry, renewal, revocation
- Scan metadata — Scan success/failure, coverage metrics

This enables your SOC to correlate crypto events with other security signals — for example, detecting when a compromised certificate is still being used in network traffic.
## Integration Methods

| Method | Best For | Protocol |
|---|---|---|
| HTTP Event Collector (HEC) | Splunk Cloud, Splunk Enterprise | HTTPS POST |
| Syslog Forwarding | Any SIEM (QRadar, ArcSight, LogRhythm) | Syslog (CEF/LEEF) |
| API Polling | SIEMs that pull data | REST API |

### Method 1: Splunk HTTP Event Collector (HEC)

#### Configuration (Planned)

```yaml
integrations:
  splunk:
    method: hec
    hec_url: https://splunk.company.com:8088/services/collector
    hec_token: "..."
    index: security
    source_type: cbom:events
    source: cbom-platform
    verify_ssl: true
    batch:
      max_events: 100
      flush_interval: 30s
    events:
      - new_asset_discovered
      - risk_level_changed
      - policy_violation
      - cert_expired
      - cert_expiry_warning
      - lifecycle_state_changed
      - scan_completed
      - compromised_asset
```

#### Example HEC Event

```json
{
  "time": 1710432000,
  "source": "cbom-platform",
  "sourcetype": "cbom:events",
  "index": "security",
  "event": {
    "event_type": "policy_violation",
    "severity": "CRITICAL",
    "asset": {
      "id": "abc123",
      "name": "payment-service signing key",
      "type": "private-key",
      "algorithm": "RSA-2048",
      "key_size": 2048,
      "quantum_risk": "CRITICAL",
      "locations": ["prod-payment-01:/etc/ssl/private/payment.key"]
    },
    "policy": {
      "name": "NIST-PQC Compliance",
      "rule": "asymmetric_key_quantum_safe",
      "violation": "RSA-2048 is vulnerable to quantum attack"
    },
    "remediation": "Migrate to ML-DSA-65 or ML-KEM-768",
    "cbom_url": "https://cbom.company.com/assets/abc123"
  }
}
```
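The envelope above is what HEC expects on `/services/collector`; the planned `batch` settings imply a sender that buffers envelopes and flushes on a count or a timer. The following is an added example, not code from the CBOM project, showing how such a sender would wrap an event, concatenate a batch into one POST body, and authenticate with the `Splunk <token>` header. It uses only the standard library; the `SAMPLE_EVENT`, the `HecBatcher` class and its injectable `post` hook are assumptions for illustration.

```python
"""Added example (not CBOM project code): wrap CBOM events in the HEC envelope
and ship them in batches, mirroring the planned max_events / flush_interval."""
import json
import ssl
import time
import urllib.request

# Constructed sample, shaped like the "event" object of the HEC example above.
SAMPLE_EVENT = {
    "event_type": "policy_violation",
    "severity": "CRITICAL",
    "asset": {
        "id": "abc123",
        "name": "payment-service signing key",
        "type": "private-key",
        "algorithm": "RSA-2048",
        "quantum_risk": "CRITICAL",
    },
    "policy": {"name": "NIST-PQC Compliance", "rule": "asymmetric_key_quantum_safe"},
    "cbom_url": "https://cbom.company.com/assets/abc123",
}


def to_hec_envelope(event, *, when=None, index="security",
                    source="cbom-platform", sourcetype="cbom:events"):
    """Build the /services/collector envelope. 'time' is epoch seconds; if it
    were omitted, HEC would stamp the event with its receipt time instead."""
    return {
        "time": int(time.time() if when is None else when),
        "source": source,
        "sourcetype": sourcetype,
        "index": index,
        "event": event,
    }


def encode_batch(envelopes):
    """HEC accepts several JSON objects concatenated in a single POST body,
    so a batch is just the envelopes serialised back to back."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in envelopes).encode()


class HecBatcher:
    """Buffers envelopes and flushes on max_events or flush_interval.
    'post' is injectable so the batching logic runs without a Splunk instance."""

    def __init__(self, hec_url, hec_token, *, max_events=100, flush_interval=30.0,
                 verify_ssl=True, post=None):
        self.hec_url = hec_url
        self.hec_token = hec_token
        self.max_events = max_events
        self.flush_interval = flush_interval
        self.verify_ssl = verify_ssl
        self._post = post or self._http_post
        self.pending = []
        self._last_flush = time.monotonic()

    def add(self, event, when=None):
        """Queue one event; returns the number flushed if this add triggered a flush."""
        self.pending.append(to_hec_envelope(event, when=when))
        due = time.monotonic() - self._last_flush >= self.flush_interval
        if len(self.pending) >= self.max_events or due:
            return self.flush()
        return None

    def flush(self):
        if not self.pending:
            return 0
        count = len(self.pending)
        self._post(encode_batch(self.pending))
        self.pending = []
        self._last_flush = time.monotonic()
        return count

    def _http_post(self, body):
        # HEC authenticates with "Authorization: Splunk <token>", not Bearer.
        req = urllib.request.Request(
            self.hec_url, data=body, method="POST",
            headers={"Authorization": f"Splunk {self.hec_token}",
                     "Content-Type": "application/json"})
        ctx = ssl.create_default_context()
        if not self.verify_ssl:
            # Equivalent of verify_ssl: false. The HEC token would then be sent
            # to an unauthenticated peer, so keep verification on outside a lab.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status


if __name__ == "__main__":
    # Dry run: print the batch body instead of posting it.
    batcher = HecBatcher("https://splunk.company.com:8088/services/collector",
                         "REPLACE-WITH-HEC-TOKEN", max_events=100,
                         post=lambda body: print(body.decode()))
    batcher.add(SAMPLE_EVENT, when=1710432000)
    print(batcher.flush(), "event(s) flushed")
```

Flushing on a timer as well as on a count matters for low-volume event types such as `compromised_asset`: a batch of one should not wait for 99 more events before the SOC sees it.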

### Method 2: Syslog Forwarding (CEF)

#### Configuration (Planned)

```yaml
integrations:
  siem:
    method: syslog
    host: siem.company.com
    port: 514
    protocol: tcp  # tcp, udp, or tls
    format: cef    # cef or leef
    facility: local4
    events:
      - policy_violation
      - cert_expired
      - compromised_asset
      - risk_level_changed
```

#### Example CEF Message

```
CEF:0|QCecuring|CBOM|1.0|POLICY_VIOLATION|Crypto Policy Violation|9| src=prod-payment-01 cs1=payment-service signing key cs1Label=AssetName cs2=RSA-2048 cs2Label=Algorithm cs3=NIST-PQC Compliance cs3Label=PolicyName cs4=CRITICAL cs4Label=RiskLevel msg=RSA-2048 key violates quantum-safe requirement request=https://cbom.company.com/assets/abc123
```
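CEF has two escaping regimes: `|` and `\` in the pipe-delimited header, and `=` and `\` (plus newlines) in the `key=value` extension. Asset names and policy names are free text, so a forwarder that skips escaping will corrupt or split fields in the SIEM. The following is an added example, not code from the CBOM project, that renders an event into the CEF line shown above with correct escaping and wraps it in a syslog frame for the configured `local4` facility. The severity mapping (only `CRITICAL` → 9 is on the page), the per-event-type names other than the policy-violation one, and the use of `policy.violation` as `msg` are assumptions.

```python
"""Added example (not CBOM project code): render a CBOM event as a CEF line
with proper escaping, and compute the syslog priority for a facility."""
import time

# Assumed mapping from CBOM severity to the CEF 0-10 scale (page shows CRITICAL -> 9).
SEVERITY_TO_CEF = {"CRITICAL": 9, "HIGH": 7, "MEDIUM": 5, "LOW": 3, "INFO": 1}

# Assumed human-readable names per event type; only the first is on the page.
EVENT_NAMES = {
    "policy_violation": "Crypto Policy Violation",
    "cert_expired": "Certificate Expired",
    "compromised_asset": "Compromised Crypto Asset",
    "risk_level_changed": "Quantum Risk Level Changed",
}

# Syslog facility numbers: local0 = 16 ... local7 = 23.
FACILITIES = {f"local{i}": 16 + i for i in range(8)}

# Constructed sample event, shaped like the HEC example's "event" object.
SAMPLE_EVENT = {
    "event_type": "policy_violation",
    "severity": "CRITICAL",
    "asset": {"id": "abc123", "name": "payment-service signing key",
              "algorithm": "RSA-2048", "quantum_risk": "CRITICAL",
              "locations": ["prod-payment-01:/etc/ssl/private/payment.key"]},
    "policy": {"name": "NIST-PQC Compliance",
               "violation": "RSA-2048 is vulnerable to quantum attack"},
    "cbom_url": "https://cbom.company.com/assets/abc123",
}


def _esc_header(value):
    # In the pipe-delimited header only backslash and pipe are special.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # In key=value extensions backslash and '=' are escaped; newlines become \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def cef_message(event, vendor="QCecuring", product="CBOM", version="1.0"):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext...'."""
    asset = event.get("asset", {})
    policy = event.get("policy", {})
    etype = event["event_type"]
    header = "|".join(_esc_header(v) for v in (
        "CEF:0", vendor, product, version, etype.upper(),
        EVENT_NAMES.get(etype, etype),
        SEVERITY_TO_CEF.get(event.get("severity", "INFO"), 1)))
    # The host half of the first "host:path" location becomes src.
    locations = asset.get("locations") or []
    src = locations[0].split(":", 1)[0] if locations else None
    ext = [("src", src)]
    for key, value, label in (("cs1", asset.get("name"), "AssetName"),
                              ("cs2", asset.get("algorithm"), "Algorithm"),
                              ("cs3", policy.get("name"), "PolicyName"),
                              ("cs4", asset.get("quantum_risk"), "RiskLevel")):
        if value is not None:           # emit the label only with its value
            ext += [(key, value), (key + "Label", label)]
    ext += [("msg", policy.get("violation")), ("request", event.get("cbom_url"))]
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext if v is not None)


def syslog_line(cef, host, facility="local4", severity=2, timestamp=None):
    """Wrap the CEF payload in an RFC 3164 frame '<PRI>TIMESTAMP HOST MSG',
    where PRI = facility * 8 + severity (severity 2 = critical)."""
    pri = FACILITIES[facility] * 8 + severity
    stamp = timestamp or time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {host} {cef}"


if __name__ == "__main__":
    print(syslog_line(cef_message(SAMPLE_EVENT), "cbom-platform"))
```

When `protocol: tcp` or `tls` is used, frame each message with a trailing newline (or RFC 6587 octet counting) so the receiver can split the stream; UDP delivery has no such need but silently drops messages under load, which matters for `compromised_asset` events.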

### Method 3: API Polling

For SIEMs that prefer to pull data:

```http
GET /api/v1/events?since=2025-03-14T00:00:00Z&types=policy_violation,cert_expired
Authorization: Bearer <api-key>
```

Response:

```json
{
  "events": [
    {
      "id": "evt_001",
      "timestamp": "2025-03-14T14:32:00Z",
      "type": "policy_violation",
      "severity": "CRITICAL",
      "asset_id": "abc123",
      "details": { ... }
    }
  ],
  "pagination": {
    "next_cursor": "eyJ0..."
  }
}
```
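A pull-mode collector has to do three things the single request above does not show: follow `next_cursor` until it is null, tolerate an event being repeated across page boundaries, and persist a `since` watermark so the next poll neither misses nor replays events. The following is an added example, not code from the CBOM project, of such a client with an offline stand-in for the API. It assumes the cursor is returned to the server as a `cursor` query parameter (the page does not say how), that timestamps are ISO-8601 UTC strings, and a base URL of `https://cbom.company.com`; `FAKE_PAGES` is constructed data.

```python
"""Added example (not CBOM project code): pull-mode client for the events
endpoint that follows next_cursor, de-duplicates by id and returns a new
'since' watermark for the next poll."""
import json
import urllib.parse
import urllib.request

API_BASE = "https://cbom.company.com"  # assumed base URL


def build_events_url(base, since, types, cursor=None):
    params = {"since": since, "types": ",".join(types)}
    if cursor:
        params["cursor"] = cursor  # assumed parameter name for the cursor
    # safe=":," keeps the timestamp and type list readable, as on the page.
    return f"{base}/api/v1/events?" + urllib.parse.urlencode(params, safe=":,")


def http_fetcher(api_key, timeout=10):
    """Return a fetch(url) -> dict function that sends the Bearer token."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch


def poll_events(fetch, since, types, base=API_BASE, max_pages=100):
    """Drain all pages since the watermark. Returns (events, new_since).
    max_pages bounds a cursor that never becomes null."""
    events, seen, cursor = [], set(), None
    for _ in range(max_pages):
        page = fetch(build_events_url(base, since, types, cursor))
        for ev in page.get("events", []):
            if ev["id"] in seen:      # overlap between pages is harmless
                continue
            seen.add(ev["id"])
            events.append(ev)
        cursor = (page.get("pagination") or {}).get("next_cursor")
        if not cursor:
            break
    # Same-format ISO-8601 UTC strings sort lexically, so max() is the latest.
    new_since = max((ev["timestamp"] for ev in events), default=since)
    return events, new_since


# Constructed two-page response, shaped like the response above, keyed by cursor.
FAKE_PAGES = {
    None: {
        "events": [
            {"id": "evt_001", "timestamp": "2025-03-14T14:32:00Z",
             "type": "policy_violation", "severity": "CRITICAL", "asset_id": "abc123"},
            {"id": "evt_002", "timestamp": "2025-03-14T15:00:00Z",
             "type": "cert_expired", "severity": "HIGH", "asset_id": "def456"},
        ],
        "pagination": {"next_cursor": "page-2-cursor"},
    },
    "page-2-cursor": {
        "events": [
            {"id": "evt_002", "timestamp": "2025-03-14T15:00:00Z",   # repeated
             "type": "cert_expired", "severity": "HIGH", "asset_id": "def456"},
            {"id": "evt_003", "timestamp": "2025-03-14T15:10:00Z",
             "type": "policy_violation", "severity": "CRITICAL", "asset_id": "ghi789"},
        ],
        "pagination": {"next_cursor": None},
    },
}


def fake_fetch(url):
    """Offline stand-in for http_fetcher(): serves FAKE_PAGES by cursor."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return FAKE_PAGES[query.get("cursor", [None])[0]]


if __name__ == "__main__":
    evs, watermark = poll_events(fake_fetch, "2025-03-14T00:00:00Z",
                                 ["policy_violation", "cert_expired"])
    print(len(evs), "new events; next poll since", watermark)
```

Store the returned watermark durably (not in process memory) so a collector restart resumes from the last event it actually ingested rather than from "now".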

## Splunk Dashboards

With CBOM data in Splunk, build dashboards for:

### Crypto Risk Overview

- Total assets by quantum risk level
- Violations over time (trend)
- Top violated policies
- Assets approaching expiry

### SOC Correlation

- Compromised certificates still seen in network traffic
- Weak algorithms used in active TLS sessions
- Policy violations correlated with vulnerability scan findings
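The first correlation in the list above, a compromised certificate still being presented in TLS sessions, is a join between CBOM `compromised_asset` events and the network sensor's TLS log on the certificate fingerprint. The following is an added example, not code from the CBOM project, that runs that detection over constructed sample data; it is written in plain Python so the logic can be read without Splunk, but a saved search doing the same join is what would feed the dashboard panel. The field names `asset.fingerprint_sha256` and `cert_sha256` are assumptions: the page does not specify which fields the event or the TLS log carries.

```python
"""Added example (not CBOM project code): flag TLS sessions that present a
certificate after CBOM reported it compromised, over constructed sample data."""
import json
from collections import defaultdict

# Constructed CBOM events as they would arrive in the SIEM.
CBOM_EVENTS = [
    {"event_type": "compromised_asset", "timestamp": "2025-03-14T09:00:00Z",
     "asset": {"id": "abc123", "name": "payment-service TLS cert",
               "fingerprint_sha256": "AA11" * 16}},
    {"event_type": "compromised_asset", "timestamp": "2025-03-14T09:05:00Z",
     "asset": {"id": "def456", "name": "old-api TLS cert",
               "fingerprint_sha256": "BB22" * 16}},
    {"event_type": "cert_expired", "timestamp": "2025-03-14T09:10:00Z",
     "asset": {"id": "ghi789", "fingerprint_sha256": "CC33" * 16}},
]

# Constructed TLS connection log, one JSON object per line (assumed schema).
TLS_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2025-03-14T08:50:00Z", "src_ip": "10.0.0.5", "dst_ip": "10.1.0.10",
     "server_name": "pay.company.com", "cert_sha256": "AA11" * 16},   # before the report
    {"ts": "2025-03-14T10:15:00Z", "src_ip": "10.0.0.7", "dst_ip": "10.1.0.10",
     "server_name": "pay.company.com", "cert_sha256": "AA11" * 16},   # after: alert
    {"ts": "2025-03-14T10:20:00Z", "src_ip": "10.0.0.9", "dst_ip": "10.1.0.11",
     "server_name": "api.company.com", "cert_sha256": "DD44" * 16},   # not compromised
    {"ts": "2025-03-14T11:00:00Z", "src_ip": "10.0.0.7", "dst_ip": "10.1.0.10",
     "server_name": "pay.company.com", "cert_sha256": "aa11" * 16},   # lowercase hex
])


def compromised_fingerprints(events):
    """Map normalised fingerprint -> (asset, time it was reported compromised)."""
    return {
        ev["asset"]["fingerprint_sha256"].lower(): (ev["asset"], ev["timestamp"])
        for ev in events if ev["event_type"] == "compromised_asset"
    }


def correlate(events, tls_log_text):
    """Return one alert per TLS session that presented a compromised certificate
    at or after the time it was reported. Fingerprints compare case-insensitively
    because sensors differ in hex case."""
    bad = compromised_fingerprints(events)
    alerts = []
    for line in tls_log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        fp = rec.get("cert_sha256", "").lower()
        if fp in bad and rec["ts"] >= bad[fp][1]:   # ISO-8601 UTC sorts lexically
            asset, reported = bad[fp]
            alerts.append({"asset_id": asset["id"], "server_name": rec.get("server_name"),
                           "src_ip": rec["src_ip"], "dst_ip": rec["dst_ip"],
                           "seen_at": rec["ts"], "reported_at": reported})
    return alerts


def summarise(alerts):
    """Sessions per compromised asset: the count a dashboard panel would chart."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["asset_id"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = correlate(CBOM_EVENTS, TLS_LOG)
    for a in found:
        print(f"{a['seen_at']} {a['server_name']} {a['src_ip']}->{a['dst_ip']} "
              f"still presents the compromised cert of asset {a['asset_id']} "
              f"(reported {a['reported_at']})")
    print(summarise(found))
```

Sessions observed before the `compromised_asset` event are deliberately not alerted on: they belong to the incident timeline, not to the "still in use" panel, and mixing the two inflates the count the SOC is asked to drive to zero.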

### Compliance Posture

- Percentage of assets meeting PQC requirements
- Mean time to remediate violations
- Compliance trend over 30/60/90 days

## Compatible SIEM Platforms

| Platform | Method | Format |
|---|---|---|
| Splunk Enterprise | HEC | JSON |
| Splunk Cloud | HEC | JSON |
| IBM QRadar | Syslog | CEF/LEEF |
| Micro Focus ArcSight | Syslog | CEF |
| Elastic / ELK | API Polling or Webhook | JSON |
| Datadog | API Polling or Webhook | JSON |
| Microsoft Sentinel | API Polling | JSON |
| LogRhythm | Syslog | CEF |
| Sumo Logic | HEC-compatible | JSON |

## Use Cases

- SOC visibility — Crypto events appear alongside all other security data in your SIEM
- Correlation — Detect when compromised or expired certificates are still in active use
- Compliance dashboards — Build executive-level crypto posture views in Splunk
- Alerting — Use SIEM alerting rules to escalate critical crypto events
- Forensics — Historical crypto event data for incident investigation

## Related

- Integrations Overview — All available integrations
- Slack — Real-time team notifications
- ServiceNow — Incident creation for ITSM
- API Reference — Build custom SIEM integrations