ConductorOne Docs

🛠️ Splunk integration

ConductorOne provides identity governance and just-in-time provisioning for Splunk Enterprise. Integrate your Splunk Enterprise server with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

Are you a Splunk Cloud user? This page has instructions for integrating ConductorOne with Splunk Enterprise. If you want to integrate ConductorOne with your Splunk Cloud instance, follow the instructions in the Splunk connector's README file.

Overview

Organizations trust Splunk to prevent security, infrastructure and application issues from becoming major incidents, absorb shocks from digital disruptions, and accelerate digital transformation.

Availability

🛠️ The Splunk Enterprise integration uses ConductorOne's open-source Baton connector for Splunk.

Capabilities

  • Sync user identities from Splunk Enterprise to ConductorOne
  • Resources supported:
    • Deployments
    • Roles
    • Capabilities
    • Applications

Integrate your Splunk Enterprise instance

Before you begin: Prepare a Splunk Enterprise image for the baton-splunk connector by following the Splunk Enterprise documentation to Deploy and run Splunk Enterprise inside a Docker container. Note that the Splunk Docker image only supports x86_64 CPU architecture.

Step 1: Generate an API token

Before you begin: Make sure that token authentication is enabled for your Splunk Enterprise instance.

Splunk Enterprise authentication tokens inherit the same permission set as the user associated with the token. Make sure that the user associated with the token you create has permission to read all users, roles, deployments, capabilities, and applications for your instance.

If you want to create tokens for yourself, your account must have a role that has the edit_tokens_own capability. If you want to create tokens for another user on the instance (such as a service account), your account must have a role that has the edit_tokens_all capability.

  1. Sign in to Splunk Enterprise.

  2. Click Settings and select Tokens from the menu.

  3. If necessary, click Enable Token Authentication.

  4. On the Tokens page, click New Token.

  5. Fill out the form and click Create.

  6. The token is generated. Carefully copy and save the token value. We'll use it in Step 2.

Step 2: Install baton-splunk

  1. Run the Docker command shown below to install baton-splunk, substituting in the required credentials (see the baton-splunk repo's README for details).

    SPLUNK_ADMIN_PASSWORD=admin_pass BATON_TOKEN=token BATON_UNSAFE=true docker-compose up

    The instance comes with TLS disabled by default. To bypass validation of TLS certificates, set the BATON_UNSAFE environment variable to true or use the --unsafe flag.

    To get more verbose output, set the BATON_VERBOSE environment variable to true or use the --verbose flag. This mode lists Application and Capability entitlements and grants.
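
A preflight check for the token requirement in Step 1, as an added example that is not part of the baton-splunk project: it requests each resource type from the Splunk REST API with the token from Step 2 and reports which ones the token cannot read. SPLUNK_URL, its default port, and the mapping of resource types to REST paths are assumptions of this example; deployments are not checked.

```shell
#!/bin/sh
# Added example, not part of baton-splunk. SPLUNK_URL and the mapping of
# resource types to Splunk REST paths are assumptions of this example.
SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"

REQUIRED_PATHS="
users:/services/authentication/users
roles:/services/authorization/roles
capabilities:/services/authorization/capabilities
applications:/services/apps/local
"

# Print the HTTP status for one REST path. The token reaches curl on stdin
# (--config -), so it is not on curl's command line.
fetch_status() {
  insecure=""
  # Skip certificate validation only when the connector is told to as well.
  [ "${BATON_UNSAFE:-false}" = "true" ] && insecure="--insecure"
  printf 'header = "Authorization: Bearer %s"\n' "${BATON_TOKEN:-}" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
      $insecure --config - "${SPLUNK_URL}$1?count=1"
}

# Check every path; print one line per resource type and return non-zero
# if any of them is not readable with this token.
preflight() {
  failed=0
  while IFS=: read -r name path; do
    [ -z "$name" ] && continue
    code="$(fetch_status "$path" || true)"
    case "$code" in
      200) echo "ok    $name" ;;
      401) echo "FAIL  $name (token rejected)"; failed=1 ;;
      403) echo "FAIL  $name (token's user may not read this)"; failed=1 ;;
      *)   echo "FAIL  $name (HTTP ${code:-none})"; failed=1 ;;
    esac
  done <<EOF
$REQUIRED_PATHS
EOF
  return "$failed"
}

# Run the check only when a token is present in the environment.
if [ -n "${BATON_TOKEN:-}" ]; then preflight || exit 1; fi
```

A 200 shows that the endpoint answered for this token; it does not show that every object is visible to the token's user.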

Step 3: Set up the Splunk integration in ConductorOne

A user with the Integration Administrator or Super Administrator role in ConductorOne must perform this task.

  1. In ConductorOne, open Administer and click Integrations > Baton.

  2. Choose whether to add the Splunk connector to an existing application in ConductorOne (and select the app of your choice) or to create a new Baton application.

    Once the connection is established between Splunk Enterprise and ConductorOne, the new application's name will automatically change from Baton to Splunk.

  3. Set the integration owner for this connector. You can manage the integration yourself, or choose someone else from the list of ConductorOne users. Setting multiple integration owners is allowed. You can change the integration owner later, if necessary.

  4. Click Create and add details.

    If you selected someone else as the integration owner, that person will be notified to take over this process from this point.

  5. Find the Settings area of the page and click Edit.

  6. Click Rotate to generate a new set of credentials. Carefully copy the Client ID and Secret. You'll use them in Step 4.

Step 4: Add credentials to your Splunk connector

  1. On the server where Splunk is running, pass in the Client ID and Secret generated in Step 3 by running baton-splunk with --client-id <CLIENT ID> --client-secret <SECRET>.

    Run baton-splunk --help to see the list of flags to be used when passing your credentials to the connector.

  2. The connector syncs current data, uploads it to ConductorOne, and prints a Task complete! message when finished.

  3. Check that the connector data uploaded correctly. In ConductorOne, open Manage and click Applications, then locate and click the name of the application you added the Splunk connector to. Splunk data should be found on the Groups, Roles, Resources, and Accounts tabs, as appropriate.

Now that baton-splunk is installed and the integration is set up, Baton runs as a service in your environment. The service maintains contact with ConductorOne, syncs and uploads data at regular intervals, and passes that data to the ConductorOne UI, where you and your colleagues can use it to run access reviews and facilitate access requests for the application.