ThreatLocker offers the ability to send Application Control (Whitelisting), and Storage Control policy audit information to your Splunk Enterprise or Splunk cloud server. In order to use Splunk you must first request that Splunk integration is enabled on your account.
ThreatLocker Standard Edition includes 10 Splunk writes per device per day.
ThreatLocker Enterprise Edition includes 200 Splunk writes per device per day.
How to log when an application is opened with Splunk.
You may have a requirement to log when an application is opened with your Splunk server. This information could be useful to tracking access to sensitive applications. To report information when an application is opened to your Splunk instance.
- Select Application Control > Policies from the navigation menu;
- Select the edit icon next to an existing application, or create a new application;
- Scroll down to the bottom of the page under the section “So you want to report this information to your Splunk Instance?” section, and select Yes;
- Enter the Splunk HTTP receiver URL and the token value (See Creating a Splunk Event Collector);
- Save your policy.
Creating a Splunk Event Collector
- From your Splunk Instance, select settings > add data;
- Click HTTP Event Collector.
- In the Name field, enter a name for the token.
- (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
- (Optional) In the Description field, enter a description for the input.
- (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
- Click Next.
- (Optional) Make edits to source type and confirm the index where you want HEC events to be stored. See Modify input settings.
- Click Review.
- Make edits to source type and confirm the index where you want HEC events to be stored. See Modify input settings.
- Click Review.