Guardium Insights for Splunk app

IBM Guardium Insights for Splunk app version 3.3.1 integrates Guardium Insights capabilities with Splunk to simplify the processes of investigating, prioritizing, and mitigating risk events in Splunk. The Guardium Insights for Splunk app gathers database user activity and search history by using the Guardium Insights API.

About this task

Note: Version 3.3.1 of the Guardium Insights for Splunk app supports Guardium Insights version 3.3 and later. It is not compatible with older versions of Guardium Insights.
Follow the directions to install the Guardium Insights for Splunk app from Splunk. After installation, you can configure the Splunk app.

Procedure

  1. Installing the Splunk app
    1. In Splunk, navigate to Apps > Find More Apps.
    2. Search for and install the IBM Security Guardium Insights for Splunk app.
    The app configuration page opens automatically after installation. Otherwise, navigate to Apps > Manage Apps, filter for the IBM Security Guardium Insights for Splunk app, and click Set up.
  2. Configuring the Guardium Insights for Splunk app
    Connect Securely
    When selected, the Splunk app verifies the SSL/TLS connection to the Guardium Insights host: it uses the current CA certificate from the Splunk server and confirms that the Insights host presents a certificate that validates against it. Enable Connect Securely when using third-party signed certificates; do not use this option with self-signed certificates, because verification against the Splunk CA certificate will fail.
    Guardium Insights Host
    The hostname of the Guardium Insights system that will provide data for the Splunk app.
    API Key | API Key Secret
    For more information about Guardium Insights API Keys or API Key Secrets, see Creating API keys.
    Pull Risk Events | Index name
    Enables pulling of Guardium Insights risk data. You can then choose which Splunk index stores the pulled data. By default, the app creates an index named gi_risks, but you can create and name your own index instead.
    Data Pulling Interval (minutes)
    How frequently to update data from the Guardium Insights system.
    Data Retention Time (days)
    How long to retain data from the Guardium Insights system. If Data Retention Time (days) is set to 0, data is retained indefinitely.
    Past Event Days
    Import Guardium Insights data from the past, defined in days. After the past data is imported, data is updated based on the Data Pulling Interval. If Past Event Days is set to 0, no past data is imported, and data is updated based on the Data Pulling Interval.
  3. Click Submit to save the configuration.
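Before enabling Connect Securely, it is worth checking that the Guardium Insights host's certificate actually validates against the CA certificate Splunk trusts, so that the setup does not fail at the first pull. The following is an added example, not part of the IBM app; the host name, port 443 and the CA bundle path are assumptions you replace with your own values.

```python
"""Pre-check for the Connect Securely option: does the Guardium Insights
host present a certificate that validates against the CA bundle Splunk uses?"""
import socket
import ssl

GI_HOST = "guardium-insights.example.com"  # placeholder: your Guardium Insights Host
GI_PORT = 443                              # assumption: HTTPS on the default port
SPLUNK_CA_BUNDLE = "/opt/splunk/etc/auth/cacert.pem"  # placeholder: CA bundle path on the Splunk server

def classify_verify_error(message: str) -> str:
    """Map an OpenSSL verification message to the cause an administrator acts on."""
    msg = message.lower()
    if "self signed" in msg or "self-signed" in msg:
        return "self-signed certificate: Connect Securely will fail; leave it off or use a CA-signed cert"
    if "unable to get local issuer" in msg or "unknown ca" in msg:
        return "issuer not in the Splunk CA bundle: add the signing CA to the bundle"
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "hostname mismatch: the Guardium Insights Host value must match the certificate's SAN"
    if "expired" in msg:
        return "certificate expired: renew it on the Guardium Insights host"
    return "verification failed: " + message

def build_context(cafile):
    """Same strictness Connect Securely applies: full chain validation plus hostname check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx

def check_tls(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """Attempt a TLS handshake and report whether the certificate chain validates."""
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated when verification succeeded
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {"ok": True, "subject": subject, "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "reason": classify_verify_error(e.verify_message or str(e))}
    except (OSError, ssl.SSLError) as e:
        return {"ok": False, "reason": f"connection or handshake error: {e}"}

if __name__ == "__main__":
    print(check_tls(GI_HOST, GI_PORT, SPLUNK_CA_BUNDLE))
```

A result with "ok": False and a self-signed or unknown-issuer reason means Connect Securely cannot be used as-is with that host; "ok": True means the option can be enabled.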

What to do next

After installation of the Splunk app, you can use it as described in Splunk app views.