Configuring Splunk Enterprise Security to communicate with the QRadar product

To send threat alerts from Splunk Enterprise Security, you must have an API token. You need the API token when you configure a data source in the QRadar® product.

Before you begin

You must have access to a Splunk account with administrator privileges.

Procedure

  1. Log in to your Splunk Enterprise Security console as administrator.
  2. Click the settings menu in the upper portion of the page, and then select Tokens from the Users and Authentication section of the list.
  3. Click New Token in the upper-right of the screen.
  4. Fill in the fields in the dialog box that appears, then click Create.
  5. Copy the API token from the Token field in the dialog.
    Important: The API token is not shown again. Do not close this dialog or window until you have copied the API token to your clipboard and saved it to a file.

What to do next

Add a Splunk Enterprise Security data source that uses the Universal Cloud REST API connector. For more information about the Universal Cloud REST API connector, see Universal Cloud REST API data source parameters for Splunk Enterprise Security.

For more information about adding a data source, see Adding ingestion data sources.