Splunk Enterprise Security data source type specifications

When you configure Splunk Enterprise Security, understanding the specifications for the Splunk Enterprise Security data source type can help ensure a successful integration.

Important: Because of the way notable events are forwarded to the QRadar® product, the data source must be customized to extract the contents of the _raw field from the Splunk environment it pulls from. Without that customization, QRadar receives the notable event's summary fields rather than the original event text, and parsing fails.
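As an added illustration of the extraction step the note above calls for (this is example code, not part of the QRadar or Splunk documentation), the following Python takes the JSON that the Splunk REST search endpoints return and pulls the _raw field out of each notable event, counting results that carry no _raw so that they are not silently lost. The sample payloads are constructed for this example; the assumed JSON shapes (one object per line with the event fields under "result" for search/jobs/export, and a single document with a "results" array for search/jobs/<sid>/results) follow Splunk's output_mode=json format, and the field values are made up.

```python
import json

# Constructed sample in the search/jobs/export shape: one JSON object per
# line, event fields under "result". The second event deliberately lacks
# _raw so the extraction's failure handling is exercised.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"preview": False, "offset": 0, "result": {
        "_time": "2024-01-01T00:00:00.000+00:00",
        "index": "notable",
        "rule_name": "Example rule",
        "_raw": '01/01/2024 00:00:00 +0000, search_name="Example rule", src=10.0.0.5',
    }}),
    json.dumps({"preview": False, "offset": 1, "result": {
        "_time": "2024-01-01T00:05:00.000+00:00",
        "index": "notable",
        "rule_name": "Example rule 2",
    }}),
])

# Constructed sample in the search/jobs/<sid>/results shape: a single
# document whose "results" array holds the field dicts directly.
SAMPLE_RESULTS = json.dumps({
    "preview": False,
    "init_offset": 0,
    "results": [
        {"_time": "2024-01-01T00:10:00.000+00:00", "_raw": "event one"},
        {"_time": "2024-01-01T00:11:00.000+00:00", "_raw": "event two"},
    ],
})


def iter_results(payload: str):
    """Yield the field dict of each final (non-preview) event from either
    Splunk REST JSON shape: newline-delimited export objects or a single
    results document."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        doc = None

    if isinstance(doc, dict):
        # Single document: either a "results" array or one export object.
        if doc.get("preview"):
            return  # preview documents are not final search output
        rows = doc.get("results", [doc])
    else:
        # Newline-delimited export output: one JSON object per line.
        rows = [json.loads(line) for line in payload.splitlines() if line.strip()]

    for row in rows:
        if row.get("preview"):
            continue
        # Export rows nest fields under "result"; results rows are the fields.
        yield row.get("result", row)


def extract_raw(payload: str):
    """Return (raw_events, skipped): the _raw strings to forward, in order,
    and the number of events that had no usable _raw field."""
    raw_events, skipped = [], 0
    for fields in iter_results(payload):
        raw = fields.get("_raw")
        if not isinstance(raw, str) or not raw:
            skipped += 1  # do not forward a summary row as if it were the event
            continue
        raw_events.append(raw)
    return raw_events, skipped


if __name__ == "__main__":
    events, missing = extract_raw(SAMPLE_EXPORT)
    for event in events:
        print(event)
    print(f"{missing} notable event(s) had no _raw field")
```

The skipped count is the check to watch in practice: if every pulled event lands in the skipped bucket, the search behind the data source is returning summary fields without _raw, which is exactly the misconfiguration the note above warns about.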

The following table describes the specifications for the Splunk Enterprise Security data source type.

Table 1. Splunk Enterprise Security data source type specifications
Specification                  Value
Manufacturer                   Splunk
Data source type               Splunk Enterprise Security
Connector type                 Universal REST API
Event format                   JSON
Recorded event types           Notable events
Automatically discovered?      No
Includes identity?             No
Includes custom properties?    No
More information               Splunk Enterprise Security (https://www.splunk.com/en_us/products/enterprise-security.html)