
Splunk ES Integration

Connect Splunk Enterprise Security (ES) to Mission Control and incident management. View notable events, Mission Control alerts and incidents; create SecureHive incidents from Splunk.

Overview

The Splunk ES integration surfaces notable events, Mission Control alerts, and Mission Control incidents in SecureHive. You can create SecureHive incidents from Splunk alerts or incidents and track response in incident management.

  • Main Splunk instance — Base URL and auth token for the primary Splunk deployment (used for connectivity and, if configured, search).
  • ES instance — Splunk Enterprise Security is often a separate instance (e.g. es.tenant.splunkcloud.com). It has its own base URL and requires its own auth token and IP allowlist.
  • Urgency — Splunk ES uses a 5-level urgency (Informational, Low, Medium, High, Critical); SecureHive shows these with theme-aligned badges in Mission Control.
  • Per-tenant — Configure one or more Splunk/ES integrations per tenant under Settings → Integrations → Security Operations.

The ES instance is separate from your main Splunk Cloud. It has its own URL, token, and IP allowlist. Create a token in the ES instance (Settings → Tokens) and allowlist the SecureHive backend IP in the ES instance.

ES instance (separate from main Splunk)

Splunk Enterprise Security often runs on a dedicated instance. You need its base URL and an auth token created in that instance.

| Setting | Details |
| --- | --- |
| ES Base URL | Your ES instance URL (e.g. https://es.tenant.splunkcloud.com or https://es.tenant.splunkcloud.com:8089). Port 8089 is used for the REST API; SecureHive will add it if omitted. |
| ES Auth Token | Create a token in the ES instance (Settings → Tokens). This is not the same as your main Splunk token. Store it securely. |
| IP allowlist | Add the SecureHive backend server IP to the ES instance allowlist (e.g. via Splunk Admin Config Service or your cloud console). |

SecureHive setup

Configure the Splunk ES integration for your tenant in SecureHive.

Open integration settings

In SecureHive, go to Settings → Integrations.

Add the integration

Open the Security Operations card and click Configure (or Add integration).

Set basic fields

Set Integration name (e.g. “Production Splunk ES”), set Integration type to SIEM, and set Provider to Splunk.

Enter main Splunk connection

Enter your main Splunk Base URL and Auth Token (for the primary Splunk deployment).

Configure ES connection

Under Splunk Enterprise Security (ES) Configuration, enter the ES Base URL (port 8089 is added automatically if not specified) and ES Auth Token (created in the ES instance).

Set incident auto-creation (optional)

Enable auto-create incidents from alerts and set minimum severity (e.g. Medium and above). Manual “Create Incident” is always available in Mission Control.

Save and test

Save. Use Test connection if available to verify connectivity to both main Splunk and the ES instance.

Credentials (tokens and secrets) are stored encrypted in SecureHive. Use tokens with the minimum scope required (e.g. read access to notable events and Mission Control).

Mission Control and incidents

After the integration is configured, Mission Control shows Splunk ES notable events, alerts, and incidents. You can create SecureHive incidents from them.

  • Go to Detection & Response (Security Operations) → Mission Control.
  • In the integration dropdown, select your Splunk integration (e.g. “Production Splunk ES (Splunk)”).
  • ES Notable Events, Mission Control Alerts, and Mission Control Incidents tabs show data from Splunk ES. Columns include Urgency (5 levels), status, and Actions (e.g. Create Incident).
  • Click Create Incident to create a SecureHive incident from that alert or incident; it appears under Incident Response.
  • Urgency (Informational through Critical) is displayed with theme-aligned badge colors.

Troubleshooting

Connection failed or 403 to ES

  • ES is a separate instance: Ensure you are using the ES instance base URL and an auth token created in the ES instance (not the main Splunk token).
  • IP allowlist: Add the SecureHive backend IP to the ES instance allowlist. For Splunk Cloud ES, use the Admin Config Service (ACS) or your cloud account to allowlist the IP.

Port 8089

Splunk Cloud uses port 8089 for the REST API. If you omit the port in the ES Base URL, SecureHive adds :8089 automatically. If your deployment uses a different port, include it in the URL.
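The following helper is an added example, not SecureHive's own code, illustrating two behaviours this page describes: the ES Base URL handling from the "Configure ES connection" step and this troubleshooting entry (port 8089 is appended when omitted, an explicit port is kept), and the minimum-severity check behind "auto-create incidents from alerts" using the five Splunk ES urgency levels. The function names, the sample notable events, and the decision to reject non-https URLs are assumptions made here for illustration.

```python
"""Hypothetical helpers (not SecureHive's implementation) for normalising an
ES Base URL and applying a minimum-severity threshold to notable events."""
from urllib.parse import urlsplit, urlunsplit

SPLUNK_REST_PORT = 8089  # Splunk management/REST API port used by the ES instance

# Splunk ES urgency levels, lowest to highest, as listed on this page
URGENCY_LEVELS = ("Informational", "Low", "Medium", "High", "Critical")


def normalize_es_base_url(raw: str) -> str:
    """Return a base URL for the ES REST API, adding :8089 when no port is given.

    An explicit port (e.g. :8443) is kept, a trailing slash or path is dropped so
    endpoint paths can be appended cleanly, and non-https URLs are rejected
    (an assumption of this example: the auth token should never travel in clear).
    """
    parts = urlsplit(raw.strip())
    if parts.scheme != "https":
        raise ValueError(f"ES Base URL must start with https://, got {raw!r}")
    if not parts.hostname:
        raise ValueError(f"ES Base URL has no host: {raw!r}")
    port = parts.port if parts.port is not None else SPLUNK_REST_PORT
    return urlunsplit((parts.scheme, f"{parts.hostname}:{port}", "", "", ""))


def urgency_rank(urgency: str) -> int:
    """Map a Splunk ES urgency name (case-insensitive) to its position in URGENCY_LEVELS."""
    names = [level.lower() for level in URGENCY_LEVELS]
    try:
        return names.index(urgency.strip().lower())
    except ValueError:
        raise ValueError(f"unknown urgency {urgency!r}") from None


def meets_minimum(urgency: str, minimum: str) -> bool:
    """True when `urgency` is at or above the configured minimum ('Medium and above')."""
    return urgency_rank(urgency) >= urgency_rank(minimum)


def select_for_auto_create(events, minimum: str):
    """Return the notable-event dicts that qualify for incident auto-creation.

    Events with a missing or unrecognised urgency are left out so that bad data
    does not silently open incidents; they remain available for manual creation.
    """
    selected = []
    for event in events:
        try:
            if meets_minimum(event.get("urgency", ""), minimum):
                selected.append(event)
        except ValueError:
            continue
    return selected


# Constructed sample notable events for illustration (not real Splunk output)
SAMPLE_EVENTS = [
    {"rule_name": "Excessive failed logins", "urgency": "medium"},
    {"rule_name": "Host with new service", "urgency": "low"},
    {"rule_name": "Malware detected", "urgency": "CRITICAL"},
    {"rule_name": "Missing urgency field"},
]

if __name__ == "__main__":
    print(normalize_es_base_url("https://es.tenant.splunkcloud.com"))
    for event in select_for_auto_create(SAMPLE_EVENTS, "Medium"):
        print("auto-create:", event["rule_name"])
```

With the threshold set to Medium, only the medium and critical sample events qualify; the low event and the one without an urgency are skipped, matching the page's note that manual "Create Incident" remains available for anything the threshold does not pick up.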

No notable events or empty lists

Confirm the ES token has read access to notable events and Mission Control data. Check index and permission settings in the ES instance. Verify the integration is active and that you selected the correct Splunk integration in the Mission Control dropdown.

Token expired or invalid

Tokens can expire or be revoked. Create a new token in the ES instance (Settings → Tokens) and update the integration in SecureHive (Settings → Integrations → Security Operations → Edit → ES Auth Token).
