In this article, you will learn how to ingest data from the HEIMDAL API into Splunk Enterprise (https://www.splunk.com).
1. Adding the REST API Modular Input App into SPLUNK Enterprise
2. Adding the HEIMDAL API into Splunk Enterprise
3. Displaying the data ingested from the HEIMDAL Security API
Adding REST API Modular Input into SPLUNK Enterprise
1. From the Splunk Enterprise portal, click on Explore Splunk Enterprise and go to Splunk Apps.
2. This will open a new window with all the apps and extensions available for installation. Search for REST API Modular Input (found also on this page https://splunkbase.splunk.com/app/1546/) and hit Install.
Adding the HEIMDAL API into Splunk Enterprise
1. Go to Settings -> Data –> Data inputs -> REST and press Add new.
2. Fill in the following fields:
- REST API Input Name: The name you want for the job
- Activation Key: Follow the link under the text field to obtain an activation key (http://www.baboonbones.com/#activation).
- Endpoint URL: Insert the path to the API request (ex: https://dashboard.heimdalsecurity.com/api/heimdalapi/thirdparty )
- HTTP Method: Select GET
- Authentication Type: Select OAuth2
- OAUTH 2 Token Type (OPTIONAL): Type "Bearer" in case the authentication does not work
- OAUTH 2 Access Token: add your Personal API KEY from the Heimdal Dashboard -> Guide -> HS API KEY -> New API/Old API
- URL Arguments: insert the parameters for the API Requests. The required parameters are customerId, startDate and endDate (ex: customerId=197818,startDate=2016-01-03T12:54,endDate=2019-02-03T12:56). You can also add additional parameters, which are found under each API Statistics when you click on Show -> Optional Parameter Helper
* - Make sure that the arguments are followed by the sign “,” (comma), as shown in the Splunk examples, and not with the sign “&” (ampersand) as the examples from the Heimdal Dashboard because this will lead to the error message "User is not authorized to fulfill the operation." when executing the job. - Response Type: Select json
- Set sourcetype: Select Manual
- Source type: Type _json
These fields are required to configure Splunk to retrieve the data from Heimdal Security API requests. The other ones are optional and the Splunk help section can provide more details.
3. After you have completed all the fields you have to click on Next at the top of the page.
To check all the created jobs and to manage them, go to Settings -> Data -> Data inputs and click on REST.
Displaying the data ingested from the HEIMDAL Security API
To view the ingested results, access the Search & Reporting section or go to the Search tab.
Input the added API source (example: source="rest://API Test" where API Test is the REST API Input Name from above, more exactly the name of the job you created), then press on the Search button.
The data extracted from the Heimdal Security database will be displayed as in the screenshot below. From there you can manage it according to your specifications.
Here is a video tutorial on how to add the HEIMDAL API into Splunk Enterprise: