Splunk
Forward ARMO Security & Runtime Events to Splunk
Overview
This guide explains how to integrate ARMO Security with Splunk Enterprise or Splunk Cloud to forward runtime, cloud, and Kubernetes security events using Splunk HTTP Event Collector (HEC).
Once connected, all ARMO runtime threat detections are sent to Splunk, enabling SOC teams to correlate them with application logs, cloud activity, and infrastructure telemetry.
Prerequisites
Before configuring the integration, ensure you have:
- Access to your Splunk account
- Permission to create an HTTP Event Collector (HEC) token
- Access to the ARMO Platform with Manager or Admin permissions
Step 1 — Generate a Splunk HEC Token
ARMO sends data to Splunk using an HTTP Event Collector (HEC) token.
1.1 Open the HTTP Event Collector
In Splunk:
Settings → Data Inputs → HTTP Event Collector
Click Global Settings.
1.2 Configure Global Settings
Set:
| Setting | Value |
|---|---|
| All Tokens | Enabled |
| Default Source Type | _json |
| Enable SSL | ✅ Enabled |
Click Save.
1.3 Create a New Token
Click New Token.
Select Source
| Field | Value |
|---|---|
| Name | ARMO_Events_Forwarder |
Click Next.
Input Settings
| Field | Value |
|---|---|
| Source Type | _json |
Click Next.
Review
Confirm settings and click Submit.
1.4 Copy the Token ID
After creation, Splunk generates a Token ID. 📋 Copy this token — you will need it in ARMO.
Step 2 — Configure Splunk in the ARMO Platform
- In the ARMO Platform, navigate to: Settings → Integrations → SIEM Integrations
- Click Connect on the Splunk card, then Add Integration.
Fill in the following fields, then click Add.
| Field | Description |
|---|---|
| Name | Friendly name (e.g., Splunk-Prod) |
| URL | https://mycompany.splunkcloud.com |
| Port | 8088 |
| Token | Paste the HEC Token ID from Splunk |
Step 3 — Validate the Integration
- In ARMO, click Send Test Message (this simulates a security event).
- Wait up to 10 minutes.
- In Splunk, run the following search:

```
ARMOAlerts_CL
| sort TimeGenerated desc
```

You should see the ARMO test event appear.
What Events Are Streamed?
https://hub.armosec.io/docs/siem#/
Troubleshooting
| Issue | What to Check |
|---|---|
| No data in Splunk | Verify port 8088 is open between ARMO and Splunk |
| 403 or 401 errors | Token is invalid or disabled |
| SSL errors | Ensure Splunk HEC has SSL enabled |
| Events delayed | Allow up to 10 minutes for indexing |
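The troubleshooting table above maps symptoms to causes; the following added example (not ARMO's or Splunk's own code) turns it into a pre-flight check you can run from any host that reaches Splunk on the same URL, port and token you enter in Step 2. It builds the HEC request the way a forwarder does (the `/services/collector/event` endpoint, the `Authorization: Splunk <token>` header, a JSON body with a `_json` sourcetype) and translates the HTTP status and HEC response code into the next step from the table. The `HEC_CODES` subset is taken from Splunk's documented HEC reply codes; the hostname, port and token values are placeholders you replace with your own.

```python
"""Pre-flight check for a Splunk HEC endpoint (added example, not ARMO code).

Sends one constructed JSON event with the same endpoint, header and body shape
ARMO's forwarder would use, then interprets the reply using the troubleshooting
table: 401/403 -> token problem, TLS failure -> SSL not enabled or untrusted
certificate, connection failure -> port 8088 not reachable.
"""
import json
import ssl
import time
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/event"

# Subset of Splunk's documented HEC reply codes (code -> meaning and fix).
HEC_CODES = {
    0: "Success",
    1: "Token disabled (403): re-enable the token under HTTP Event Collector",
    2: "Token is required (401): Authorization header missing",
    3: "Invalid authorization (401): header must be 'Splunk <token>'",
    4: "Invalid token (403): token ID does not match any HEC token",
    5: "No data (400): request body was empty",
    6: "Invalid data format (400): body is not valid HEC JSON",
    7: "Incorrect index (400): token is not allowed to write to that index",
}


def build_hec_request(url, port, token, event, sourcetype="_json"):
    """Assemble endpoint, headers and JSON body exactly as a HEC client sends them."""
    endpoint = f"{url.rstrip('/')}:{port}{HEC_PATH}"
    body = {"time": int(time.time()), "sourcetype": sourcetype, "event": event}
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    return endpoint, headers, json.dumps(body).encode()


def diagnose(status, body_text):
    """Map an HTTP status plus HEC reply body to the matching troubleshooting step."""
    try:
        code = json.loads(body_text).get("code")
    except (ValueError, AttributeError):
        code = None
    if status == 200 and code == 0:
        return "ok: event accepted; allow up to 10 minutes, then search Splunk for it"
    if status in (401, 403):
        fix = HEC_CODES.get(code, "token is invalid or disabled; regenerate it in Splunk")
        return f"auth: {fix}"
    return f"unexpected HTTP {status}: {HEC_CODES.get(code, body_text.strip())}"


def send_test_event(url, port, token, event):
    """POST one event to HEC with certificate verification on, returning a diagnosis string."""
    endpoint, headers, data = build_hec_request(url, port, token, event)
    req = urllib.request.Request(endpoint, data=data, headers=headers, method="POST")
    ctx = ssl.create_default_context()  # verify the HEC certificate, as a forwarder should
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return diagnose(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.read().decode())
    except urllib.error.URLError as err:
        reason = str(err.reason)
        if "CERTIFICATE" in reason.upper() or "SSL" in reason.upper():
            return "tls: certificate rejected; ensure HEC has SSL enabled with a trusted certificate"
        return f"network: {reason} (is port {port} open between this host and Splunk?)"


if __name__ == "__main__":
    # Placeholder values: replace with the URL, port and token from Step 2.
    test_event = {"source": "hec-preflight", "message": "constructed test event"}
    print(send_test_event("https://mycompany.splunkcloud.com", 8088, "<HEC token>", test_event))
```

Run it once before clicking Send Test Message in ARMO: an `auth:` result means the token, not the network path, needs attention, while a `network:` or `tls:` result points at the port or SSL rows of the table.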
Summary
By completing this setup, you can:
- Centralize ARMO alerts and runtime events in Splunk
- Correlate multi-layer signals with infrastructure logs
- Build dashboards, alerts, and workflows
- Strengthen incident investigation and response
The Splunk integration provides unified, real-time visibility into your Kubernetes and cloud security operations powered by ARMO’s Threat Detection & Response.
