# Endpoint Central Cloud integration with Splunk Enterprise

## Table of contents

- [Installing the ManageEngine Endpoint Central add-on in Splunk](#installing-the-manageengine-endpoint-central-add-on-in-splunk)
- [Configuring the app in Splunk for the Endpoint Central](#configuring-the-app-in-splunk-for-the-endpoint-central)
- [Generating an Authentication File](#generating-an-authentication-file)
- [Creating an input with the Endpoint Central configuration](#creating-an-input-with-the-endpoint-central-configuration)
- [Viewing data in Splunk](#viewing-data-in-splunk)

When Endpoint Central is integrated with Splunk, both vulnerability data and audit logs are forwarded to Splunk. This gives administrators a consolidated view of all detected vulnerabilities together with a record of the actions performed through the console, such as configuration changes, deployments, and administrative activities. Splunk's analytics can then be used to monitor these events, identify patterns or anomalies, and generate reports and dashboards for auditing, compliance, and security monitoring.

**Note:**

- Currently, only vulnerability data and Action Log Viewer data from Endpoint Central are posted to Splunk.
- Vulnerability data is available only if you have the Endpoint Central Security edition or have purchased the Vulnerability add-on.

## Installing the ManageEngine Endpoint Central add-on in Splunk

- Navigate to the **Splunk Home** page.
- In the header menu, click **Apps**.
- Select **Find More Apps** to be redirected to Splunk's marketplace.
- Search for the **ManageEngine Endpoint Central Add-On** app.
- Click **Download** and enter your username and password.
- Click **Agree and Install**.

You can now access the application from the Splunk home page or the **Apps** menu.
![Splunk Apps Menu](https://www.manageengine.com/products/desktop-central/images/ec-cd-splunk-1.png)

![Splunk Add-On Search](https://www.manageengine.com/products/desktop-central/images/ec-cd-splunk-base-app.png)

## Configuring the app in Splunk for the Endpoint Central

- Navigate to the **Splunk homepage** and click the **Apps** option in the header menu.
- Select the **ManageEngine Endpoint Central Add-On** app.
- Navigate to **Configurations** and click the **Add** button.

![Splunk App Configurations Menu](https://www.manageengine.com/products/desktop-central/images/ec-cd-splunk-2.png)

- In the pop-up window, choose **Endpoint Central Cloud** from the **Deployment Type** dropdown menu.

![Splunk Deployment Type Selection](https://www.manageengine.com/products/desktop-central/images/ec-cd-splunk-3.png)

- For guidance on the **Endpoint Central Instance URL** and **Zoho Accounts URL**, refer to this document: [https://www.manageengine.com/products/desktop-central/api/cloud_index.html](https://www.manageengine.com/products/desktop-central/api/cloud_index.html). Fill in the values that apply to your data center.

**Note:** The Zoho Accounts URL field is displayed only if a custom domain is configured for your Endpoint Central Cloud instance.

![Splunk Zoho Accounts URL Field](https://www.manageengine.com/products/desktop-central/images/ec-cd-splunk-4.png)

## Generating an Authentication File

- To generate the authentication file, open the developer console for your data center as specified in this document: [https://www.manageengine.com/products/desktop-central/api/cloud_index.html](https://www.manageengine.com/products/desktop-central/api/cloud_index.html). Developer console: [https://api-console.zoho.com/](https://api-console.zoho.com/)
- Log in with your Endpoint Central Cloud account.
- Select **Self Client**, click **Create Now**, and then click **Create** to confirm and enable the self client.
![Splunk Self Client Setup](https://www.manageengine.com/products/desktop-central/images/ec-cd-splunk-5.png)

![Splunk Self Client Confirmation](https://www.manageengine.com/products/desktop-central/images/ec-cd-splunk-6.png)

- To generate the authentication file, click the **Generate Code** tab in the **API Developer Console**.
- Copy the scope below and paste it into the **Scope** section. These four scopes are all the integration needs; do not add further scopes to the self client.

```
DesktopCentralCloud.SplunkIntegration.READ,DesktopCentralCloud.SplunkIntegration.CREATE,DesktopCentralCloud.VulnerabilityMgmt.READ,DesktopCentralCloud.Audit.READ
```

- Set the time duration to **10 minutes**, provide a description, and then click the **CREATE** button to create the authentication file. The generated code is valid only for this duration, so complete the upload below within that window.
- Download the file as JSON, upload it in Splunk, and then click **Add** to complete the configuration.

![Splunk Authentication File Upload](https://www.manageengine.com/products/desktop-central/images/ec-cd-splunk-7.png)

![Splunk Auth File Added Confirmation](https://www.manageengine.com/products/desktop-central/images/ec-cd-splunk-8.png)

## Creating an input with the Endpoint Central configuration

- Navigate to the **Inputs** tab in Splunk, click **Create New Input**, and select the log data that you need from Endpoint Central.

![Splunk New Input Creation](https://www.manageengine.com/products/desktop-central/images/ec-cloud-splunk-16.png)

- In the pop-up window, enter all the required information. From the **Global Account** dropdown, select the Endpoint Central configuration.
- Then click the **Add** button. If all inputs are valid, the input is added successfully.

**Valid inputs:**

- **Name**: A unique name without any white space.
- **Interval**: Must be given in seconds.
  - For vulnerability data: between 3600 seconds (1 hour) and 86400 seconds (24 hours).
  - For Action Log Viewer data: between 300 seconds (5 minutes) and 86400 seconds (24 hours).
- **Index**: Default.
- **Global Account**: The Endpoint Central configuration created in the Configurations section.
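To catch a rejected input or an over-broad self-client scope before clicking through the UI, here is an added Python example that checks a planned input against the rules above and a pasted scope string against the exact set the guide prescribes. It is not part of the add-on or of ManageEngine's code; the `validate_input` and `check_scopes` helpers and the use of the two sourcetype names as data-type keys are this example's own conventions.

```python
import re

# Interval bounds in seconds per data type, as stated in the guide; the
# sourcetype names are used as keys (this example's own convention).
INTERVAL_BOUNDS = {
    "manageengine:ec:vulnerability": (3600, 86400),  # 1 hour to 24 hours
    "manageengine:ec:actionlogdata": (300, 86400),   # 5 minutes to 24 hours
}

# The exact scope set the guide says to paste into the self client.
REQUIRED_SCOPES = frozenset({
    "DesktopCentralCloud.SplunkIntegration.READ",
    "DesktopCentralCloud.SplunkIntegration.CREATE",
    "DesktopCentralCloud.VulnerabilityMgmt.READ",
    "DesktopCentralCloud.Audit.READ",
})


def validate_input(name, data_type, interval, global_account, index="default"):
    """Return a list of problems with a planned input; an empty list means valid."""
    problems = []
    if not name or re.search(r"\s", name):
        problems.append("name must be non-empty and contain no white space")
    bounds = INTERVAL_BOUNDS.get(data_type)
    if bounds is None:
        problems.append(f"unknown data type {data_type!r}")
    elif not isinstance(interval, int) or not bounds[0] <= interval <= bounds[1]:
        problems.append(f"interval must be a whole number of seconds between "
                        f"{bounds[0]} and {bounds[1]} for {data_type}")
    if not index:
        problems.append("index must be set (the guide uses the default)")
    if not global_account:
        problems.append("global account must name the Endpoint Central configuration")
    return problems


def check_scopes(scope_string):
    """Split a comma-separated scope string and return (missing, extra) scopes.

    Extra scopes would grant the self client more than the integration needs,
    so they are reported alongside missing ones.
    """
    scopes = {s.strip() for s in scope_string.split(",") if s.strip()}
    return sorted(REQUIRED_SCOPES - scopes), sorted(scopes - REQUIRED_SCOPES)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(validate_input("ec vuln", "manageengine:ec:vulnerability", 1800, "EC-Cloud"))
    print(check_scopes("DesktopCentralCloud.Audit.READ,Made.Up.READ"))  # Made.Up.READ is a placeholder
```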
![Splunk Input Validation](https://www.manageengine.com/products/desktop-central/images/ec-cloud-splunk-17.png)

## Viewing data in Splunk

- Once an input is configured, synchronization with the Endpoint Central instance begins.
- Navigate to the **Search** tab in the app.

![Splunk Search Tab](https://www.manageengine.com/products/desktop-central/images/ec-op-cloud-splunk-search-1.png)

- Click **Data Summary** and navigate to the **Sourcetypes** tab.

![Splunk Data Summary Sourcetypes](https://www.manageengine.com/products/desktop-central/images/ec-op-cloud-splunk-search-2.png)

- Search for the required sourcetype from the list below and click it to view the data.
  - Vulnerability data sourcetype: `manageengine:ec:vulnerability`
  - Action Log Viewer data sourcetype: `manageengine:ec:actionlogdata`

![Splunk Vulnerability and Action Log Data](https://www.manageengine.com/products/desktop-central/images/ec-op-cloud-splunk-search-3.png)