Overview
The Splunk integration (INT-001) provides bi-directional synchronization between CaseBender and Splunk, including Splunk Enterprise Security (ES) notable events.Inbound Ingestion
Outbound Sync
/services/collector/event,
usually port 8088). Notable pull and close-out use the management REST API
(usually port 8089). On-prem Splunk commonly uses self-signed certificates on
both — set Verify SSL off if needed (see below).Capabilities
Prerequisites
Splunk access
edit_notable_events capability. For HEC
forwarding you need an HTTP Event Collector token.Network egress
:8088) and, for
REST features, the management endpoint (e.g. :8089).CaseBender administrator role
Part A — Prepare Splunk
Create an HEC token (for outbound forwarding)
Create an authentication token (for REST features)
edit_notable_events to close notables and search
access to your notable index.Part B — Configure the integration in CaseBender
Open the integration catalog
Choose a purpose
purpose to Inbound, Outbound, or Bidirectional to show the
relevant configuration cards.Configure inbound webhook (push)
sk_splunk_).
In Splunk, add a Webhook alert action that posts to the URL with header
Authorization: Bearer <API_KEY>.Configure the Enterprise Security REST connection (optional)
https://splunk:8089) and credentials:Enable automatic polling (optional)
Configure outbound (HEC + notable close)
Test the connection
Inbound (automatic polling)
With Automatic polling enabled, CaseBender periodically runs your SPL through the Enterprise Security REST search API and ingests the results on its own — no Splunk-side alert action or webhook is required.How it works
Scheduled search
pollingIntervalMinutes), CaseBender runs searchQuery over the window
since the last cursor via the streaming export endpoint:pollingInitialLookbackHours are imported.Cursor + deduplication
_time it has seen, so
each run only fetches new activity. Results are also deduplicated by notable event_id
(falling back to the search sid), so a notable is never ingested twice — even if the
polling window overlaps.Normalization
urgency,
building the title/description, and extracting observables and host assets. The notable
event_id is stamped onto the alert so outbound close-out can find it later.autoCreateCases enabled, each polled notable becomes a Case automatically
(deduplicated by notable ID) — this matches the “pull notable → work it as a case” flow.
With it disabled, results land in the Alerts inbox for manual promotion. Either way the
Splunk link is preserved so closing the case can close the notable.NO_PROXY on proxy-only networks.Inbound (webhook / push)
As an alternative (or in addition) to polling, a Splunk alert action (or any webhook sender) can push search results to the CaseBender ingestion endpoint.Endpoint
Authorization: Bearer <key> (the x-api-key header is also accepted). Splunk webhook API
keys are prefixed with sk_splunk_.
Payload example
Splunk’s webhook alert action posts aresult object plus search metadata:
202 Accepted:
Processing pipeline
Ingestion proxy
/api/v1/ingest/splunk validates the source and forwards the request to the ingestion
service (POST /v1/sources/splunk).Queue publish
Normalization
Data mapping reference
Severity mapping (Splunkurgency → CaseBender 1–4):
rule_title → search_name → alert_name → signature →
message. Tags applied on ingest include splunk, siem, notable (for ES notables),
domain:<security_domain>, and app:<app>. Ingested records default to TLP:2 and
PAP:2.
Outbound: HEC audit forwarding
When enabled withsyncCaseUpdates / syncCaseClose, CaseBender posts JSON audit events to
your HEC endpoint so case activity is searchable in Splunk:
source: casebender:case (or casebender:alert) and sourcetype: _json
to the configured index.
Outbound: Closing the Splunk notable (write-back)
When a case is closed in CaseBender, thecase_closed event is dispatched to the Splunk
handler. If the case is linked to a Splunk notable and closeNotableOnCaseClose is on,
CaseBender closes the notable through the ES REST API.
How the linked notable is resolved
The ingest pipeline stampssplunkEventId (the notable event_id) and the ingesting
integration ID onto each Splunk alert’s customFields. On case close, the handler collects
those event IDs from the alerts linked to the case, so a case promoted from a polled or
webhook notable resolves automatically — regardless of how it was created.
What is sent
CaseBender calls the ESnotable_update endpoint:
statusdefaults to 5 (Closed) and is configurable vianotableStatusOnClose.commentis:Case <id> closed in CaseBender with resolution: <resolution>.
syncCaseClose (HEC audit event) and closeNotableOnCaseClose (REST notable write-back)
are independent per-integration toggles. Notable write-back requires the Enterprise Security
REST connection and a role with the edit_notable_events capability.Security considerations
- Token handling — HEC tokens and REST tokens/passwords are stored in the integration settings; rotate them on your organization’s schedule and update the integration when you do.
- Least privilege — the REST role only needs search access to your notable index and
edit_notable_events. HEC tokens should target a dedicated index. - Webhook keys — treat the
sk_splunk_API key as a secret. Rotate it if exposed and update the Splunk alert action. - TLS — prefer trusted certificates. If you must use self-signed certs (common on-prem), Verify SSL can be turned off; the connection is still encrypted but the certificate is not validated. Restrict egress to your Splunk HEC and management endpoints.
Troubleshooting
Test Connection fails or times out
Test Connection fails or times out
8088). If Splunk uses a self-signed certificate, turn Verify SSL off —
otherwise the request fails with a certificate error.Polling is enabled but no notables appear
Polling is enabled but no notables appear
8089), and that there are results newer than the cursor. On first run only
results within pollingInitialLookbackHours are imported. Check the integration’s last
sync status for the specific error.Case close doesn't close the Splunk notable
Case close doesn't close the Splunk notable
closeNotableOnCaseClose is on and the ES REST connection is configured with a
role that has edit_notable_events. The case must be linked to a Splunk notable — closing
a case promoted from a polled/webhook notable resolves the link automatically. Check the
case timeline for the sync result.notable_update returns 403 or 404
notable_update returns 403 or 404
403 means the REST role lacks the edit_notable_events capability. A 404 usually
means the URL isn’t the Enterprise Security management endpoint — confirm restUrl points
at Splunk’s management port with ES installed.Self-signed certificate errors behind a proxy
Self-signed certificate errors behind a proxy
NO_PROXY so the connection goes
direct, and turn Verify SSL off if the cert is self-signed.