
How can we Integrate Saviynt with Splunk SaaS for logging?

psejpal
New Contributor II

I found this document https://saviynt.freshdesk.com/support/solutions/articles/43000666823-splunk-integration-guide . It looks like the document is for Splunk on-prem. We have Splunk SaaS. Has anyone done a Saviynt integration with Splunk SaaS? Is any documentation available for that?


rushikeshvartak
All-Star

https://docs.saviyntcloud.com/bundle/SSM-Admin-v55x/page/Content/Chapter19-EIC-Integrations/Saviynt-...


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Sivagami
Valued Contributor

As per the Splunk doc - https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Admin/SelfServiceAppInstall, add-on installation should work on Splunk Cloud deployments as well. Go ahead and try installing the SPL file in the documentation - https://saviynt.freshdesk.com/support/solutions/articles/43000666823-splunk-integration-guide on your Splunk instance.

Rishi
Saviynt Employee

Can you review this option https://docs.splunk.com/Documentation/AddOns/released/Overview/SplunkCloudinstall#Install_add-ons_to...

and confirm if you are able to install the Saviynt add-on to consume audit logs?

psejpal
New Contributor II

The Splunk vendor has suggested that they are able to go ahead with the add-on install. We are still facing an issue with following the document to create a Saviynt user with the correct permissions. The options to set up permissions in the SAV role are not visible as per the screenshot.

Saviynt SIEM Integration : Customer Portal (freshdesk.com)

Splunk Integration Guide : Customer Portal (freshdesk.com)

BrandonLucas_BF
Regular Contributor III

Let me tell you I have spent hours working through this very issue for our Splunk issue and have mostly figured it out! The documentation seems very incomplete as the listed features for the role are not sufficient for the API calls to the runtime analytic to work correctly. I am still narrowing it down to the least permissions, but I do have it working now without using ROLE_ADMIN. If you share more specifics on where you are at on this I can try to provide guidance.

Sivagami
Valued Contributor

Create a new SAV role, ROLE_SIEM, and based on the analytics version you use to create the runtime analytics, add the access below in the access tab of the SAV role.

Analytics V1 -> SUBMENU.WEBSERVICE.api_v5_fetchRuntimeControlsData

Analytics V2 -> SUBMENU.WEBSERVICE.api_v5_fetchRuntimeControlsDataV2

-Siva

Rishi
Saviynt Employee

psejpal, can you confirm which option was used to configure the add-on so that other community members can also benefit from this information?

Regarding the follow-up question on SAV role access, please refer to the following response - For webservices, the access is fine-grained and can be controlled to the specific webservices that are required to support the functionality. In this case the minimum access needed is to invoke the result of the Analytics webservice fetchRuntimeControlsDataV2 (assuming you are using V2 ES analytics). So you have to configure this access in the SAV role assigned to the service account that you are using in Splunk.

As a best practice when granting access to a service account, limit it to the APIs that you will need for the use case that is being implemented. Do not use the Role_Admin SAV role for the service account, as this will grant a lot more access than needed.

psejpal
New Contributor II

Splunk has accepted that the add-on can be used on SaaS Splunk as well. It's not completed yet, but I will update once the vendor installs it and if it works.

As far as the permission goes, I don't see the fetchRuntimeControlsDataV2 permission in the list at all. So for now we have provided some more permissions, and slowly we will have to reduce them.

Rishi
Saviynt Employee

psejpal, just noticed that you are on v5.5 sp3, so the fetchRuntimeControlsDataV2 API is not applicable for your version. (The list of APIs is available in the following document https://documenter.getpostman.com/view/1797923/TVsvi7G2?version=latest#40ca8455-ba53-4c04-87f7-146ad...)

Search for fetchRuntimeControlsData; you should be able to find it.