Splunk Integration
Stream privileged access data to Splunk for comprehensive SIEM analysis, real-time threat detection, security monitoring, and compliance reporting.
Enterprise SIEM Integration
Integrate privileged access data into your Splunk security operations with real-time streaming and advanced analytics.
Real-Time Audit Log Streaming
Stream all privileged access events, authentication logs, and session data to Splunk in real-time via HTTP Event Collector with automatic retry and buffering.
Pre-Built Security Dashboards
Leverage pre-configured Splunk dashboards for privileged access monitoring, threat detection, and compliance reporting with customizable views.
Advanced Security Analytics
Detect anomalous access patterns, lateral movement attempts, and potential security threats with machine learning-powered correlation searches.
Intelligent Alerting
Configure real-time alerts for failed access attempts, policy violations, suspicious commands, and unusual session patterns with automated response workflows.
Complete Splunk Integration
Get Started in Minutes
Follow these simple steps to integrate TigerAccess with Splunk Enterprise or Splunk Cloud.
Configure HTTP Event Collector
Create an HTTP Event Collector token in Splunk Enterprise or Splunk Cloud for TigerAccess to send audit logs and session events.
# In Splunk Web Interface:
1. Navigate to Settings > Data Inputs > HTTP Event Collector
2. Click "New Token"
3. Name: "TigerAccess PAM"
4. Source type: "_json"
5. Index: "tigeraccess" (create if needed)
6. Enable indexer acknowledgment (recommended)
7. Copy the token value
# Verify HEC is enabled globally:
Settings > Data Inputs > HTTP Event Collector > Global Settings
- All tokens: Enabled
- Enable SSL: Yes (recommended)
Configure TigerAccess Integration
Add the Splunk integration in TigerAccess with your HEC endpoint, token, and event filtering preferences.
# Add Splunk integration
tacctl integrations add splunk \
--hec-url=https://splunk.example.com:8088 \
--hec-token=<your-hec-token> \
--index=tigeraccess \
--source=tigeraccess \
--sourcetype=tigeraccess:audit \
--enable-session-logs \
--enable-audit-logs \
--enable-auth-logs \
--batch-size=100 \
--flush-interval=5s
# Test the connection
tacctl integrations test splunk
# Enable the integration
tacctl integrations enable splunk
Install TigerAccess App for Splunk
Install the TigerAccess app from Splunkbase to get pre-built dashboards, searches, alerts, and data models for privileged access monitoring.
# Option 1: Install from Splunkbase
1. Visit Splunkbase and search for "TigerAccess"
2. Click "Install" and follow prompts
3. Restart Splunk
# Option 2: Manual installation
cd $SPLUNK_HOME/etc/apps
wget https://download.tigeraccess.com/splunk/tigeraccess-app-latest.tar.gz
tar -xzf tigeraccess-app-latest.tar.gz
$SPLUNK_HOME/bin/splunk restart
# Verify installation
$SPLUNK_HOME/bin/splunk display app tigeraccess
# Configure the app with your index name
Navigate to TigerAccess app > Settings > Index Configuration
Real-World Security Scenarios
Security Operations Center (SOC)
Integrate privileged access data into your SOC workflows with real-time alerts for suspicious activities, failed access attempts, privilege escalation, and policy violations. Correlate with threat intelligence feeds for enhanced detection.
Compliance and Audit Reporting
Centralize all privileged access logs in Splunk for comprehensive audit trails, automated compliance reporting for SOC 2, PCI DSS, HIPAA, and ISO 27001, and evidence collection for auditors with customizable report templates.
Threat Hunting and Investigation
Correlate privileged access events with other security data sources in Splunk to identify advanced persistent threats, lateral movement attempts, credential theft, and insider threats using powerful search capabilities.
Incident Response and Forensics
Quickly investigate security incidents by searching and analyzing session recordings, command histories, access patterns, and user behavior in Splunk with timeline visualization and session replay capabilities.
Event Fields in Splunk
TigerAccess events include the following structured fields for comprehensive searching and analysis.
| Field | Description |
|---|---|
| event_type | Type of event (auth, session, access, command, etc.) |
| user | User who initiated the action |
| action | Action performed (ssh, db, kube, rdp, etc.) |
| resource | Target resource accessed |
| outcome | Success or failure of the action |
| session_id | Unique session identifier for correlation |
| source_ip | Source IP address of the user |
| destination_ip | Destination IP of the target resource |
| timestamp | Event timestamp in ISO 8601 format |
| duration | Session or action duration in milliseconds |
| protocol | Protocol used (ssh, mysql, postgres, etc.) |
| command | Command executed (for SSH and DB sessions) |
| roles | User roles at the time of access |
| mfa_verified | Whether MFA was verified for the session |
| access_request_id | Associated access request ID if applicable |
| risk_score | Calculated risk score for the event (0-100) |
Splunk Search Examples
Common search patterns to get you started with TigerAccess data in Splunk.
Failed SSH Access Attempts
index=tigeraccess event_type=session action=ssh outcome=failure | stats count by user, resource, source_ip
High-Risk Database Commands
index=tigeraccess action=db (command="*DROP*" OR command="*DELETE*") | table _time user resource command
After-Hours Access
index=tigeraccess earliest=-24h (date_hour<8 OR date_hour>18) | stats count by user, resource
Session Duration Analysis
index=tigeraccess event_type=session | stats avg(duration) as avg_duration, max(duration) as max_duration by user
Frequently Asked Questions
What data does TigerAccess send to Splunk?
TigerAccess sends comprehensive audit logs including authentication events, access requests, session activities, command executions, policy evaluations, certificate issuance, role changes, and security events. All data is structured in JSON format following the Splunk Common Information Model (CIM) for easy integration with existing Splunk apps and Enterprise Security.
Can I create custom alerts in Splunk for TigerAccess events?
Yes. All TigerAccess events are indexed in Splunk with rich metadata and can be used to create custom alerts, correlation searches, and dashboards. The TigerAccess app includes example searches and alert templates you can customize based on your security requirements. You can also integrate with Splunk Enterprise Security for advanced threat detection.
Does TigerAccess support both Splunk Enterprise and Splunk Cloud?
Absolutely. TigerAccess works seamlessly with both Splunk Enterprise (on-premises) and Splunk Cloud. Simply configure the appropriate HEC endpoint for your deployment. For Splunk Cloud, use your cloud HEC endpoint (e.g., https://inputs.splunkcloud.com:8088) and ensure your TigerAccess deployment can reach the Splunk Cloud infrastructure.
How is sensitive data handled in logs sent to Splunk?
TigerAccess automatically redacts sensitive data such as passwords, secrets, API keys, and private keys before sending logs to Splunk. You can configure additional field masking rules based on your security and compliance requirements. Session recordings are stored separately in object storage and are not sent to Splunk; only session metadata and command logs are forwarded.
What happens if the Splunk HEC endpoint is unavailable?
TigerAccess includes automatic retry logic with exponential backoff and local buffering. If Splunk is temporarily unavailable, events are buffered locally in a persistent queue and automatically retried. You can configure buffer size limits and retention policies. Critical audit logs are never lost and will be sent once connectivity is restored.
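The following is an added example, not TigerAccess's own client code: a minimal Python forwarder that mirrors the HEC integration configured above and the redaction and buffering behaviour described in the two FAQ answers. It wraps an event using the field names from the table, masks secret-looking values in `command` before anything leaves the host (the regex is an assumed rule, not the product's), batches events with a channel header for indexer acknowledgment, and retries with exponential backoff while keeping undelivered events buffered. `HEC_URL` and `HEC_TOKEN` are the page's placeholders, and the buffer is an in-memory list standing in for the persistent queue the page describes.

```python
import json, re, time, uuid, urllib.request
from datetime import datetime

HEC_URL = "https://splunk.example.com:8088/services/collector/event"  # placeholder from the page
HEC_TOKEN = "<your-hec-token>"                                         # placeholder from the page
SECRET_RE = re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key)(\s*[=:]\s*|\s+)(\S+)")

def redact(text):  # assumed masking rule: keep the key, replace the value
    return SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)

def build_hec_event(ev, index="tigeraccess", source="tigeraccess", sourcetype="tigeraccess:audit"):
    """Wrap one audit event (field names from the page's table) in the HEC event envelope."""
    ev = dict(ev)  # never mutate the caller's record
    if "command" in ev:
        ev["command"] = redact(ev["command"])
    # HEC 'time' is epoch seconds; the page's timestamp field is ISO 8601
    epoch = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00")).timestamp()
    return {"time": epoch, "source": source, "sourcetype": sourcetype, "index": index, "event": ev}

class HecForwarder:
    """Buffers envelopes, flushes in batches, retries with exponential backoff (in-memory stand-in)."""
    def __init__(self, post, batch_size=100, max_retries=5):
        self.post = post                  # callable(body: bytes, headers: dict) -> HTTP status
        self.batch_size, self.max_retries = batch_size, max_retries
        self.buffer = []                  # undelivered envelopes stay here until acknowledged
        self.channel = str(uuid.uuid4())  # X-Splunk-Request-Channel: required when indexer ack is on

    def enqueue(self, ev):
        self.buffer.append(build_hec_event(ev))
        return self.flush() if len(self.buffer) >= self.batch_size else 0

    def flush(self):  # returns number of events delivered; failed batches remain buffered
        batch = list(self.buffer)
        if not batch:
            return 0
        body = "\n".join(json.dumps(e) for e in batch).encode()  # HEC accepts newline-delimited JSON
        headers = {"Authorization": f"Splunk {HEC_TOKEN}", "X-Splunk-Request-Channel": self.channel}
        for attempt in range(self.max_retries):
            if self.post(body, headers) == 200:
                del self.buffer[:len(batch)]
                return len(batch)
            time.sleep(min(0.1 * 2 ** attempt, 5))  # exponential backoff, capped at 5s
        return 0

def http_post(body, headers, url=HEC_URL):  # real transport; any network/HTTP error = not delivered
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers), timeout=10) as r:
            return r.status
    except OSError:
        return 0
```

In production, `HecForwarder(http_post)` is the wiring; the test-style fake transport below shows the retry path without a network.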