Splunk integration

Find more info on what you can achieve by integrating CybSafe to Splunk

Robert Shough avatar
Written by Robert Shough
Updated over a week ago

Integrating with Splunk is easy all you need to do is to follow the setup guide on our Integrations page.

How to get setup?

Our setup is essentially in two parts;

  • Install an add on.

  • Then configure the behaviour events to be sent to CybSafe.

Install the Add on

First follow the steps to install the add on so you can see the CybSafe App in Splunk.
All instructions can be found in the Splunk section on our Integrations page.

Configure your integration to send events to Cybsafe

Use our pre built connector or map a specific piece of data to one of our security behaviours.


Using pre-built connector

  1. Create a search which isolates data from a supported data source (currently Management Activity data as obtained from the Splunk Add-On for Microsoft 365)

  2. Create a new alert based on this search

    Image showing the New Search setup screen in Splunk


  3. Add the custom trigger action "Forward MS 365 Management Event" to the alert.

    Image depicting the setup of the alert to forward to CybSafe


  4. Click "Save".

Reporting identified behaviour events

  1. Identify the data of interest in a normal Splunk search.

  2. Transform the data to extract;

    1. A field user_email which contains the email address of the cybsafe user associated with the event.

    2. A field timestamp which contains the time in ISO 8601 format at which the event occurred.

      *Hint: the table and rename search functions are very useful.

  3. Set up an alert based on this transformed search.

  4. Add the custom trigger action “Report security behaviour event”.

    1. Select the appropriate security behaviour if available.

    2. Choose whether the event identified is positive of negative.

      Image showing the configuration of the search alert and mapping to a CybSafe security behaviour


  5. Click "Save".

Supported security behaviours

The following security behaviours can be mapped using the reporting identified behaviour events setup.

Security Behaviours

  • SB009 Reporting old accounts

  • SB010 Doesn't share passwords

  • SB013 Reporting security incidents

  • SB014 Asking for help

  • SB015 Completing security awareness training

  • SB022 Installs antivirus on all compatible devices

  • SB023 Enabling firewalls

  • SB032 Doesn't plug unknown devices into work devices

  • SB091 Does not forward work information to personal email addresses

  • SB150 Does not use a password that has been compromised in a data breach

  • SB151 Does not use weak passwords

  • SB152 Does not log in with shared credentials

  • SB153 Does not run a file from an unknown source

  • SB154 Does not visit unauthorised websites

  • SB155 Does not download content or material from unauthorised websites

  • SB156 Discloses credentials to a phishing site

  • SB158 Downloads a file from an unknown source

  • SB159 Does not click a phishing link

  • SB161 Reports a suspected phishing email

  • SB163 Does not open a phishing email

  • SB164 Does not open an attachment in a phishing email

  • SB167 Reports a suspected phishing message

  • SB169 Does not open an attachment in a message from an unknown source

  • SB173 Does not use work email addresses for non-work purposes

  • SB174 Does not log in from a device running out of date operating software

  • SB175 Does not log in from a rooted mobile device

  • SB178 Does not share a desktop device

  • SB182 Does not send sensitive information out of the business (email or otherwise)

  • SB184 Does not share a file containing confidential information

  • SB185 Does not post confidential information in a public messaging channel

  • SB186 Does not post PII in a public channel

  • SB187 Does not share a file containing PII

  • SB188 Does not share sensitive information with unauthorised recipients

  • SB192 Does not disable MFA

  • SB195 Completes policy attestation

  • SB196 Doesn't share documents or files containing malicious links

  • SB198 Does not use unapproved device for work purposes

  • SB203 Uses biometrics to access online account

  • SB204 Uses biometrics to access mobile device

  • SB209 Uses a stand-alone password manager application

  • SB210 Saves passwords or passphrases into a browser

Still have questions?

If you still have questions, you can contact the CybSafe team via [email protected]. We’re on hand to help resolve any further issues!

Did this answer your question?