
Splunk Integration

Forward Noxys AI interaction events to Splunk via HTTP Event Collector (HEC) for centralized security monitoring and analysis.

Overview

This integration enables:

  • Real-time event streaming from Noxys to Splunk
  • Custom searches and dashboards on AI interaction data
  • Automated alerting based on policy violations
  • Compliance reporting combining AI and security data

Data Flow:

Noxys Event → Webhook → Splunk HEC → Splunk Indexer → Splunk Search → Alerts & Dashboards

Prerequisites

  • Splunk Enterprise or Cloud
  • HTTP Event Collector (HEC) enabled
  • Splunk admin access
  • Noxys admin role

Step 1: Create HEC Token

Enable HTTP Event Collector and create a token.

  1. Splunk → Settings → Data Inputs → HTTP Event Collector
  2. Click New Token
  3. Configure:
    • Name: Noxys AI Firewall
    • Source name override: noxys
    • Default Index: main (or create custom index)
  4. Next
  5. Choose index:
    • Create custom: noxys_interactions
    • Or use existing: security
  6. Review settings
  7. Create Token
  8. Copy the token value (shown only once!)

Step 2: Verify HEC is Enabled

Ensure HTTP Event Collector is globally enabled.

  1. Settings → Data Inputs → HTTP Event Collector
  2. In the toolbar, verify All Tokens is enabled (toggle should be ON)
  3. Note the HEC URL and Port:
    • Cloud: https://your-instance.splunkcloud.com:8088
    • Enterprise: https://your-splunk-server.com:8088

Step 3: Configure in Noxys

Set up webhook forwarding to Splunk HEC.

  1. Noxys Admin Panel → Integrations → Webhooks
  2. Click Create Webhook
  3. Configure:
     Field        Value
     URL          https://your-instance.splunkcloud.com:8088/services/collector
     Events       Select: interaction.policy_violated, interaction.high_risk, alert.severity_critical
     Headers      Add custom header: Authorization: Splunk <token-from-step-1>
     Description  "Splunk HEC Integration"

  4. Click Create

Step 4: Test Connection

Verify events are flowing to Splunk.

  1. In Noxys: Click webhook → Test
  2. In Splunk:
    • Navigate to: Search & Reporting
    • Search: source="noxys"
    • Should see test event
  3. Create a test interaction in Noxys
  4. Should appear in Splunk within seconds
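As an added example (not part of the Noxys documentation and not Noxys or Splunk code), the Python script below does by hand what the webhook in Step 3 and the test in Step 4 do: it wraps a constructed Noxys-style event in the HEC JSON envelope, posts it to /services/collector with the Authorization: Splunk <token> header, and reads back the HEC reply code. HEC_URL, HEC_TOKEN and SAMPLE_EVENT are placeholders; the event field names follow the field list in Step 9.

```python
# Added example (not Noxys or Splunk code): wrap a Noxys-style event in the
# HEC JSON envelope, POST it to /services/collector, and interpret the reply.
# HEC_URL, HEC_TOKEN and SAMPLE_EVENT are constructed placeholders.
import json
import time
import urllib.error
import urllib.request

HEC_URL = "https://your-instance.splunkcloud.com:8088/services/collector"  # placeholder
HEC_TOKEN = "<token-from-step-1>"                                          # placeholder

# Constructed sample of a policy-violation event, using the field names from Step 9.
SAMPLE_EVENT = {
    "event_type": "interaction.policy_violated",
    "data": {
        "platform_id": "chatgpt",
        "user_id": "u-1001",
        "risk_score": 0.87,
        "classifications": [{"type": "CREDIT_CARD"}],
        "policy_decisions": [{"action": "block"}],
    },
}

# HEC reply codes as documented by Splunk for the /services/collector endpoint.
HEC_CODES = {
    0: "Success", 1: "Token disabled", 2: "Token is required",
    3: "Invalid authorization", 4: "Invalid token", 5: "No data",
    6: "Invalid data format", 7: "Incorrect index", 8: "Internal Error",
    9: "Server is busy", 12: "Event field is required", 13: "Event field cannot be blank",
}


def build_hec_payload(event, source="noxys", index=None, when=None):
    """Wrap an event in the HEC envelope. `source` matches the token's source
    override from Step 1, so source="noxys" searches find the event; `index`
    is only set when the token should write somewhere other than its default."""
    payload = {"event": event, "source": source,
               "time": time.time() if when is None else when}
    if index:
        payload["index"] = index
    return payload


def interpret_reply(status, body):
    """Reduce an HTTP status and HEC JSON body to (ok, human-readable message)."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):   # non-JSON body, e.g. a proxy error page
        code = None
    ok = status == 200 and code == 0
    return ok, f"HTTP {status}, HEC code {code}: {HEC_CODES.get(code, 'unknown')}"


def send_event(event, url=HEC_URL, token=HEC_TOKEN, index=None):
    """POST one event; TLS certificates are verified (no equivalent of curl -k)."""
    body = json.dumps(build_hec_payload(event, index=index)).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_reply(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:      # 4xx/5xx replies still carry a HEC JSON body
        return interpret_reply(err.code, err.read().decode())


if __name__ == "__main__":
    print(send_event(SAMPLE_EVENT))
```

A healthy token answers HTTP 200 with {"text":"Success","code":0}; a disabled or wrong token answers 400 or 403 with a non-zero code, which is the first thing to look at when the Step 4 test event does not show up. urllib verifies the server certificate by default, so a certificate problem surfaces as an exception here rather than being hidden the way curl -k hides it.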

Step 5: Create Index (Optional)

Create dedicated index for Noxys data.

  1. Settings → Indexes → New Index
  2. Configure:
    • Index name: noxys_interactions
    • Max KB: 500000 (reasonable default)
    • Max Raw Size MB: 1000
  3. Save
  4. Update HEC token to use this index (Step 1)

Step 6: Create Searches

Build searches to analyze Noxys data.

Search 1: High-Risk Interactions (24h)

source="noxys" event_type="interaction.high_risk" earliest=-24h
| stats count by data.platform_id, data.risk_score
| sort - count

Search 2: Policy Violations by Platform

source="noxys" event_type="interaction.policy_violated"
| stats count by data.platform_id
| rename data.platform_id as Platform, count as "Violation Count"

Search 3: Top Users with Violations

source="noxys" event_type="interaction.policy_violated"
| stats count by data.user_id
| rename data.user_id as User, count as Violations
| sort - Violations
| head 10

Search 4: Blocked Interactions Timeline

source="noxys" event_type="interaction.policy_violated"
| search "data.policy_decisions{}.action"=block
| timechart count by data.platform_id

Step 7: Create Alerts

Set up automated alerts for critical events.

Alert: Multiple Violations from One User

  1. Search → Run search:
source="noxys" event_type="interaction.policy_violated"
| stats count as violation_count by data.user_id
| where violation_count > 10
  2. Save as Alert
  3. Configure:
    • Alert name: "High violation user detected"
    • Frequency: Every hour
    • Trigger condition: When violation_count > 10
  4. Add actions
  5. Save

Alert: Blocked Access to Financial Data

  1. Search:
source="noxys" event_type="interaction.policy_violated"
| search "data.classifications{}.type"=CREDIT_CARD OR "data.classifications{}.type"=IBAN
| search "data.policy_decisions{}.action"=block
  2. Save as alert, trigger immediately
  3. Add actions to escalate

Step 8: Build Dashboards

Create visualization dashboards.

  1. Dashboards → Create Dashboard
  2. Add panels:

Panel 1: Interaction Volume (24h)

source="noxys" | timechart count

Panel 2: Policy Violations by Platform

source="noxys" event_type="interaction.policy_violated"
| chart count by data.platform_id

Panel 3: Risk Score Distribution

source="noxys"
| eval risk_band=case('data.risk_score'<0.2, "0-0.2", 'data.risk_score'<0.5, "0.2-0.5", 'data.risk_score'<0.8, "0.5-0.8", 'data.risk_score'<=1.0, "0.8-1.0")
| chart count by risk_band

Panel 4: Top Classifications Detected

source="noxys"
| stats count by "data.classifications{}.type"
| sort - count
| head 10

Panel 5: Blocked Interactions

source="noxys" event_type="interaction.policy_violated"
| search "data.policy_decisions{}.action"=block
| stats count as blocked_count, latest(_time) as last_violation by data.user_id

Step 9: Verify Data

Confirm events are indexed and searchable.

  1. Search & Reporting
  2. Search: source="noxys" earliest=-1h
  3. Should show recent events with fields:
    • event_type — interaction, alert, policy
    • data.platform_id — chatgpt, claude, etc.
    • data.risk_score — numeric risk
    • data.classifications{} — PII types detected
    • data.policy_decisions{} — Block/Coach/Log actions
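The searches in Steps 6 and 7 refer to array fields with the {} notation that Splunk derives from JSON. As an added example (not Noxys or Splunk code, and not part of the original page), the Python below flattens Noxys-style events into those field names, then evaluates the two Step 7 alert conditions and the Step 6 "top users" ranking over a set of constructed sample events built from the field list above. The event bodies, user ids and platform values are constructed for illustration.

```python
# Added example (not Noxys or Splunk code): flatten Noxys-style events into the
# field names Splunk derives from JSON (nested keys join with ".", array
# elements collapse into a multivalue field named "name{}"), then evaluate the
# Step 7 alert conditions and the Step 6 "top users" ranking over constructed
# sample events.
from collections import Counter, defaultdict

FINANCIAL_TYPES = {"CREDIT_CARD", "IBAN"}      # classifications used in the Step 7 alert


def splunk_fields(obj, prefix=""):
    """Return {splunk_field_name: [values]} for one JSON event, mimicking the
    naming KV_MODE=json produces (e.g. data.classifications{}.type)."""
    fields = defaultdict(list)
    if isinstance(obj, dict):
        for key, val in obj.items():
            child = f"{prefix}.{key}" if prefix else key
            for name, vals in splunk_fields(val, child).items():
                fields[name].extend(vals)
    elif isinstance(obj, list):
        for item in obj:
            for name, vals in splunk_fields(item, prefix + "{}").items():
                fields[name].extend(vals)
    else:
        fields[prefix].append(obj)
    return dict(fields)


def make_event(event_type, user, platform, score, ctypes, action):
    """Build a constructed event with the structure listed in Step 9."""
    return {"event_type": event_type,
            "data": {"platform_id": platform, "user_id": user, "risk_score": score,
                     "classifications": [{"type": t} for t in ctypes],
                     "policy_decisions": [{"action": action}]}}


# Constructed sample: one noisy user, one quieter user, one high-risk event.
SAMPLE_EVENTS = (
    [make_event("interaction.policy_violated", "u-1001", "chatgpt", 0.9, ["CREDIT_CARD"], "block")] * 11
    + [make_event("interaction.policy_violated", "u-1001", "claude", 0.6, ["EMAIL", "PHONE"], "coach")]
    + [make_event("interaction.policy_violated", "u-2002", "chatgpt", 0.7, ["IBAN"], "log")] * 3
    + [make_event("interaction.high_risk", "u-3003", "claude", 0.95, ["CREDIT_CARD"], "block")]
)


def violations_per_user(events):
    """stats count by data.user_id, restricted to policy-violation events."""
    counts = Counter()
    for ev in events:
        f = splunk_fields(ev)
        if f.get("event_type") == ["interaction.policy_violated"]:
            counts[f["data.user_id"][0]] += 1
    return counts


def high_violation_users(events, threshold=10):
    """Alert 1: users whose violation_count exceeds the threshold."""
    return {u: n for u, n in violations_per_user(events).items() if n > threshold}


def blocked_financial(events):
    """Alert 2: blocked violations involving CREDIT_CARD or IBAN. A multivalue
    field matches when any of its values does, as the SPL filter would."""
    hits = []
    for ev in events:
        f = splunk_fields(ev)
        if (f.get("event_type") == ["interaction.policy_violated"]
                and FINANCIAL_TYPES & set(f.get("data.classifications{}.type", []))
                and "block" in f.get("data.policy_decisions{}.action", [])):
            hits.append(ev)
    return hits


def top_users(events, n=10):
    """Search 3: the n users with the most violations, highest first."""
    return violations_per_user(events).most_common(n)


if __name__ == "__main__":
    print(high_violation_users(SAMPLE_EVENTS), len(blocked_financial(SAMPLE_EVENTS)),
          top_users(SAMPLE_EVENTS, 3))
```

Running the script against the sample shows u-1001 crossing the 10-violation threshold, eleven blocked credit-card events, and u-2002's IBAN events correctly excluded from the second alert because their decision was log, not block. The same flattening explains why Panel 4 can group on "data.classifications{}.type" directly: an event with two classifications contributes one count to each value.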

Advanced: Log Forwarding

Forward Splunk indexed data to other systems.

  1. Settings → Forwarding and receiving
  2. Configure destination:
    • Elasticsearch
    • S3
    • Syslog
    • HTTP endpoint
  3. Create forwarding rule:
    • Source index: noxys_interactions
    • Destination: Your endpoint
  4. Verify data flows through

Troubleshooting

Events Not Appearing in Splunk

  1. Verify HEC token:
    • Check token is active (not disabled)
    • Token may be single-use; test with Splunk verification
  2. Check webhook is active:
    • Noxys: Integrations → Webhooks → Status
  3. Review webhook deliveries:
    • Noxys: Webhooks → Deliveries
    • Look for HTTP status code
  4. Test HEC connectivity:
curl -k https://your-splunk.com:8088/services/collector \
  -H "Authorization: Splunk <token>" \
  -d '{"event":"test"}'
     A working token answers {"text":"Success","code":0}; any other code names the problem (disabled token, invalid token, incorrect index). The -k flag disables TLS certificate verification, so use it only for a one-off test against a self-signed certificate.
  5. Check Splunk HEC logs:
    • Splunk: Search & Reporting → index=_internal sourcetype=splunkd token=<token>

Searches Return No Data

  1. Verify event source matches:
    • Search: index=main source="noxys"
    • If no results, check HEC index configuration
  2. Verify event format:
    • Check raw events for JSON structure
    • Ensure required fields are present
  3. Check time range:
    • Default search: last 24 hours
    • Try: earliest=-7d for wider window

High Latency (Events delayed)

  1. Check HEC input load:
    • Settings → Data Inputs → HTTP Event Collector → Monitor
    • Look for queued events
  2. Increase HEC throughput:
    • Settings → Data Inputs → HTTP Event Collector → Edit
    • Increase maxKBps if rate-limited
  3. Check network latency:
    • Ping Splunk HEC endpoint
    • Check firewall rules

Cost Optimization

Splunk costs are based on daily indexing volume:

  • Noxys event size: ~2-5 KB per event
  • Daily volume estimate: 100 events/day = 200-500 KB
  • Monthly estimate: 6-15 MB
  • Typical Splunk cost: $100-300/month (depends on plan)

To reduce costs:

  1. Filter events before sending (send only critical ones)
  2. Increase webhook batch size
  3. Archive old logs to S3
  4. Consider Splunk Cloud instead of Enterprise where it is the lower-cost option for your volume

Best Practices

  1. Filter events wisely:
    • Send: policy_violated, high_risk, alert.critical
    • Skip: interaction.created (too verbose)
  2. Use custom index:
    • Separates Noxys data from security events
    • Easier to manage retention
  3. Implement field extraction:
    • Create props.conf for automatic field parsing
    • Extract platform_id, risk_score, user_id, action
  4. Monitor HEC health:
    • Create alert: "HEC connectivity lost"
    • Alert on missing events
  5. Archive data appropriately:
    • Hot: 7 days
    • Warm: 30 days
    • Cold: 90 days
    • Frozen: Delete or archive to S3

Splunk Configuration Files

props.conf (Field Extraction)

# Index-time routing runs where the data is parsed, so deploy this on the
# indexer (or heavy forwarder) that receives the HEC traffic.
[source::noxys]
SHOULD_LINEMERGE = false
KV_MODE = json
# The key must carry a class name (TRANSFORMS-<class>); a bare TRANSFORMS is ignored.
TRANSFORMS-noxys = noxys_routing

[noxys_interactions]
SHOULD_LINEMERGE = false
KV_MODE = json

transforms.conf (Routing)

[noxys_routing]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = noxys_interactions

Support & Resources