
Splunk Integration: Agent Security SIEM

Enterprise SIEM integration for agent security events

Forward Rune security events to Splunk via HTTP Event Collector (HEC) for enterprise SIEM integration. Correlate agent security threats with your existing security data — network logs, endpoint detection, and access control events. Build Splunk dashboards and alerts that give your SOC team visibility into AI agent threats.

Add Security in Minutes

Configure in Rune Dashboard → Settings → Notifications
// In Rune dashboard → Settings → Notifications
// Add a webhook channel pointing to Splunk HEC:

{
  "name": "Splunk HEC",
  "type": "webhook",
  "url": "https://YOUR_SPLUNK:8088/services/collector/event",
  "headers": {
    "Authorization": "Splunk YOUR_HEC_TOKEN",
    "Content-Type": "application/json"
  },
  "body_template": {
    "source": "rune-adr",
    "sourcetype": "rune:security_event",
    "event": {
      "agent_id": "{{agent_id}}",
      "threat_type": "{{threat_type}}",
      "severity": "{{severity}}",
      "risk_score": "{{risk_score}}",
      "description": "{{description}}"
    }
  }
}

Full setup guide in the documentation
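
To smoke-test the HEC endpoint and token before pointing the Rune webhook at them, the sketch below (an added example, not Rune's or Splunk's own code) builds one event with the template's field names, places `source` and `sourcetype` as HEC metadata keys beside `event`, and rejects values that still contain unrendered `{{...}}` placeholders. The function names and the sample event are assumptions made for illustration.

```python
import json
import re
import ssl
import urllib.request

REQUIRED = ("agent_id", "threat_type", "severity", "risk_score", "description")
PLACEHOLDER = re.compile(r"\{\{\s*\w+\s*\}\}")  # a template variable left unrendered


def build_hec_payload(fields: dict) -> dict:
    """Wrap one event in the HEC envelope: metadata keys sit beside "event"."""
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    stale = [k for k, v in fields.items() if PLACEHOLDER.search(str(v))]
    if stale:
        raise ValueError(f"unrendered template variables in: {stale}")
    event = dict(fields)
    # The template quotes risk_score; send it as a JSON number instead.
    event["risk_score"] = float(event["risk_score"])
    return {"source": "rune-adr", "sourcetype": "rune:security_event", "event": event}


def send_to_hec(url: str, token: str, payload: dict, timeout: float = 5.0) -> dict:
    """POST one payload to HEC, keeping TLS certificate verification on."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context()  # verifies the Splunk server certificate
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read())  # HEC answers {"text": "Success", "code": 0}


# Constructed sample event for testing, not real Rune output.
SAMPLE = {
    "agent_id": "agent-demo-01",
    "threat_type": "prompt_injection",
    "severity": "high",
    "risk_score": "87",
    "description": "constructed test event",
}

if __name__ == "__main__":
    print(json.dumps(build_hec_payload(SAMPLE), indent=2))
    # To send it, substitute your own host and token:
    # send_to_hec("https://YOUR_SPLUNK:8088/services/collector/event", "YOUR_HEC_TOKEN", build_hec_payload(SAMPLE))
```

Once the test event is accepted, searching for `sourcetype="rune:security_event"` in Splunk confirms it was indexed under the expected sourcetype.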

Why Splunk Agents Need Runtime Security

Enterprise security teams operate from a SIEM. If agent security events aren't in Splunk, they're invisible to the SOC. Integrating Rune with Splunk ensures agent threats are part of your unified security view and compliance audit trail.

Top Threats to Splunk Agents

Critical: SOC Blind Spots

AI agents represent a new attack surface that most SOC dashboards don't cover. Without Splunk integration, prompt injection and data exfiltration attempts go unmonitored.

High: Compliance Gaps

Regulatory frameworks increasingly require monitoring of AI systems. Agent security events in Splunk provide the audit trail needed for SOC 2, GDPR, and emerging AI regulations.

High: Cross-Domain Correlation

An attacker might combine network-level and agent-level attack vectors. Splunk correlation rules can detect multi-vector attacks that span traditional and AI security domains.

What Rune Does for Splunk

HTTP Event Collector

Events are forwarded to Splunk via HEC with structured JSON payloads. Compatible with Splunk Enterprise and Splunk Cloud.

Custom Sourcetype

Events use the rune:security_event sourcetype for easy filtering and dashboard creation. Field extraction is automatic.

SIEM Correlation

Correlate agent security events with network logs, authentication events, and endpoint detection data for comprehensive threat analysis.

Compliance Reporting

Build Splunk reports and scheduled searches that demonstrate agent security monitoring for compliance audits.

Common Splunk Use Cases

  • SOC team monitoring of AI agent threats
  • Compliance audit trails for AI security monitoring
  • Cross-domain threat correlation (network + agent)
  • Executive dashboards for AI security posture

Secure your Splunk agents today

Add runtime security to your Splunk agents in under 5 minutes. Free tier includes 10,000 events per month.
