Access Splunk Cloud Connect in Splunk Enterprise Security to access Cloud extensions

Use Splunk Cloud Connect to connect on-premises deployments of Splunk Enterprise Security with Cloud-native, Splunk managed, or Splunk Cloud Services (SCS) security extensions such as Threat Intelligence Management (TIM), Detection Studio (DS), and so on. For troubleshooting common UI issues, see Troubleshoot common issues using Splunk Cloud Connect.

You can use the Splunk Enterprise Security user interface to access Cloud-connected services from an on-premises deployment, and to manage the Cloud connection and Cloud product activation.

If you have "Read Only" access to the Cloud Connect interface, you can view the Cloud product connection details and status; this requires the cloud_connection_product_get capability and the license_read capability. Full Cloud Connect access requires the following capabilities:
  • cloud_connection_product_get
  • license_read
  • license_edit

Connect an on-premises Splunk Enterprise Security deployment to Cloud using Splunk Cloud Connect

Perform the following tasks to connect an on-premises Splunk Enterprise Security to Cloud using Splunk Cloud Connect:

  1. (Optional) Set up proxy settings for your Splunk environment using the link in General settings of Splunk Enterprise Security.
  2. Access Splunk Cloud Connect in Splunk Enterprise Security.
  3. Follow the prompts to provision tenants and authenticate the connection.

Set up proxy settings

As a Splunk Enterprise Security administrator, you might need to set up proxy settings before you can use Splunk Cloud Connect.

Follow these steps to configure and manage proxy settings in Splunk Enterprise Security:

Note: Setting up or updating proxy settings impacts the entire Splunk Platform deployment.
  1. In the Splunk Enterprise Security app, select the Configure tab.
  2. Select General settings and then select Network proxy.
  3. Enter values for proxy servers as required based on the following table:
    Field: HTTP proxy
    Description: Proxy server for HTTP requests. HTTP sends data in plain text, which makes it vulnerable to interception.
    Example: http://proxy.internal.mycompany.com:8080

    Field: HTTPS proxy
    Description: Proxy server that handles encrypted traffic between a client and a web server to establish a secure tunnel. If not configured, the HTTP proxy server is used.
    Example: https://proxy.internal.mycompany.com:8443

    Field: No proxy
    Description: Comma-separated list of hosts and IP addresses that bypass the proxy server settings.
    Example: localhost, 127.0.0.1, 10.0.0.0/8, internal.mycompany.com
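As an added example (not part of the Splunk documentation or product code), the following Python script shows how a client applies the three settings above when choosing a proxy for a destination: the HTTPS proxy falls back to the HTTP proxy when it is not set, as the table states, and destinations matching the No proxy list go direct. The settings dictionary keys (http_proxy, https_proxy, no_proxy), the destination URLs, and the interpretation of No proxy entries as exact hostnames, domain suffixes or CIDR ranges are assumptions of this example, not Splunk configuration keys or documented matching rules.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed settings mirroring the example values in the table above.
# The key names are this example's own, not Splunk configuration keys.
PROXY_SETTINGS = {
    "http_proxy": "http://proxy.internal.mycompany.com:8080",
    "https_proxy": "https://proxy.internal.mycompany.com:8443",
    "no_proxy": "localhost, 127.0.0.1, 10.0.0.0/8, internal.mycompany.com",
}


def parse_no_proxy(value: str) -> list:
    """Split the comma-separated No proxy value into typed entries.

    An entry that parses as an IP address or CIDR range becomes a network
    entry; anything else is treated as a hostname or domain suffix
    (assumed matching rule for this example).
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip().lower()
        if not item:
            continue
        try:
            entries.append(("net", ipaddress.ip_network(item, strict=False)))
        except ValueError:
            entries.append(("host", item.lstrip(".")))
    return entries


def bypasses_proxy(host: str, entries: list) -> bool:
    """Return True when the destination host matches a No proxy entry."""
    host = host.lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not a literal IP address
    for kind, entry in entries:
        if kind == "net" and addr is not None and addr in entry:
            return True
        # Exact host match, or the host lies under the listed domain suffix.
        if kind == "host" and (host == entry or host.endswith("." + entry)):
            return True
    return False


def select_proxy(url: str, settings: dict) -> Optional[str]:
    """Return the proxy URL to use for a destination, or None to connect directly."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if bypasses_proxy(host, parse_no_proxy(settings.get("no_proxy", ""))):
        return None
    if parts.scheme == "https":
        # Documented behaviour: use the HTTP proxy when no HTTPS proxy is configured.
        return settings.get("https_proxy") or settings.get("http_proxy")
    return settings.get("http_proxy")


if __name__ == "__main__":
    for dest in ("https://api.scs.example.com/v1", "http://api.scs.example.com/",
                 "https://10.20.30.40/", "https://vault.internal.mycompany.com/"):
        print(dest, "->", select_proxy(dest, PROXY_SETTINGS) or "direct")
```

The suffix rule is deliberately anchored on a leading dot so that internal.mycompany.com does not also bypass the proxy for a host such as internal.mycompany.com.example; a looser substring match would quietly route traffic for an unrelated domain around the proxy.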

Access Splunk Cloud Connect in Splunk Enterprise Security

Prerequisites
  • Ensure that you have the necessary access permissions to set up Splunk Cloud Connect.
  • Ensure that you have set up proxy server settings in Splunk Enterprise Security, if required.
  • Ensure a thorough understanding of your organization’s data flow and approval processes.
Follow these steps to access Splunk Cloud Connect in Splunk ES:
  1. In the Splunk Enterprise Security app, select the Configure tab.
  2. Select General settings and then select Cloud Connect.
  3. Select Establish Cloud Connect. Alternatively, you can also use All configurations to access Splunk Cloud Connect in Splunk Enterprise Security.
    Note: Connection to Splunk Cloud Connect might take approximately 5 minutes. If the connection is not established, check your network settings, firewall rules, and proxy settings.
    Note: Audit logs for Splunk Cloud Connect are written to a KV Store collection so that the last 10 events can be surfaced without running a search, even though this can cause a slight performance slowdown.

Provision tenants to configure Splunk Cloud Connect

After Splunk Enterprise Security is connected to Splunk Cloud Connect, you must provision Cloud tenants such as an AWS Account subscription to enable resource provisioning.

Follow these steps to provision tenants:
  1. In Establish Cloud Connect, enter your Preferred tenant identifier.
    Note: The preferred tenant identifier must begin with one or more lowercase alphanumeric characters, optionally followed by hyphen-separated segments of between 3 and 63 characters. Domain URLs and GUIDs are not supported. Additionally, the segments cannot start or end with a hyphen.
    For example: mytenant, my-tenant, t-name-123.
  2. Select an appropriate Splunk Cloud Region for your connection. For example: US-East; US-West
  3. Enter an email address associated with your Splunk purchase account or the Salesforce (SFDC) email associated with your Splunk license account.
  4. Select the checkbox to agree to Splunk terms.
  5. Select Next.
  6. Select Confirm and continue to confirm your Cloud Connect details.
    Note: A verification code is sent to the email address specified.
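The following Python script is an added example, not Splunk code, that validates a preferred tenant identifier against the rule stated in the note above and derives the tenant name in the cmp-<identifier>-NN form described in the authentication section. One interpretation is assumed here: the first segment may be any number of lowercase alphanumerics (the documented example t-name-123 starts with a single character), and each further hyphen-separated segment is 3 to 63 characters; GUIDs and anything containing a dot, slash or colon are rejected explicitly.

```python
import re
from typing import Tuple

# Assumed reading of the documented rule: first segment one or more lowercase
# alphanumerics, each further segment 3-63 lowercase alphanumerics, single hyphens.
TENANT_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]{3,63})*$")

# Standard 8-4-4-4-12 hexadecimal GUID layout, which the page says is not supported.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def validate_tenant_identifier(value: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate preferred tenant identifier."""
    if not value:
        return False, "identifier is empty"
    if value != value.lower():
        return False, "identifier must be lowercase"
    if any(c in value for c in "./:"):
        return False, "domain names and URLs are not supported"
    if GUID_RE.match(value):
        return False, "GUIDs are not supported"
    if value.startswith("-") or value.endswith("-"):
        return False, "segments cannot start or end with a hyphen"
    if not TENANT_RE.match(value):
        return False, ("must be lowercase alphanumeric segments separated by single "
                       "hyphens; segments after the first are 3-63 characters")
    return True, "ok"


def scs_tenant_name(identifier: str, attempt: int = 1) -> str:
    """Build the SCS tenant name for a verification-code request.

    The first request uses cmp-<identifier>-01; each resend increments the
    two-digit suffix, as described in the authentication section.
    """
    ok, reason = validate_tenant_identifier(identifier)
    if not ok:
        raise ValueError(reason)
    if attempt < 1:
        raise ValueError("attempt counter starts at 1")
    return f"cmp-{identifier}-{attempt:02d}"


if __name__ == "__main__":
    # Constructed candidates: the page's own examples plus a few invalid shapes.
    for cand in ("mytenant", "my-tenant", "t-name-123", "My-Tenant", "-abc",
                 "abc-", "abc--def", "internal.mycompany.com",
                 "f5aae933-33f5-4005-9289-5e76a5e33de5"):
        print(f"{cand!r:45} -> {validate_tenant_identifier(cand)}")
    print(scs_tenant_name("my-tenant"), scs_tenant_name("my-tenant", attempt=2))
```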

Authenticate the connection with Splunk Cloud Connect

If the tenant provisioning is successful, you get a 36-character verification code with hyphens that you can use to authenticate the connection. The verification code is valid for 15 minutes.
Note: Requesting that the verification code be resent increments the tenant name by a single digit. When you request the verification code for the first time, the request includes the tenant name in the form cmp-<user entered string for tenant>-01. When you request the verification code again, the tenant name whose OTP you used to establish trust with Splunk Cloud Services (SCS) is incremented by a single digit.
Follow these steps to authenticate the connection of your Cloud tenant with Splunk Cloud Connect:
  1. Check your administrative contact email for a verification code.
  2. Enter the verification code. For example: f5aae933-33f5-4005-9289-5e76a5e33de5
  3. Select Next.
  4. If the verification code successfully authenticated your Cloud connection, you go to the activation stage. If the verification code did not work, you can contact Splunk Support or request that the code be resent. You can also stop the process and start over. For troubleshooting common UI issues, see Troubleshoot common issues using Splunk Cloud Connect.
Note: If there is an error during health checks, an error is logged stating that a temporary key file could not be deleted, and that file must be deleted from the disk manually. The error has the following format: ERROR utils.scs_utils: Failed to delete temporary key file /tmp/tmpx7k2m_9q.pem: <ERROR MSG>; manual cleanup may be needed.

If the authentication process is successful, your Cloud connection is activated and your Cloud resources are provisioned.
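Because the error above means key material may have been left on disk, an administrator will want to find such lines and confirm whether the files still exist. The following Python script is an added example, not Splunk code: it parses log lines in the documented format, extracts the file path and error message, and reports any path that is still present so it can be removed by hand. The sample log is constructed; the first path is the page's own example and the second is made up. The timestamp prefix and the specific error messages are assumptions.

```python
import os
import re
from typing import Callable, Dict, List

# Pattern for the documented error line; the file path and error message are captured.
CLEANUP_ERROR_RE = re.compile(
    r"ERROR utils\.scs_utils: Failed to delete temporary key file "
    r"(?P<path>\S+?): (?P<msg>.*?); manual cleanup may be needed\."
)

# Constructed sample log (timestamps and error messages are assumptions).
SAMPLE_LOG = """\
2024-01-01 10:00:01,000 INFO  utils.scs_utils: Health check started
2024-01-01 10:00:02,123 ERROR utils.scs_utils: Failed to delete temporary key file /tmp/tmpx7k2m_9q.pem: [Errno 13] Permission denied; manual cleanup may be needed.
2024-01-01 10:00:03,456 INFO  utils.scs_utils: Health check finished
2024-01-01 10:05:02,789 ERROR utils.scs_utils: Failed to delete temporary key file /tmp/tmpa1b2c3d4.pem: [Errno 16] Device or resource busy; manual cleanup may be needed.
2024-01-01 10:05:02,790 ERROR utils.scs_utils: Failed to delete temporary key file /tmp/tmpa1b2c3d4.pem: [Errno 16] Device or resource busy; manual cleanup may be needed.
"""


def parse_cleanup_errors(lines) -> List[Dict[str, str]]:
    """Return one record per matching error line with its path and message."""
    records = []
    for line in lines:
        match = CLEANUP_ERROR_RE.search(line)
        if match:
            records.append({
                "path": match.group("path"),
                "msg": match.group("msg"),
                "line": line.rstrip(),
            })
    return records


def stale_key_files(records: List[Dict[str, str]],
                    exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the unique paths from the records that are still present on disk.

    The existence check is injectable so the logic can be tested without
    touching the real filesystem.
    """
    stale: List[str] = []
    for record in records:
        path = record["path"]
        if path not in stale and exists(path):
            stale.append(path)
    return stale


def main() -> None:
    records = parse_cleanup_errors(SAMPLE_LOG.splitlines())
    for record in records:
        print(f"{record['path']}: {record['msg']}")
    for path in stale_key_files(records):
        print("still on disk, remove manually:", path)


if __name__ == "__main__":
    main()
```

In practice the lines would be read from the Splunk log file rather than the embedded sample; the script only reports paths and leaves the deletion to the administrator, since removing a file the platform is still using could itself cause a failure.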