---
title: "Splunk SIEM Integration"
slug: "splunk-siem"
tags: ["Incident Response", "Silent Push", "Splunk Integration", "Threat Intelligence"]
updated: 2026-01-08T17:49:53Z
published: 2026-01-08T17:49:53Z
---

# Splunk SIEM

The Silent Push app for Splunk enhances your SIEM environment by integrating proactive threat intelligence. It enables real-time lookups, feed ingestion, and correlation of domains, IPs, and Indicators of Future Attack (IOFA™) with Splunk event data, streamlining threat detection and response.

## Key features

The Silent Push app integrates the following Silent Push data types into Splunk:

- **Indicators of Future Attack (IOFA)**: Provides early warnings of potential breaches by correlating with existing logs.
- **PADNS data**: Accesses DNS records and enriches context with metrics like IP Diversity for threat hunting and analysis.
- **Reputation data**: Investigates the history and trustworthiness of indicators like ASNs, nameservers, and subnets.
- **Enrichment data**: Retrieves context for domains, IPv4, and IPv6 to identify and understand potential security threats.
- **Web Scan data**: Searches historical IP scanning data, retrieves current metadata, and captures screenshots for incident response.
- **Correlation results**: Matches indicators within Splunk indices to enhance security monitoring and incident response.

## Benefits

- Splunk users gain seamless access to Silent Push's threat intelligence datasets.
- Correlate logs with IOFAs for early breach warnings.
- Access enriched context for domains, IPs, and other indicators.
- Automate data enrichment with reputation and risk scores for domains and IPs.
- Security logs are enriched with risk and reputation scores, enabling faster, informed decisions.

## Requirements

To get started with the Silent Push app for Splunk, you need the following:

- **Silent Push API Key**: Obtain a valid API key from a Silent Push account.
- **Splunk Version**: Compatible with Splunk Enterprise 9.0.x, 9.1.x, 9.2.x, 9.3.x, or Splunk Cloud.
- **Operating system**: Platform-independent.
- **Optional**:
  - Splunk Common Information Model (CIM) for matching indicators with data model events.
  - Splunk Enterprise Security (ES) for creating notable events based on correlations.

## Deployment Options

### Standalone Instance

Install the Silent Push app on a single Splunk instance and configure it as described in the Configuration section below.

### Distributed Environment

- On the instances that collect data (forwarders), install the app to collect Silent Push feeds and forward the enriched logs to indexers.
- On search heads, install the app to enable dashboards, correlation searches, and direct queries. In Search Head Clusters, install on all search heads but configure only one instance; configurations replicate via the KVStore.

### Splunk Cloud

- Install the app on a Splunk Cloud Search Head for correlation, searches, and dashboards.
- For data collection, configure the app on a Splunk-managed Input Data Manager (IDM) or an on-premises Heavy Forwarder. Contact Splunk Support for assistance with IDM configuration.

## Install Silent Push integration

- **From SplunkBase**: Download the Silent Push Technical Add-on (TA) from SplunkBase.
- **Within Splunk**: Navigate to **Apps > Find More Apps**, search for Silent Push, and install.

## Configuration

### Account setup

1. Go to **Configuration > Account**.
2. Enter your **Silent Push API Key** and a unique **Account Name** (used only within the Splunk app).

### Proxy (optional)

For on-premises Splunk instances, configure a proxy for connecting to Silent Push for feed updates and lookups:

1. Navigate to **Configuration > Account**.
2. Specify proxy type (HTTP or SOCKS5), host, port, and credentials (if required).

### Inputs

Configure Silent Push feeds (IOFA or custom feeds) for ingestion:

1. Go to **Inputs > Create New Input**.
2. Provide:
  - **Name**: Unique feed name in Splunk.
  - **Silent Push account**: Select the configured account.
  - **Index**: Optional; specify if Collection Type is set to index.
  - **Interval**: Feed download interval (in seconds).
  - **Threat intelligence type**: Set to Feed (Filter Profile for legacy customers).
  - **Source UUID**: Copy the feed's UUID from the Silent Push URL (filter by Feed Name).

### Correlation settings

Customize how Silent Push indicators match Splunk event data:

1. Navigate to **Configuration > Correlation Settings**.
2. Configure:
  - **Enabled indicator types**: Select indicator types for correlation.
  - **Search matching algorithm**: Choose based on your data ingestion method:
    - **Raw search**: Matches fields directly; ideal for custom or non-CIM-compliant data.
      - **IP/Domain target query**: Splunk queries to retrieve events for IP or domain correlation.
      - **IP/Domain target fields**: Event fields to match against IP or domain indicators.
    - **Data model search**: Matches against CIM data models for faster performance with normalized data.
      - **Select datamodels**: Choose CIM data models (if Data Model Search is selected).

> **Tip**: Raw Search offers flexibility; Data Model Search provides faster performance with normalized data.
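To make the raw-search matching mode concrete, here is an added example (not code from the Silent Push app) that mimics what the correlation settings describe: the operator names the event fields to compare with domain and IP indicators, and each hit becomes a record like those kept in a matched-indicator lookup. The feed entries, events, field names and the `IndicatorIndex`/`correlate` helpers are all constructed for this example; domain and IP values use reserved documentation ranges rather than real indicators.

```python
"""Correlate threat-feed indicators against Splunk-style events.

Added example (not code from the Silent Push app). It mimics the raw-search
mode, where the operator names the event fields ("target fields") that are
compared with domain and IP indicators. Feed entries, events and field
names are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample feed. Values come from reserved documentation ranges
# (RFC 2606 names, RFC 5737 addresses), not real indicators.
FEED = [
    {"type": "domain", "value": "bad.example.net"},
    {"type": "ipv4", "value": "203.0.113.7"},
    {"type": "subnet", "value": "198.51.100.0/24"},
]

# Constructed sample events. "query" holds the DNS name a host asked for;
# "src_ip"/"dest_ip" are the addresses seen in the log.
EVENTS = [
    {"_time": "2026-01-08T10:00:00Z", "src_ip": "10.0.0.5",
     "dest_ip": "203.0.113.7", "query": "intranet.example.com"},
    {"_time": "2026-01-08T10:01:00Z", "src_ip": "10.0.0.9",
     "dest_ip": "198.51.100.44", "query": "cdn.bad.example.net"},
    {"_time": "2026-01-08T10:02:00Z", "src_ip": "10.0.0.9",
     "dest_ip": "192.0.2.1", "query": "www.example.org"},
]


class IndicatorIndex:
    """Holds feed indicators in forms that make event matching cheap."""

    def __init__(self, feed: List[Dict[str, str]]) -> None:
        self.domains = set()   # normalised domain indicators
        self.ips = set()       # exact single-address indicators
        self.nets = []         # subnet indicators as network objects
        for ind in feed:
            kind, value = ind["type"], ind["value"]
            if kind == "domain":
                self.domains.add(value.lower().rstrip("."))
            elif kind in ("ipv4", "ipv6"):
                self.ips.add(str(ipaddress.ip_address(value)))
            elif kind == "subnet":
                self.nets.append(ipaddress.ip_network(value, strict=False))

    def match_domain(self, name: str) -> Optional[str]:
        """Return the indicator equal to the name or to one of its parent
        domains, so 'bad.example.net' also hits 'cdn.bad.example.net'."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, value: str) -> Optional[str]:
        """Return the exact IP indicator or the subnet containing the address.
        Non-IP values (empty fields, hostnames) simply do not match."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        if str(addr) in self.ips:
            return str(addr)
        for net in self.nets:
            if addr in net:
                return str(net)
        return None


def correlate(events, index, domain_fields, ip_fields):
    """Compare each event's target fields against the index and return one
    match record per (event, field) hit."""
    matches = []
    for ev in events:
        for fld in domain_fields:
            hit = index.match_domain(ev.get(fld, ""))
            if hit:
                matches.append({"_time": ev["_time"], "field": fld,
                                "event_value": ev[fld], "indicator": hit,
                                "indicator_type": "domain"})
        for fld in ip_fields:
            hit = index.match_ip(ev.get(fld, ""))
            if hit:
                matches.append({"_time": ev["_time"], "field": fld,
                                "event_value": ev[fld], "indicator": hit,
                                "indicator_type": "subnet" if "/" in hit else "ip"})
    return matches


if __name__ == "__main__":
    idx = IndicatorIndex(FEED)
    for m in correlate(EVENTS, idx, ["query"], ["src_ip", "dest_ip"]):
        print(m)
```

Run as written, the three sample events yield three matches: an exact IP hit, a parent-domain hit on `cdn.bad.example.net`, and a subnet hit on `198.51.100.44`. The parent-domain walk is why feed indicators should be registrable domains rather than bare TLDs, and the `ipaddress` parsing is what lets a target field that sometimes holds a hostname be compared with IP indicators without errors.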

### Logging

Set the app’s logging level:

1. Go to **Configuration > Logging**.
2. Select a log level: **DEBUG**, **INFO** (default), **WARNING**, or **ERROR**.
3. Logs are stored at: `$SPLUNK_HOME/var/log/splunk/ta_silent_push_*.log`.

### Dashboards

The Silent Push app includes dashboards for:

- **Indicators overview**: Track collected indicators over time.
- **Correlation overview**: Monitor matches between Silent Push feeds and Splunk events.
- **Enrichment**: Perform real-time lookup using the Silent Push API.
- **Reputation**: Explore reputation data for IPs, ASNs, nameservers, and subnets.
- **PADNS**: Investigate domains via forward/reverse lookups, density lookups, and ASN associations.
- **Explore web data**: Conduct live URL scans, capture screenshots, and search web scan data.

## Lookups, saved searches, and custom commands

### Lookups

- `silent_push_indicators_enrichment_domain`: Domain enrichment data.
- `silent_push_indicators_enrichment_ip`: IPv4/IPv6 enrichment data.
- `silent_push_matched_indicators_domain`: Correlated domain indicators.
- `silent_push_matched_indicators_ip`: Correlated IP indicators.

### Saved Searches

Scheduled searches (detailed in the app's README.md) support:

- Updating enrichment and correlation lookups.
- Matching Splunk events with Silent Push indicators.
- Generating notable events (with Splunk ES).

### Custom Commands

Custom commands (listed in the app’s README.md) enable:

- On-demand correlation with Silent Push feeds.
- Account usage queries.
- PADNS lookups and web scans.
- Enrichment for domains, IPs, subnets, and URLs.
