Reco

Reco enables you to create SIEM and SOAR connectors, allowing you to send alerts directly to your organization's centralized event management system. 

From Splunk, you can drill down into Reco alerts to investigate and remediate as needed.

To send Reco alerts to the Splunk alert pipeline, follow these steps:

Step 1: Generate the Splunk Instance URL

From the top menu, navigate to Settings &gt; Data &gt; Data inputs.

On the Data inputs page, select HTTP Event Collector &gt; Global settings.

In the Edit Global settings popup, note the HTTP port number and close the popup.

Copy the Splunk URL in the following format (<a href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector?_gl=1*1heatgl*_gcl_aw*R0NMLjE3MzA5MTE3NTMuQ2p3S0NBaUF4S3k1QmhCYkVpd0FZaVctLTRhOEZqZzltMjlLcm9tYnRaZjRQNEduWGY4R0dJV2xjTi1Hb3ZVLTFweTF1aWYyaWRfNFpob0NpdzhRQXZEX0J3RQ..*_gcl_au*MTk2NjIxMDc1NS4xNzI5NjE0Mjk1*FPAU*MTk2NjIxMDc1NS4xNzI5NjE0Mjk1*_ga*MTExOTE0Mjk4MS4xNzI5NjE0Mjk1*_ga_5EPM2P39FV*MTczMDkyMDkyMy4yNC4xLjE3MzA5MjA5MjMuNjAuMC4xMzMyMzMxOTgw*_fplc*SjFsZ3hvc1JSTkxYcEUySSUyRklZRm9SQ1RaU0NzY215MFd1T0E5cGpjb2Vlc21rMzBKdzNCdHByNEZPJTJGaDRtU0R1ZnVmSkdxUGFjamp4U3YxQkk1U0RNOHN2MWtJVjZGRzNSR0IxYWpkazE3aSUyQmttN21uQzdCZGZjZ3NKcHpBJTNEJTNE" rel="nofollow noopener noreferrer" target="_blank">Splunk Docs</a>):

&lt;protocol&gt;://http-inputs-&lt;host&gt;.splunkcloud.com:&lt;port&gt;/&lt;endpoint&gt;

Endpoint can be: <code>/services/collector/event </code>or <code>/services/collector/raw</code>

1. Log in to your Splunk account.
2. From the top menu, navigate to Settings &gt; Data &gt; Data inputs.

3. On the Data inputs page, select HTTP Event Collector &gt; Global settings.
4. In the Edit Global settings popup, note the HTTP port number and close the popup.
 
 
5. Copy the Splunk URL in the following format (<a href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector?_gl=1*1heatgl*_gcl_aw*R0NMLjE3MzA5MTE3NTMuQ2p3S0NBaUF4S3k1QmhCYkVpd0FZaVctLTRhOEZqZzltMjlLcm9tYnRaZjRQNEduWGY4R0dJV2xjTi1Hb3ZVLTFweTF1aWYyaWRfNFpob0NpdzhRQXZEX0J3RQ..*_gcl_au*MTk2NjIxMDc1NS4xNzI5NjE0Mjk1*FPAU*MTk2NjIxMDc1NS4xNzI5NjE0Mjk1*_ga*MTExOTE0Mjk4MS4xNzI5NjE0Mjk1*_ga_5EPM2P39FV*MTczMDkyMDkyMy4yNC4xLjE3MzA5MjA5MjMuNjAuMC4xMzMyMzMxOTgw*_fplc*SjFsZ3hvc1JSTkxYcEUySSUyRklZRm9SQ1RaU0NzY215MFd1T0E5cGpjb2Vlc21rMzBKdzNCdHByNEZPJTJGaDRtU0R1ZnVmSkdxUGFjamp4U3YxQkk1U0RNOHN2MWtJVjZGRzNSR0IxYWpkazE3aSUyQmttN21uQzdCZGZjZ3NKcHpBJTNEJTNE" rel="nofollow noopener noreferrer" target="_blank">Splunk Docs</a>):
 &lt;protocol&gt;://http-inputs-&lt;host&gt;.splunkcloud.com:&lt;port&gt;/&lt;endpoint&gt;
6. Endpoint can be: <code>/services/collector/event </code>or <code>/services/collector/raw</code>
7. Save this URL for use in the next step.

Step 2: Generate the HTTP Event Connector Token in Splunk

In the top menu, go to Settings &gt; Data &gt; Data inputs.

On the Data inputs page, select HTTP Event Collector &gt; Add new.

In Select Source, name the source (e.g., Reco) and click Next.

Under Input Settings &gt; Source type, choose Automatic and then click Review &gt; Submit.

Save the event connector token for the final step.

1. In the top menu, go to Settings &gt; Data &gt; Data inputs.
2. On the Data inputs page, select HTTP Event Collector &gt; Add new.
3. In Select Source, name the source (e.g., Reco) and click Next.
4. Under Input Settings &gt; Source type, choose Automatic and then click Review &gt; Submit.
5. Save the event connector token for the final step.

Step 3: Connect Splunk SIEM to Reco

In Reco, navigate to Integrations.

Open the SIEM &amp; Automation tab.

Click Add Webhook to start configuring the connection.

Enter the URI you generated earlier (the Splunk Instance URL).

Under Add Header, set the following:

1. Key: <code>Authorization</code>
2. Value: <code>Splunk &lt;&lt;event connector token&gt;&gt;</code>

Save the configuration to complete the integration, enabling Reco alerts to flow directly into Splunk.

1. In Reco, navigate to Integrations.
2. Open the SIEM &amp; Automation tab.
3. Click Add Webhook to start configuring the connection.
4. Enter the URI you generated earlier (the Splunk Instance URL).
5. Under Add Header, set the following:
 1. Key: <code>Authorization</code>
 2. Value: <code>Splunk &lt;&lt;event connector token&gt;&gt;</code>
6. Save the configuration to complete the integration, enabling Reco alerts to flow directly into Splunk.