Setting Up Qevlar AI with Splunk Cloud
This guide will help you integrate Qevlar AI with your Splunk Cloud environment. The integration enables Qevlar's autonomous security analysts to investigate incidents using your Splunk data with optimal performance and minimal impact on your infrastructure.
⚠️ IMPORTANT
To complete this integration, you will need to schedule an appointment with our team. Please contact your Qevlar representative or reach out to support@qevlar.ai to arrange this.
Overview
How Qevlar Queries Splunk
Qevlar uses accelerated data models and the tstats command instead of traditional raw log searches. This approach provides:
- 100x-1000x faster query performance
- Significantly reduced CPU load on your search heads
- Minimal impact on production systems during investigations
Critical requirement: Qevlar uses the summariesonly=true flag, which means data models must be properly accelerated. If a data model is present but not accelerated, Qevlar will receive zero results.
Prerequisites
Before integrating Qevlar with Splunk Cloud, ensure you have:
- Administrative access to your Splunk Cloud instance
- The Splunk Common Information Model (CIM) add-on installed
- Technology Add-ons (TAs) properly configured to map your data sources to CIM models
Technology Add-ons are pre-built integrations that normalize data from specific vendors/products to work with the CIM. You'll need TAs for each data source you're ingesting. Common examples include:
- Splunk Add-on for Microsoft Windows - for Windows event logs
- Splunk Add-on for Microsoft Sysmon - for Sysmon data
- Splunk Add-on for Palo Alto Networks - for firewall logs
- Splunk Add-on for CrowdStrike - for EDR data
- Splunk Add-on for Microsoft Office 365 - for O365 logs
- Splunk Add-on for Cisco ASA - for Cisco firewall logs
Find TAs for your specific data sources on Splunkbase. Search for "[vendor name] TA" or "[product name] add-on" and ensure they specify CIM compliance.
- Permissions to create user accounts and configure data model acceleration
Setup Steps
Step 1: Create a Qevlar User Account
Create a dedicated service account for Qevlar to access your Splunk Cloud instance:
- Navigate to Settings > Users in your Splunk Cloud console
- Click New User
- Enter the following details:
  - Name: Choose a username (e.g., qevlar_service)
  - Full Name: Qevlar AI Service Account
  - Email Address: Your internal tracking email
  - Password: Create a strong password
  - Time Zone: (Optional) Set to your organisation's primary timezone
  - Default App: Search (recommended)
- Assign appropriate roles (minimum: can_search, power user recommended)
- Click Save
ℹ️ Important: Store the username and password securely. You will need these credentials during the integration setup with Qevlar.
Step 2: Identify Your Splunk Cloud Host
The host is the unique domain name of your Splunk Cloud deployment, following this pattern:
<deployment-name>.splunkcloud.com
To find your host:
- Log in to your Splunk Cloud console
- Look at the URL in your browser's address bar
- The deployment name is the portion before .splunkcloud.com
Example: If your URL is https://acme-data.splunkcloud.com, your host is acme-data.splunkcloud.com
Step 3: Configure Required Data Models
Qevlar requires specific CIM data models to be enabled and accelerated to perform autonomous investigations effectively.
Required Data Models
The following data models must be enabled and accelerated with a summary range of at least 30 days:
| Data Model | Purpose |
|---|---|
| Authentication | Baseline user behaviour, detect brute force attacks and impossible travel patterns |
| Network_Traffic | Detect C2 callbacks, port scanning, and data exfiltration |
| Endpoint | Analyse process lineage, file modifications, and registry changes |
| Web | Investigate proxy logs, malicious domains, and suspicious user agents |
| Email | Trace phishing attempts and analyse sender reputation and attachment hashes |
| Change | Detect unauthorised account creation, log clearing, and system modifications |
| Intrusion_Detection | Correlate IDS/IPS signatures with endpoint activity |
| Threat_Intelligence | Validate hashes and IPs against known threat feeds |
Acceleration Configuration
Recommended acceleration settings:
- Summary Range: Last 30 days (minimum)
- Summary Indexing Schedule: Every 5 minutes (default)
Why 30 days? To detect anomalies such as data exfiltration or lateral movement, Qevlar's AI calculates statistical baselines. A 30-day window provides sufficient historical data to distinguish genuine anomalies from false positives.
Step 4: Verify Data Model Configuration
Before connecting Qevlar, verify that each required data model is properly accelerated and receiving data:
Test query template:
| tstats summariesonly=t count from datamodel=<DataModelName> where earliest=-24h
Example for Authentication:
| tstats summariesonly=t count from datamodel=Authentication where earliest=-24h
✅ Success: Query returns a count greater than 0
❌ Failure: Query returns 0 or an error - acceleration is missing or data is not properly mapped to the CIM model
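As an added example (not part of this guide, and not Qevlar's or Splunk's own code), the script below runs the Step 4 check for all eight required data models (the phishing row in the table is the CIM Email model) and goes one step further than the -24h query: it also reports whether each summary reaches back far enough for the 30-day baseline. It assumes the Splunk REST endpoint /services/search/jobs/export on management port 8089 is reachable with the Step 1 service account (Splunk Cloud must allow API access from your source IP), that the endpoint streams newline-delimited JSON when output_mode=json, and environment variables named SPLUNK_HOST, SPLUNK_USER and SPLUNK_PASSWORD (names chosen here). The sample responses are constructed.

```python
"""Check that the CIM data models Qevlar queries are accelerated, fresh and
backfilled for a 30-day baseline. Added example; assumptions are in the
lead-in (REST export endpoint, NDJSON output, env var names)."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

REQUIRED_MODELS = [
    "Authentication", "Network_Traffic", "Endpoint", "Web",
    "Email", "Change", "Intrusion_Detection", "Threat_Intelligence",
]
DAY = 86400
SUMMARY_DAYS = 30     # minimum summary range recommended in the guide
FRESH_SECONDS = DAY   # the guide's -24h check: a healthy summary has recent events


def verification_spl(model):
    """Build the check query. summariesonly=t is the whole point: without it
    tstats falls back to raw events, so an unaccelerated model would look
    healthy here while returning nothing to Qevlar. min/max(_time) show how
    far back the summary reaches and how fresh it is; a count alone cannot."""
    return ("| tstats summariesonly=t count min(_time) as first_event "
            "max(_time) as last_event "
            f"from datamodel={model} where earliest=-{SUMMARY_DAYS}d")


def parse_export(ndjson):
    """Return the fields of the last non-preview row streamed by search/jobs/export."""
    final = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("preview") is False and isinstance(obj.get("result"), dict):
            final = obj["result"]
    return final


def assess(model, row, now):
    """Map one result row to (status, message) using the guide's criteria."""
    count = int(row.get("count") or 0)
    if count == 0:
        return ("FAIL", f"{model}: 0 summarised events; acceleration is off "
                        "or the data is not mapped to this CIM model")
    first_event, last_event = float(row["first_event"]), float(row["last_event"])
    if now - last_event > FRESH_SECONDS:
        return ("WARN", f"{model}: summary exists but has no events in the last 24h")
    covered_days = (now - first_event) / DAY
    if covered_days < SUMMARY_DAYS - 1:
        return ("WARN", f"{model}: summary covers only ~{covered_days:.0f} days; "
                        f"the {SUMMARY_DAYS}-day baseline needs more backfill")
    return ("OK", f"{model}: {count} events over ~{covered_days:.0f} days")


def check_all(responses, now):
    """responses maps model name -> raw export output; a missing model is a FAIL."""
    return {m: assess(m, parse_export(responses.get(m, "")), now) for m in REQUIRED_MODELS}


def run_export(host, username, password, spl, timeout=120):
    """Live query through the REST API with the Step 1 service account (assumed
    endpoint; not exercised offline)."""
    url = f"https://{host}:8089/services/search/jobs/export"
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample output, frozen at NOW so the demo is deterministic.
NOW = 1_700_000_000
SAMPLE_EXPORT = {
    "Authentication": ('{"preview":true,"offset":0,"result":{"count":"17"}}\n'
                       '{"preview":false,"offset":0,"lastrow":true,"result":'
                       f'{{"count":"48213","first_event":"{NOW - 31 * DAY}","last_event":"{NOW - 600}"}}}}\n'),
    "Network_Traffic": ('{"preview":false,"offset":0,"lastrow":true,"result":'
                        f'{{"count":"9001","first_event":"{NOW - 5 * DAY}","last_event":"{NOW - 300}"}}}}\n'),
    "Endpoint": '{"preview":false,"offset":0,"lastrow":true,"result":{"count":"0"}}\n',
    "Web": ('{"preview":false,"offset":0,"lastrow":true,"result":'
            f'{{"count":"120","first_event":"{NOW - 40 * DAY}","last_event":"{NOW - 3 * DAY}"}}}}\n'),
}


def demo():
    return check_all(SAMPLE_EXPORT, NOW)


if __name__ == "__main__":
    host = os.environ.get("SPLUNK_HOST")  # e.g. acme-data.splunkcloud.com
    if host:
        responses = {m: run_export(host, os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASSWORD"],
                                   verification_spl(m)) for m in REQUIRED_MODELS}
        report = check_all(responses, time.time())
    else:
        report = demo()
    for status, message in report.values():
        print(f"[{status}] {message}")
```

Without SPLUNK_HOST set, the script evaluates the constructed sample; OK and FAIL correspond to the success and failure cases above. The WARN for short coverage is the case the -24h query cannot see: acceleration is on and data is fresh, but the summary has not yet backfilled 30 days, so Qevlar's baselines will be thin until it has.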
Step 5: Complete the Integration in Qevlar
Once your Splunk Cloud environment is configured, complete the integration:
- Log in to your Qevlar AI console
- Navigate to Integrations in the left sidebar
- Locate Splunk Cloud and click the + button to add a new data source
- In the configuration dialog, enter:
- Username: The service account username you created in Step 1
- Password: The service account password
- Host: Your Splunk Cloud deployment host from Step 2
- Click Test & Save to validate the connection and begin the initial synchronisation
Step 6: Configure Autonomous Alert Forwarding
Connecting the source allows Qevlar to investigate data, but it needs a signal to start. Instead of modifying every individual alert manually, create a single "Global Forwarder" to send all alerts to Qevlar automatically.
1. Create the Global Search: In the Search & Reporting app, run the following query to detect when other alerts fire (the index name may need to be adapted to your configuration):
index=_audit action=alert info=completed | table _time, savedsearch_name, severity, app, user
2. Save as Alert: Click Save As > Alert and enter the following settings:
- Title: Qevlar Global Forwarder
- Schedule: Run on Cron (enter */5 * * * * to run every 5 minutes)
- Time Range: Last 5 minutes (must match the schedule frequency)
- Trigger Condition: Number of results > 0
3. Configure the Webhook
- Scroll to Trigger Actions, click + Add Actions, and select Webhook.
- URL: Enter your Qevlar API Ingestion URL.
- Click Save.
ℹ️ Important: This configuration ensures Qevlar automatically receives every alert generated in your Splunk environment without requiring you to edit existing alerts one by one.
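To see what the Global Forwarder actually delivers to the ingestion URL, here is an added receiver-side example (not Qevlar's ingestion API and not Splunk's code). It assumes the JSON body that Splunk's webhook alert action POSTs: top-level sid, search_name, app, owner and results_link, plus a result object holding one row of the triggering search. Because the search above tables _time, savedsearch_name, severity, app and user, those are the fields inside result; search_name at the top level is always the forwarder itself, so the originating alert must be read from result. The sample payload is constructed.

```python
"""Parse one Splunk webhook POST from the Global Forwarder and extract the
alert that originally fired. Added example; payload layout per Splunk's
webhook alert action is an assumption to verify against a real delivery."""
import json

# Fields the Global Forwarder search tables, hence what `result` carries.
FORWARDED_FIELDS = ("_time", "savedsearch_name", "severity", "app", "user")


class BadPayload(ValueError):
    """Raised when a body is not a usable Splunk webhook delivery."""


def parse_forwarded_alert(body, seen_sids):
    """Validate one webhook body and return the forwarded alert as a dict.
    Returns None when the same scheduler run (sid) was already delivered, so
    a retried POST does not open a second investigation."""
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        raise BadPayload("body is not JSON")
    if not isinstance(payload, dict) or not isinstance(payload.get("result"), dict):
        raise BadPayload("missing result object")
    sid = payload.get("sid")
    if not sid:
        raise BadPayload("missing sid")
    if sid in seen_sids:
        return None
    seen_sids.add(sid)
    row = payload["result"]
    missing = [f for f in FORWARDED_FIELDS if f not in row]
    if missing:
        raise BadPayload(f"result lacks {missing}; the Global Forwarder search must table them")
    severity = str(row["severity"])
    return {
        "forwarder": payload.get("search_name"),  # always "Qevlar Global Forwarder"
        "alert_name": row["savedsearch_name"],    # the alert that actually fired
        "severity": int(severity) if severity.isdigit() else None,
        "fired_at": row["_time"],
        "source_app": row["app"],
        "fired_by": row["user"],
        "results_link": payload.get("results_link"),
    }


# Constructed sample of one delivery; host reuses the guide's acme-data example.
SAMPLE_SID = "scheduler__admin__search__RMD5example_at_1700000000_12"
SAMPLE_WEBHOOK = json.dumps({
    "sid": SAMPLE_SID,
    "search_name": "Qevlar Global Forwarder",
    "app": "search",
    "owner": "admin",
    "results_link": f"https://acme-data.splunkcloud.com/app/search/@go?sid={SAMPLE_SID}",
    "result": {
        "_time": "2023-11-14T22:13:20.000+00:00",
        "savedsearch_name": "Brute Force - Excessive Failed Logins",
        "severity": "4",
        "app": "SplunkEnterpriseSecuritySearch",
        "user": "admin",
    },
}).encode()


def demo():
    """Deliver the sample twice: first parses, second is deduplicated."""
    seen = set()
    return parse_forwarded_alert(SAMPLE_WEBHOOK, seen), parse_forwarded_alert(SAMPLE_WEBHOOK, seen)


if __name__ == "__main__":
    first, second = demo()
    print(first)
    print("duplicate suppressed:", second is None)
```

One design point worth checking in your own setup: result holds a single row, so if the alert is set to trigger once per scheduled run rather than once per result, a 5-minute window in which several alerts fired is delivered as one payload naming only the first. Confirm the trigger mode with your Qevlar representative when you schedule the integration appointment.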
Infrastructure Impact
Understanding the impact of this integration on your Splunk environment:
Storage Impact
Data model acceleration creates .tsidx summary files. Expect a marginal storage increase of approximately 5-10% of the ingested volume for the accelerated period (30 days).
Search Head Impact
Positive impact: By querying accelerated summaries using tstats, Qevlar investigations consume significantly less CPU and memory compared to traditional raw log searches. This means Qevlar can perform comprehensive investigations with minimal performance impact on your production search heads.
Troubleshooting
Common Issues and Solutions
Issue: Data model verification query returns 0 results
Solution: This indicates the data model is either not accelerated or your data is not properly mapped to the CIM. Check:
- Data model acceleration is enabled in Settings > Data models
- Relevant Technology Add-ons (TAs) are installed and configured
- Your data sources are correctly tagged for CIM compliance
Issue: Using non-standard index names
Solution: Qevlar is agnostic to your index naming convention. As long as your custom indexes are properly mapped to CIM data models through tags and aliases, Qevlar will access them without any issues.
Support and Resources
If you encounter issues during the Splunk Cloud integration:
- Contact Qevlar Support: support@qevlar.ai
- Review Splunk CIM Documentation: Available in your Splunk instance or at docs.splunk.com
- Check Data Model Acceleration: Settings > Data models in your Splunk Cloud console
Frequently Asked Questions
Q: Why does Qevlar need 30 days of accelerated data?
A: To detect anomalies like data exfiltration or unusual user behavior, Qevlar's AI calculates statistical baselines using standard deviation analysis. A 30-day historical window provides sufficient data to distinguish genuine security threats from normal variations in your environment, significantly reducing false positives.
Q: Will Qevlar's queries impact my production Splunk environment?
A: No. By using accelerated data models and the tstats command, Qevlar's queries are 100-1000x faster than traditional searches and consume significantly less CPU and memory. This design ensures minimal impact on your search heads, even during active investigations.
Q: What if we use non-standard index names?
A: Index naming doesn't matter to Qevlar. As long as your indexes are correctly mapped to CIM data models through tags and aliases (handled by your Technology Add-ons), Qevlar will access the data regardless of your naming convention.
Q: Do we need to enable all eight data models?
A: For optimal investigation capabilities, we recommend enabling all eight data models. However, Qevlar can work with a subset based on your available data sources. The more data models you enable, the more comprehensive and accurate Qevlar's autonomous investigations will be. Discuss your specific environment with your Qevlar representative to determine the minimum viable configuration.
For additional assistance, please contact your Qevlar representative or email support@qevlar.ai