Skip to main content

Setting Up Qevlar AI with Splunk Cloud

Updated

Setting Up Qevlar AI with Splunk Cloud

This guide will help you integrate Qevlar AI with your Splunk Cloud environment. The integration enables Qevlar's autonomous security analysts to investigate incidents using your Splunk data with optimal performance and minimal impact on your infrastructure.

⚠️ IMPORTANT

To complete this integration, you will need to schedule an appointment with our team. Please contact your Qevlar representative or reach out to support@qevlar.ai to arrange this.

Overview

How Qevlar Queries Splunk

Qevlar uses accelerated data models and the tstats command instead of traditional raw log searches. This approach provides:

  • 100x-1000x faster query performance
  • Significantly reduced CPU load on your search heads
  • Minimal impact on production systems during investigations

Critical requirement: Qevlar uses the summariesonly=true flag, which means data models must be properly accelerated. If a data model is present but not accelerated, Qevlar will receive zero results.

Prerequisites

Before integrating Qevlar with Splunk Cloud, ensure you have:

  1. Administrative access to your Splunk Cloud instance
  2. The Splunk Common Information Model (CIM) add-on installed
  3. Technology Add-ons (TAs) properly configured to map your data sources to CIM models

Technology Add-ons are pre-built integrations that normalize data from specific vendors/products to work with the CIM. You'll need TAs for each data source you're ingesting. Common examples include:

  • Splunk Add-on for Microsoft Windows - for Windows event logs
  • Splunk Add-on for Microsoft Sysmon - for Sysmon data
  • Splunk Add-on for Palo Alto Networks - for firewall logs
  • Splunk Add-on for CrowdStrike - for EDR data
  • Splunk Add-on for Microsoft Office 365 - for O365 logs
  • Splunk Add-on for Cisco ASA - for Cisco firewall logs

Find TAs for your specific data sources on Splunkbase. Search for "[vendor name] TA" or "[product name] add-on" and ensure they specify CIM compliance.

  1. Permissions to create user accounts and configure data model acceleration

Setup Steps

Step 1: Create a Qevlar User Account

Create a dedicated service account for Qevlar to access your Splunk Cloud instance:

  1. Navigate to Settings > Users in your Splunk Cloud console
  2. Click New User
  3. Enter the following details:
    • Name: Choose a username (e.g., qevlar_service)
    • Full Name: Qevlar AI Service Account
    • Email Address: Your internal tracking email
    • Password: Create a strong password
    • Time Zone: (Optional) Set to your organisation's primary timezone
    • Default App: Search (recommended)
  4. Assign appropriate roles (minimum: can_search, power user recommended)
  5. Click Save

ℹ️Important: Store the username and password securely. You will need these credentials during the integration setup with Qevlar.

 

Step 2: Identify Your Splunk Cloud Host

The host is the unique domain name of your Splunk Cloud deployment, following this pattern:

<deployment-name>.splunkcloud.com

To find your host:

  1. Log in to your Splunk Cloud console
  2. Look at the URL in your browser's address bar
  3. The deployment name is the portion before .splunkcloud.com

Example: If your URL is https://acme-data.splunkcloud.com, your host is acme-data.splunkcloud.com

Step 3: Configure Required Data Models

Qevlar requires specific CIM data models to be enabled and accelerated to perform autonomous investigations effectively.

Required Data Models

The following data models must be enabled and accelerated with a summary range of at least 30 days:

Data Model Purpose
Authentication Baseline user behaviour, detect brute force attacks and impossible travel patterns
Network_Traffic Detect C2 callbacks, port scanning, and data exfiltration
Endpoint Analyse process lineage, file modifications, and registry changes
Web Investigate proxy logs, malicious domains, and suspicious user agents
Email Trace phishing attempts and analyse sender reputation and attachment hashes
Change Detect unauthorised account creation, log clearing, and system modifications
Intrusion_Detection Correlate IDS/IPS signatures with endpoint activity
Threat_Intelligence Validate hashes and IPs against known threat feeds

Acceleration Configuration

Recommended acceleration settings:

  • Summary Range: Last 30 days (minimum)
  • Summary Indexing Schedule: Every 5 minutes (default)

Why 30 days? To detect anomalies such as data exfiltration or lateral movement, Qevlar's AI calculates statistical baselines. A 30-day window provides sufficient historical data to distinguish genuine anomalies from false positives.

Step 4: Verify Data Model Configuration

Before connecting Qevlar, verify that each required data model is properly accelerated and receiving data:

Test query template:

| tstats summariesonly=t count from datamodel=<DataModelName> where earliest=-24h

Example for Authentication:

| tstats summariesonly=t count from datamodel=Authentication where earliest=-24h

Success: Query returns a count greater than 0

Failure: Query returns 0 or an error - acceleration is missing or data is not properly mapped to the CIM model

Step 5: Complete the Integration in Qevlar

Once your Splunk Cloud environment is configured, complete the integration:

  1. Log in to your Qevlar AI console
  2. Navigate to Integrations in the left sidebar
  3. Locate Splunk Cloud and click the + button to add a new data source
  4. In the configuration dialog, enter:
    • Username: The service account username you created in Step 1
    • Password: The service account password
    • Host: Your Splunk Cloud deployment host from Step 2
  5. Click Test & Save to validate the connection and begin the initial synchronisation

Step 6: Configure Autonomous Alert Forwarding

Connecting the source allows Qevlar to investigate data, but it needs a signal to start. Instead of modifying every individual alert manually, create a single "Global Forwarder" to send all alerts to Qevlar automatically.

1. Create the Global Search In the Search & Reporting app, run the following query to detect when other alerts fire (index name might be to adapt to your configuration):

index=_audit action=alert info=completed 
| table _time, savedsearch_name, severity, app, user

2. Save as Alert Click Save As > Alert and enter the following settings:

  • Title: Qevlar Global Forwarder
  • Schedule: Run on Cron (enter */5 * * * * to run every 5 minutes)
  • Time Range: Last 5 minutes (must match the schedule frequency)
  • Trigger Condition: Number of results > 0

3. Configure the Webhook

  • Scroll to Trigger Actions, click + Add Actions, and select Webhook.
  • URL: Enter your Qevlar API Ingestion URL.
  • Click Save.

ℹ️Important: This configuration ensures Qevlar automatically receives every alert generated in your Splunk environment without requiring you to edit existing alerts one by one.

 

Infrastructure Impact

Understanding the impact of this integration on your Splunk environment:

Storage Impact

Data model acceleration creates .tsidx summary files. Expect a marginal storage increase of approximately 5-10% of the ingested volume for the accelerated period (30 days).

Search Head Impact

Positive impact: By querying accelerated summaries using tstats, Qevlar investigations consume significantly less CPU and memory compared to traditional raw log searches. This means Qevlar can perform comprehensive investigations with minimal performance impact on your production search heads.

Troubleshooting

Common Issues and Solutions

Issue: Data model verification query returns 0 results

Solution: This indicates the data model is either not accelerated or your data is not properly mapped to the CIM. Check:

  • Data model acceleration is enabled in Settings > Data models
  • Relevant Technology Add-ons (TAs) are installed and configured
  • Your data sources are correctly tagged for CIM compliance

Issue: Using non-standard index names

Solution: Qevlar is agnostic to your index naming convention. As long as your custom indexes are properly mapped to CIM data models through tags and aliases, Qevlar will access them without any issues.

Support and Resources

If you encounter issues during the Splunk Cloud integration:

  • Contact Qevlar Support: support@qevlar.ai
  • Review Splunk CIM Documentation: Available in your Splunk instance or at docs.splunk.com
  • Check Data Model Acceleration: Settings > Data models in your Splunk Cloud console

Frequently Asked Questions

Q: Why does Qevlar need 30 days of accelerated data?

A: To detect anomalies like data exfiltration or unusual user behavior, Qevlar's AI calculates statistical baselines using standard deviation analysis. A 30-day historical window provides sufficient data to distinguish genuine security threats from normal variations in your environment, significantly reducing false positives.

Q: Will Qevlar's queries impact my production Splunk environment?

A: No. By using accelerated data models and the tstats command, Qevlar's queries are 100-1000x faster than traditional searches and consume significantly less CPU and memory. This design ensures minimal impact on your search heads, even during active investigations.

Q: What if we use non-standard index names?

A: Index naming doesn't matter to Qevlar. As long as your indexes are correctly mapped to CIM data models through tags and aliases (handled by your Technology Add-ons), Qevlar will access the data regardless of your naming convention.

Q: Do we need to enable all eight data models?

A: For optimal investigation capabilities, we recommend enabling all eight data models. However, Qevlar can work with a subset based on your available data sources. The more data models you enable, the more comprehensive and accurate Qevlar's autonomous investigations will be. Discuss your specific environment with your Qevlar representative to determine the minimum viable configuration.

For additional assistance, please contact your Qevlar representative or email support@qevlar.ai

Related articles