icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading CloudPassage App for Splunk Enterprise
SHA256 checksum (cloudpassage-app-for-splunk-enterprise_350.tgz) c573b557f2bc2423d62ed8826aabf4a59e8da459ca5e0cf1cb7e2050c06b29bd SHA256 checksum (cloudpassage-app-for-splunk-enterprise_331.tgz) 9a66fc681b4f20829a4fda8ce429ea8aa5bb5f81b98602b8034bf62d8118c6bc SHA256 checksum (cloudpassage-app-for-splunk-enterprise_320.tgz) 90f33766eee8a5b9adc506edb127d5d3f316c39a2a356ee82922b5d463ca992f SHA256 checksum (cloudpassage-app-for-splunk-enterprise_31.tgz) 81e2f9de8c4f1282de7c311839ef712c8f7c7abd59f9bdf1415a5ef03fca525b SHA256 checksum (cloudpassage-app-for-splunk-enterprise_30.tgz) 670b39e097a2059f4b056460f33fe70e119a27ebf40a4525007839d12b2b0704 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_21.tgz) cd4137ed6c212a2b51a14cdb139be35a5b987ea18e3d918352abc3c7eb991cc1 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_20.tgz) 9b2f7eeaec1117c92e1ce363038cf70d52b4439be6c9efeb535c42f5d5d68dc9 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_19.tgz) 38987d7d8207452b9e793b4161c42c9df1f86a9ab258555a60ec8ff0881354fd SHA256 checksum (cloudpassage-app-for-splunk-enterprise_18.tgz) 70194d36f0464ed66e7aff8f6f392c5c8ce76665bcf30738fad7ba67d99e0e8a SHA256 checksum (cloudpassage-app-for-splunk-enterprise_17.tgz) 0c77434f87fb5ff1c747919d4c828db26ee4d4ac6f37a0f4905985e99b507cb5 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_16.tgz) 6f10a159a419809ef02905bf7f229278b19af558fc1c0d3a3f726de5d0c49ce7 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_15.tgz) 37fd6fd2a09a3bf25737620ddccaf9854248d255e219ac8d1a2f0e90cf33e5f6 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_14.tgz) 7a1e52368ed5a5bbc99599935096cc150b9f1367d0842a34d8e5c33ef830e9c8 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_13.tgz) 7b667a47432b2c10c92cd5ca2ccb8fa5a7bf63672cd46ec16bda7ae88b8fbbe6 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_12.tgz) 572dc7058250101d6ada54a0a2e9853f8c0edd44e9dd2fe9cb8a76ccc2f07da4 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_11.tgz) 3113a4a098edcdc3baf88f5bcbba865bb92b859801360abc0f4263c49e4a7bc2 SHA256 checksum (cloudpassage-app-for-splunk-enterprise_10.tgz) a8a283da226f83990c9e324f944e2f18ee92bc448c30317aafae128112ab4df9
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


CloudPassage App for Splunk Enterprise

This app is NOT supported by Splunk. Please read about what that means for you here.
The CloudPassage App for Splunk Enterprise is a solution to help detect security violations and look for threats across your complex cloud infrastructure, through analysis of massive volumes of Halo event data.

CloudPassage’s Halo platform records over eighty different types of security events about your Halo-managed infrastructure, whether you deploy into public cloud environments or your private data center. These events deliver information about your infrastructure and include critical security alerts for firewall changes, access changes, configuration changes, and file integrity changes, and more.

The CloudPassage App for Splunk Enterprise leverages the security visibility provided by CloudPassage's Halo platform with Splunk's correlation and visualization capabilities to deliver a security reporting and analysis tool. This app enables security operators and administrators to correlate security events across their Halo-managed infrastructure.

CloudPassage App for Splunk Enterprise

Getting Started With the CloudPassage App

This document describes the CloudPassage App for Splunk Enterprise and explains how to set up, configure, and get started using the App.

How the CloudPassage App Works

The purpose of the CloudPassage App for Splunk Enterprise is to import Halo event data into Splunk Enterprise and allow it to be manipulated by Splunk users and displayed on Halo-specific pages within Splunk Enterprise. The App includes several Halo specific event display screens for reporting event results and summaries.

For event import, the App uses the script-based Modular Input tool. The Modular Input script retrieves event data from a CloudPassage Halo account and imports it into Splunk Enterprise for further processing.

Retrieving events. The script is designed to execute repeatedly, keeping Splunk up-to-date with Halo events as time passes and new events occur:
The first time the script runs, it by default retrieves all logged events within the past 90 days from a single Halo account. Then the script creates a file, writes the timestamp of the last-retrieved event in it, and saves it as a checkpoint. You may find the checkpoint file in /Splunk/var/lib/splunk/modinputs.
Every subsequent time the script runs, it retrieves only those events that were created after the timestamp stored in the checkpoint.
During any script run, if no new events have occurred since the last run, no events are retrieved or imported into Splunk.

Output formats. The script receives event data from Halo in Halo's native JavaScript Object Notation (JSON) format, which you can view in Splunk after the data has been imported.

Authentication to the Halo API. CloudPassage Halo requires the Modular Input script to pass a valid Halo API key pair in order to obtain event data. You can find the Halo API key pair in CloudPassage Halo Portal. We recommend using an auditor (read-only) API key pair with the necessary server group scope.


To get started, you must have the following:

  • An active CloudPassage Halo subscription. If you don't have one, Register for CloudPassage to receive your credentials and further instructions by email.

  • Access to your CloudPassage API key. Best practice is to create a new read-only key specifically for use with this script.

  • Splunk Enterprise Server 7.0 or later. You can download Splunk Enterprise Server from here.

A. Install the CloudPassage App

You can obtain the CloudPassage app through Splunkbase.

Get the App from Splunk Apps

To install the CloudPassage App for Splunk Enterprise, first log into Splunk Enterprise. After you have successfully logged in, click on the gear icon next to Apps on the top left of your screen then click on Browse more apps, this will take you to the Splunk Apps page.

On the Splunk Apps page, search for “CloudPassage” to find the “CloudPassage App for Splunk Enterprise”. Click Install to install the app.

Verify the Installation

Regardless of how you install the CloudPassage App, once you are successful it appears in the Splunk Enterprise dashboard, like this:

Create cloudpassage Index

All events will be written to an index named "cloudpassage". Make sure to create the index via the Splunk GUI before activating the CloudPassage App.

For Splunk Cloud:

For Splunk Enterprise:

The index name must be "cloudpassage", all other parameters is up to the user to decide.

B. Configure and Activate the CloudPassage App

After installing the CloudPassage App, configure it by obtaining required Halo information, specifying the Modular Input configuration settings in a configuration file, and entering additional data input settings within Splunk Enterprise. Once you have done that, execution of the App is automatic.

Retrieve and save your CloudPassage API key

The Modular Input is a python script that makes calls to the CloudPassage API. The script is required to authenticate itself to Halo during every session; therefore, you (as a Halo user) need to make your CloudPassage API Key available to the script.

  1. To retrieve your CloudPassage API key, log into the CloudPassage Portal and navigate to Environment > Settings > Site Administration and click the API Keys tab. (If you haven’t generated an API key yet, do so by clicking Actions > New Api Key.)

If you do create an API key, we recommend that, as a best practice, you create a read-only key. A read-only key is all that you need to be able to retrieve Halo event data.

  1. Retrieve both the Key ID and the Secret Key values for the API key. Click Show for your key on the API Keys tab to display both values.

Configure the App in Splunk

Now integrate your installed CloudPassage App into Splunk Enterprise.

Log into your Splunk Enterprise installation. Choose Data Inputs from the Settings menu.

Click on CloudPassage Splunk Connector dialog box opens.

You add new types of data to Splunk Enterprise by telling it about them. There are a number of ways you can specify a data input, either in terms of its type or by its source. The Modular Input script is a source that collects data for Splunk by connecting to the CloudPassage Grid and using the Halo Event API. That is the source type that you will select.
Click on the Add new dialog box opens:

Fill in these fields:

  • Name: Enter a display name for your App, such as "CloudPassage Halo". This name appears on the App's data input summary page.
  • CloudPassage Halo API Key: Copy your saved Halo API key ID and paste it into this field.
  • CloudPassage Halo API Secret: Copy your saved Halo API key secret and paste it into this field.
  • Starting Date/Time: Optionally enter the starting date-time of events to be retrieved from your Halo account. Use ISO-8601 format; for example 2013-09-19T17:34:28.808886Z. All events newer than this date-time will be retrieved the first time the script runs; on each subsequent run, only events newer than the newest previously retrieved event will be retrieved.Putting a value in this field is optional; if you leave it blank, the first execution of the script will retrieve all defined events from your Halo account within 90 days prior.
    Please Note:
    • If checkpoint exists, it will take precedence. You can find the checkpoint in /Splunk/var/lib/splunk/modinputs.
    • CloudPassage Halo has a 90 days data retention period.
  • API Hostname: By default this is set to api.cloudpassage.com. If your CloudPassage API hostname is different from the default setting, please specify here.
  • Proxy Host: Copy your proxy host ip address and paste it into this feild. (Optional)
  • Proxy Port: Copy your proxy port and paste it into this field. (Optional)
  • Set sourcetype. Choose "Manual".
  • Select source type from list. Select the source type value that you specified in the Splunk props.conf file (for example, [cp_halo]; see Set up props.conf).

Click Save.

When it has finished adding the new data source, Splunk displays a success message:
You're done! The Modular Input script is now running, automatically providing events to Splunk for indexing.

C. View Halo Events in Splunk

The CloudPassage App provides several interactive pages that allow you to view and manipulate your Halo data from many different perspectives. Once the script runs successfully and is incorporating event data into Splunk, you will see Halo events such as the following appear in your CloudPassage App within Splunk Enterprise.You're done! The Modular Input script is now running, automatically providing events to Splunk for indexing.

The Halo Dashboard page:


The Violation Dashboard page:


Release Notes

Version 3.5.0
May 16, 2018

CS-537: add per_page as modular input, default=100, max=500
CS-538: fix Not supported proxy scheme None

Version 3.3.1
Feb. 21, 2018
Version 3.2.0
Jan. 23, 2018
Version 3.1
Jan. 22, 2018
Version 3.0
Jan. 19, 2018
Version 2.1
May 12, 2017

Read api hostname from data input

Version 2.0
May 11, 2017

Fixed issue where latest event duplicates on interval runs.

Version 1.9
May 1, 2017

Added SDK retry logic into App.
Delayed retry up to 5 times if grid returns a 500 on Api request.

Version 1.8
Jan. 31, 2017

Able to retrieve all events from 90 days ago.
Does not have 5000 event daily limit count.

Version 1.7
April 17, 2015

The CloudPassage App for Splunk is now proxy-aware. If you connect outbound via a proxy server in your environment, you can now specify the IP address or FQDN of the proxy server for Splunk to connect to.

Version 1.6
Feb. 22, 2015

The CloudPassage Halo Secret key input field is now asterisked and not in clear text.

Version 1.5
Dec. 9, 2014

Minor bug fixes.

Version 1.4
April 18, 2014

Fixed issue while trying to regenerate authentication token.

Version 1.3
Jan. 7, 2014

Fixed issue where the Halo Event Search dashboard was not displaying drill-downs correctly for all event types.

Version 1.2
Jan. 7, 2014

Fixed an issue where Halo Event Search was not displaying events correctly on drill-down.

Version 1.1
Dec. 31, 2013
Version 1.0
Nov. 7, 2013

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.