Coming Soon

Splunk integration

SIEM & Monitoring

Splunk is where many security and ops teams already aggregate their logs, metrics, and events — so it is the natural place to correlate external exposure with everything else happening across your environment. The FortWatch Splunk integration (currently in development) will stream every finding from your continuous external scans into Splunk as structured events, so an exposed database, a public storage bucket, or an expiring certificate becomes searchable, alertable data alongside your existing telemetry — not another dashboard to check separately.

Example alert as it would appear in Splunk (FortWatch → Splunk, Critical, just now):

Exposed Redis on 203.0.113.10:6379

Unauthenticated database reachable from the internet.

View finding & step-by-step fix →

Delivered in < 1 minute
How it works

Splunk + FortWatch

FortWatch will ship findings into Splunk over the HTTP Event Collector (HEC) — a token-authenticated REST endpoint that works the same way on Splunk Enterprise, Splunk Cloud Platform, and self-hosted instances. Each finding is sent as a structured JSON event with a dedicated sourcetype (for example `fortwatch:finding`) and routed to an index you specify, so Splunk parses the fields automatically: severity, scanner, affected asset, port or service, the underlying evidence, FortWatch's AI triage summary, and a link back to the full finding. Because the data lands as normalized events, you can search it with SPL, build saved searches and dashboards, and wire it into Splunk alerting and correlation searches (including Enterprise Security) right alongside your other sources. New detections, severity changes, and auto-resolutions are emitted as their own events so your index reflects the current state of your attack surface over time.
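To make the event shape above concrete, here is an added example (written for this page, not FortWatch's shipping client) that wraps a finding in the HEC envelope, emits the follow-up event for a status change, and serializes a batch the way the `/services/collector/event` endpoint accepts it. The sample finding, the severity ladder, the list of required fields and the `updated_at` field name are assumptions; the `time`/`source`/`sourcetype`/`index`/`event` envelope keys are HEC's own.

```python
import json
from datetime import datetime, timezone

# Constructed sample finding. Field names follow the finding shape the page describes
# (severity, scanner, asset, port/service, summary, status, link); the values are made up.
SAMPLE_FINDING = {
    "finding_id": "fw-9c2a17",
    "severity": "critical",
    "scanner": "nmap",
    "title": "Unauthenticated Redis exposed to the internet",
    "asset": "cache-prod-1",
    "ip": "203.0.113.10",
    "port": 6379,
    "service": "redis",
    "summary": "Redis is reachable from the public internet with no authentication.",
    "detected_at": "2026-06-07T08:00:00Z",
    "status": "open",
    "url": "https://app.fortwatch.ai/findings/fw-9c2a17",
}

# Assumed severity ladder and required-field list; the page does not state the full set.
SEVERITIES = ("info", "low", "medium", "high", "critical")
REQUIRED_FIELDS = ("finding_id", "severity", "scanner", "title", "asset", "status", "detected_at")


def iso_to_epoch(ts: str) -> int:
    """Turn an ISO-8601 UTC timestamp (2026-06-07T08:00:00Z) into epoch seconds for HEC's time field."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_hec_event(finding: dict, index: str = "security",
                    sourcetype: str = "fortwatch:finding") -> dict:
    """Wrap one finding in the envelope HEC's /services/collector/event endpoint expects.

    HEC metadata (time, source, sourcetype, index) lives at the top level; the finding
    goes under "event", so Splunk extracts finding_id, severity, port, ... as fields.
    Validation happens here so a malformed finding is rejected before it reaches Splunk.
    """
    missing = [k for k in REQUIRED_FIELDS if k not in finding]
    if missing:
        raise ValueError(f"finding is missing required fields: {missing}")
    if finding["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {finding['severity']!r}")
    # Index the event at detection time (or last update), not at delivery time, so
    # Splunk's timeline matches when the exposure actually appeared or changed.
    when = finding.get("updated_at") or finding["detected_at"]
    return {
        "time": iso_to_epoch(when),
        "source": "fortwatch",
        "sourcetype": sourcetype,
        "index": index,
        "event": finding,
    }


def status_update(finding: dict, new_status: str, changed_at: str) -> dict:
    """Build the follow-up event for a severity change or auto-resolution.

    Same finding_id, new status, plus an updated_at field (an assumed name) so a
    search can reduce the stream to the latest state per finding.
    """
    return dict(finding, status=new_status, updated_at=changed_at)


def encode_batch(events: list[dict]) -> bytes:
    """Serialize several HEC events for one POST: HEC accepts concatenated JSON objects
    in the request body, so no array wrapper or newline separator is needed."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events).encode("utf-8")


def decode_batch(body: bytes) -> list[dict]:
    """Parse a concatenated-JSON body back into events (handy for inspecting what was sent)."""
    decoder = json.JSONDecoder()
    text, pos, out = body.decode("utf-8"), 0, []
    while pos < len(text):
        obj, pos = decoder.raw_decode(text, pos)
        out.append(obj)
    return out
```

Stamping `time` from `detected_at` rather than from the moment of delivery matters for the "current state over time" use the section describes: a resolution event carries its own timestamp, so `stats latest(status) by finding_id` in SPL returns the right answer even when events arrive out of order.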

01

FortWatch scans

Eleven scanners watch your external attack surface around the clock — ports, certs, DNS, cloud buckets, exposed files and more.

02

AI triages the finding

Each issue is scored by real-world impact and packaged with the affected asset and a one-line explanation of the risk.

03

Delivered to Splunk

The finding lands in Splunk, routed by severity — so the right people see the right alert, fast.

Capabilities

What you'll be able to do

Everything the Splunk integration will bring to your security workflow.

Centralize external exposure

Index every FortWatch finding in Splunk so open ports, exposed databases, cloud buckets, and DNS gaps live next to your other security telemetry.

Correlation searches

Join FortWatch events with firewall, WAF, or auth logs to confirm whether an exposed service is actually being probed or hit from the internet.

Severity-driven alerting

Trigger Splunk alerts or notable events when a new critical finding (such as an unauthenticated Redis or a public S3 bucket) lands in your index.

Splunk Enterprise Security

Feed external attack-surface findings into ES as a data source for risk-based alerting and posture dashboards.

Trend dashboards

Chart exposure counts by severity, scanner, and asset over time using SPL to show your attack surface shrinking (or growing).

Compliance and audit evidence

Retain a timestamped, searchable record of when each exposure was detected and resolved for SOC 2, ISO 27001, or internal review.
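The correlation, severity-alerting and trend items above all reduce to the same few operations on the indexed events. The following added example (not FortWatch's or Splunk's code) runs them in Python over constructed data: it collapses a stream of finding events to the latest state per `finding_id`, joins open findings against generic key=value firewall accept logs to see which exposures are actually being hit, picks the ones that merit an alert, and counts open exposures by severity. The event fields, the `updated_at` name, the severity ladder and the firewall line format are assumptions made for the example.

```python
from collections import Counter

# Assumed severity ladder (the page names critical and medium, not the full set).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed FortWatch events as they would sit in the index: an open critical Redis
# exposure, and a medium HTTPS finding that was later auto-resolved. "updated_at" is an
# assumed field name carried by the follow-up event.
FINDING_EVENTS = [
    {"finding_id": "fw-9c2a17", "severity": "critical", "asset": "cache-prod-1",
     "ip": "203.0.113.10", "port": 6379, "service": "redis", "status": "open",
     "detected_at": "2026-06-07T08:00:00Z"},
    {"finding_id": "fw-31b0de", "severity": "medium", "asset": "web-staging-2",
     "ip": "203.0.113.22", "port": 8443, "service": "https", "status": "open",
     "detected_at": "2026-06-07T08:00:00Z"},
    {"finding_id": "fw-31b0de", "severity": "medium", "asset": "web-staging-2",
     "ip": "203.0.113.22", "port": 8443, "service": "https", "status": "resolved",
     "detected_at": "2026-06-07T08:00:00Z", "updated_at": "2026-06-07T09:30:00Z"},
]

# Constructed perimeter firewall lines in a generic key=value layout (not a vendor format).
FIREWALL_LOG = """\
2026-06-07T08:12:41Z action=accept src=198.51.100.7 dst=203.0.113.10 dport=6379 proto=tcp
2026-06-07T08:13:02Z action=accept src=198.51.100.7 dst=203.0.113.10 dport=6379 proto=tcp
2026-06-07T08:14:19Z action=accept src=192.0.2.55 dst=203.0.113.10 dport=6379 proto=tcp
2026-06-07T08:20:00Z action=accept src=192.0.2.9 dst=203.0.113.22 dport=443 proto=tcp
2026-06-07T08:21:05Z action=drop src=192.0.2.9 dst=203.0.113.22 dport=8443 proto=tcp
"""


def event_time(e: dict) -> str:
    """ISO-8601 Z timestamps sort correctly as strings, so the latest event wins by comparison."""
    return e.get("updated_at") or e["detected_at"]


def current_state(events: list[dict]) -> dict[str, dict]:
    """Reduce the event stream to the latest event per finding_id (SPL: stats latest(...) by finding_id)."""
    latest: dict[str, dict] = {}
    for e in events:
        fid = e["finding_id"]
        if fid not in latest or event_time(e) > event_time(latest[fid]):
            latest[fid] = e
    return latest


def parse_firewall_log(text: str) -> list[dict]:
    """Parse 'ts key=value ...' lines; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        rec = {"ts": parts[0]}
        for kv in parts[1:]:
            if "=" in kv:
                k, v = kv.split("=", 1)
                rec[k] = v
        records.append(rec)
    return records


def correlate(state: dict[str, dict], fw: list[dict]) -> dict[str, dict]:
    """For each still-open finding, count accepted inbound connections to its ip:port
    and list the distinct sources, the Python equivalent of joining the two sourcetypes."""
    result = {}
    for fid, f in state.items():
        if f["status"] != "open":
            continue
        hits = [r for r in fw
                if r.get("action") == "accept" and r.get("dst") == f["ip"]
                and r.get("dport") == str(f["port"])]
        result[fid] = {"hits": len(hits), "sources": sorted({r["src"] for r in hits})}
    return result


def severity_alerts(state: dict[str, dict], corr: dict[str, dict],
                    min_severity: str = "high") -> list[dict]:
    """Findings that merit an alert or notable: open, at or above the threshold,
    with any observed probe sources attached as evidence."""
    floor = SEVERITY_RANK[min_severity]
    return [{"finding_id": fid, "severity": f["severity"], "asset": f["asset"],
             "probed_by": corr.get(fid, {}).get("sources", [])}
            for fid, f in state.items()
            if f["status"] == "open" and SEVERITY_RANK[f["severity"]] >= floor]


def exposure_counts(state: dict[str, dict]) -> dict[str, int]:
    """Open exposures by severity: one data point for a trend dashboard."""
    return dict(Counter(f["severity"] for f in state.values() if f["status"] == "open"))
```

With the constructed data the Redis exposure shows three accepted connections from two distinct sources, while the HTTPS finding drops out of both the alert list and the open-exposure count because its latest event is the resolution. Dropped packets and connections to other ports are deliberately ignored, which is the same filtering you would put in the SPL join.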

In practice

What an alert looks like

Every finding arrives formatted for Splunk — severity up front, the affected asset, and a one-line explanation of why it matters, with a link straight to the step-by-step fix.

  • Severity-tagged and color-coded
  • The exact asset and port affected
  • One click to the full finding & remediation
Example event (Splunk):

```json
{
  "time": 1717718400,
  "source": "fortwatch",
  "sourcetype": "fortwatch:finding",
  "index": "security",
  "event": {
    "finding_id": "fw-9c2a17",
    "severity": "critical",
    "scanner": "nmap",
    "title": "Unauthenticated Redis exposed to the internet",
    "asset": "cache-prod-1",
    "ip": "203.0.113.10",
    "port": 6379,
    "service": "redis",
    "summary": "Redis is reachable from the public internet with no authentication. Anyone can read, modify, or wipe the dataset and may achieve remote code execution on the host.",
    "detected_at": "2026-06-07T08:00:00Z",
    "status": "open",
    "url": "https://app.fortwatch.ai/findings/fw-9c2a17"
  }
}
```
Setup

Set it up in minutes, once it lands

No agents, no infrastructure changes — just connect Splunk and choose where alerts go.

01

When it launches, open Settings -> Integrations in FortWatch and choose Splunk.

02

In Splunk, enable the HTTP Event Collector and create a new HEC token (for example a `fortwatch` token) pointed at the index you want findings to land in.

03

Paste your Splunk HEC URL and token into FortWatch, then set the sourcetype (defaults to `fortwatch:finding`) and the index findings should land in.

04

Send a test event to confirm it lands in Splunk and that the JSON fields are parsed as expected.

05

Choose which severities to forward, then turn it on and build saved searches, dashboards, or alerts on the incoming events.

Why route FortWatch into Splunk?

An external exposure is most dangerous in the window between when it appears and when someone notices. Streaming FortWatch findings into Splunk puts that signal where your team already runs searches, builds alerts, and investigates incidents — so an exposed service shows up in the same place as the logs that prove whether it is being attacked. It turns external attack-surface data from a siloed dashboard into a first-class, correlatable source in the system of record you already trust.

FAQ

Frequently asked questions

Is the Splunk integration available now?

Not yet — it is in active development. Add your email on this page and we will notify you the moment it ships.

Will it work with Splunk Cloud as well as self-hosted Splunk?

Yes. The integration uses the HTTP Event Collector, which is supported on Splunk Cloud Platform, Splunk Enterprise, and self-managed deployments. You just supply your HEC URL and token.

How will the data be structured in Splunk?

Each finding arrives as a JSON event under a dedicated sourcetype with normalized fields — severity, scanner, asset, port/service, AI triage summary, and a link back to FortWatch — so you can search, alert, and dashboard on it directly with SPL.

Want the Splunk integration when it ships?

We'll email you the moment it goes live — no spam, just the launch.

Ready to secure your stack?

Secure your entire stack today

Start scanning in under 5 minutes. No credit card required. 14-day free trial included.