Configure the App
- From the Splunk web console homepage, navigate to the Lookout application by clicking Lookout Mobile Threat Defense for Splunk in the left-hand navigation panel.
- Splunk notifies that the app is not configured. Click Continue to app setup page.
- Complete setup by entering the following information.

| Field Name | Value or Description |
| --- | --- |
| Mobile Risk API Endpoint | https://api.lookout.com |
| Proxy Endpoint (Optional) | Address of an HTTP or HTTPS proxy server if Splunk is configured behind a proxy server. |
| Proxy Username | Proxy server administrator username |
| Proxy Password | Proxy server administrator password |
| Enterprise name | Company name used to tag events. |
| API Key | API Key to access Lookout services, generated from Lookout’s MES Console. IMPORTANT: After pasting the key into the App configuration field, delete the text file to prevent it from being stolen. The plugin will not display the API key again after you submit the configuration. |
| Starting Stream Position | Lookout Mobile Risk API stream position to start event retrieval. The default is ‘now’, which retrieves events starting from when you submit this configuration. To set a different stream position, enter a positive integer. |
| Add Connection (Optional) | Clicking the Add Connection button allows for adding additional API keys to pull Lookout events from multiple enterprises. |

- Click Submit at the bottom of the page.
Once submitted, the plugin begins forwarding MRA events to Splunk in batches of 100 events every 30 seconds. (Splunk Enterprise customers can change the 30-second interval; see Configure the Data Input Script (Splunk Enterprise Only) for details.)