Requirements
Administrator permissions for Splunk
SSL/TLS certificate for the Splunk server, issued by a certificate authority that the Threat Events Stream trusts, so that the stream can connect to Splunk securely. For the list of trusted CAs, see the Common CA Database.
A public DNS hostname that resolves to the Splunk server (the certificate must be issued for this hostname)
Administrator permission to modify firewall settings (if applicable)
- Modify the inputs.conf file as described in the Splunk Enterprise Admin Manual from Splunk.
The following code block is an example of the inputs.conf file. You can use this as a reference when editing your file:
[tcp-ssl://8888]
connection_host = ip
index = wandera
source = WanderaThreat
sourcetype = syslog
disabled = 0
[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\mycerts\tcpinputserver.pem
In this example, Splunk listens on TCP port 8888 and accepts only TLS-encrypted connections. The [SSL] stanza is required: it tells Splunk which server certificate (and private key) to present to the Threat Events Stream when it connects.
- Restart Splunk and verify that there are no errors in splunkd.log.
- Configure the firewall to allow external connections to the configured Splunk TCP port from the Threat Events Stream IP addresses.
The IP addresses can be found under Advanced Settings on the Threat Events Stream configuration page.
- In Jamf Security Cloud, navigate to .
- Select Threat Events Stream.
- Select as the Streaming Target.
- Add the Server Hostname/IP and the Port configured for your Splunk instance.
- Click Test Configuration.
- If the test is successful, you can enable the Threat Events Stream with the toggle button.
- Click Save.
The detected threats are sent to your Splunk instance in real time.

The splunkd.log error "Can't read key file" may appear if you keep the server certificate and its private key in two separate files. This can be fixed by combining the certificate and key into a single file, using the following terminal command (on example files server_cert.pem and server.key):
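As an added check for the "Can't read key file" failure mode above (example code written for this page, not Jamf's or Splunk's own tooling), the following Python script scans a PEM file for the blocks Splunk needs before you point serverCert at it, and builds the combined file in the order Splunk expects (certificate first, then private key, then any CA chain). The sample PEM bodies are constructed placeholders, not real key material; the function names and the error messages are this example's own.

```python
import re
import sys
from typing import Dict, List

# Constructed sample inputs standing in for server_cert.pem and server.key.
# The base64 bodies are placeholders only, not real certificate or key data.
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUPLACEHOLDERCERT
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjPLACEHOLDERKEY
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN label, body, END with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_labels(text: str) -> List[str]:
    """Return the label of every PEM block in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_server_pem(text: str) -> Dict[str, object]:
    """Report whether a PEM file is usable as a Splunk serverCert file.

    Splunk reads the certificate and the private key from the single file
    named by serverCert; a file that lacks the key produces the
    "Can't read key file" error in splunkd.log.
    """
    labels = pem_labels(text)
    has_cert = "CERTIFICATE" in labels
    key_idx = next((i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")), None)
    issues: List[str] = []
    if not has_cert:
        issues.append("no CERTIFICATE block found")
    if key_idx is None:
        issues.append("no PRIVATE KEY block found (Splunk would log \"Can't read key file\")")
    elif has_cert and key_idx < labels.index("CERTIFICATE"):
        issues.append("private key appears before the server certificate; expected order is certificate, key, CA chain")
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        issues.append("private key is passphrase-protected; Splunk cannot read it without the passphrase")
    return {"labels": labels, "has_cert": has_cert, "has_key": key_idx is not None, "issues": issues}


def combine_pem(cert_text: str, key_text: str) -> str:
    """Build the single-file form: certificate first, then the private key."""
    return cert_text.rstrip("\n") + "\n" + key_text.rstrip("\n") + "\n"


if __name__ == "__main__":
    # Usage: check_pem.py <pem-file>  (hypothetical script name)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else combine_pem(SAMPLE_CERT, SAMPLE_KEY)
    report = check_server_pem(text)
    print("blocks:", ", ".join(report["labels"]) or "(none)")
    print("issues:", "; ".join(report["issues"]) or "none")
```

Run it against the file named in serverCert after combining the certificate and key; an empty issues list means Splunk will find both blocks in the order it expects. The script only inspects PEM framing, so it does not prove that the key matches the certificate; that is what the splunkd.log check after restart is for.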