We’re proud to announce that the Twistlock App for Splunk is now available for download via Splunkbase.

The Twistlock App gives companies that are using Splunk a starting place for creating their own visualizations and dashboards using the incident and forensic data generated by Twistlock. The default dashboard with the App is shown above.

While many customers consume this data within the Twistlock Console and Incident Explorer, shown in the screenshot below, the Twistlock App for Splunk ingests into Splunk all incident and forensics data from Twistlock. Once the Twistlock incident data is in Splunk, it can be correlated with other Splunk sources of information to form a more complete picture of a security incident and develop the appropriate response.

Incident data and the flight data recorder

Twistlock incidents are high-priority, actionable security intelligence items that have been identified automatically by Twistlock from raw audit data. Rather than having users manually sift through reams of audit data and to hopefully detect a pattern, Twistlock creates incidents from correlated individual events generated by the firewall and runtime sensors used to identify unfolding attacks. We think of this capability as a “flight data recorder” for your cloud native applications.

This framework exists because audit events generated as a byproduct of an attack rarely occur in isolation. Attackers might modify a configuration file to open a backdoor, establish a new listener to shovel data out of the environment, run a port scan to map the environment, or download a rootkit to hijack a node. Each of these attacks is made up of a sequence of process, file system, and network events. Twistlock runtime sensors generate an audit each time an anomalous event outside the whitelist security model is detected. Twistlock sews these discrete events together into incidents to show the progression of a potential attack, while also providing detailed forensic data.

Forensic data consists of additional supplemental runtime events that complement the audit events already captured by Twistlock runtime sensors to provide additional context when trying to identify the root cause of an incident. This sort of information can be made even more valuable by correlating it with other security and operations data in Splunk.

How it works

The Twistlock Splunk App adds two main components to your Splunk deployment: two scripted data inputs for Twistlock incidents and forensics data and a Splunk dashboard that allows for search and visualization of that data.

The app makes use of your Twistlock Console’s API to pull data into Splunk and apply a couple of field extractions to make the information more useful.

Screenshots of a search and some dashboard views are featured below:

If you click on a Twistlock Incident in the App dashboard (as in the screenshot below), you can see the Twistlock Forensic data below to determine what commands were run on the container or host to trigger the incident.

Installing and configuring the Twistlock Splunk App

Install procedure:

  1. Install the Twistlock Splunk App from Splunkbase or manually drop the twistlock directory into $SPLUNK_HOME/etc/apps on the necessary Splunk host(s). See Splunk documentation for specific details based on deployment architecture. This will be done for you if you install using the Splunk interface.
  2. Add Twistlock Console credentials and FQDN (without trailing /) to twistlock/bin/meta/config.json.
    For example, your file could look like this:
    "credentials": {
    "username": "user",
    "password": "pass"
    "setup": {
    "console_fqdn": "https://your.twistlock.console.url:8083"


  3. Run $SPLUNK_HOME/bin/splunk restart to enable the app.

This will add two data input scripts that you must enable. The inputs are disabled by default, so after adding the app, go to Settings > Data inputs > Scripts and enable them. You can see them at the bottom of the table in the screenshot below:

These scripts use two of the Console’s API endpoints to pull the Incident and Forensic Data. The script uses the FQDN supplied by the user and appends “/api/v1/audits/incidents” for Incidents and “/api/v1/profiles/” for Forensics.

The poll-incidents.py script runs first, creating or updating a file (serialNum_checkpoint.txt) that tracks the last seen Incident serial number so no duplicate Incidents are indexed.

It also creates a file (forensics_events.txt) used by poll-forensics.py that contains unique tuples of information used to only pull the relevant Forensics Data.

This does mean that you should run poll-incidents.py before poll-forensics.py, so there is as short of a gap as possible between indexing Incidents and Forensics Data. Something on the order of a one to five minute gap should work well.


For many Twistlock customers, Splunk is an important part of their overall security strategy. We value our partnership with Splunk and are excited to share this App for Splunk with our joint users.

In a future version of the Twistlock App, we’d like to implement the Splunk-API-backed encrypted storage for Twistlock Console credentials instead of having the credentials stored in a plaintext file. Due to the modular nature of the scripts in the app, adding other Twistlock API endpoints would be trivial. These could be delivered as an app update or additional add-on.

The code for this solution is available in our Twistlock sample-code github repo, if you’d like to check it out.

← Back to All Posts Next Post →