How to set Splunk as CSP Policy report collector?

cbarthel · ‎10-21-2020

I am trying to set up Content-Security-Policy, and I need a way to collect violation reports. I was hoping to use Splunk HEC to do this, but so far I am not getting anything in. If I CURL the collector URL, I can see the result in Splunk. But nothing from Browsers.

Sourcetype is set as json-no-tiimestamp, and I am not sending a response back. I could not find as single example of doing this, so if this is not correct please let me know.

Are there any considerations I have not thought of here? I am not restricting access by IP for the external NAT that leads to the HEC for this instance. I do not, however, have a proper SSL cert. Will browsers like Chrome refuse to POST if the HEC only has a self-signed?

fredclown · ‎10-27-2022

Splunk requires a token, so this could not be done out of the box. What you could do would be to create a webservice that would take the CSP report and then proxy that to Splunk using HEC with the token. So, the webservice would know what the token is an would be the middle man between Splunk the CSP report.

vince2010091 · ‎07-29-2022

That would-be great, but token might be not compatible with report-uri

How to set Splunk as CSP Policy report collector?

HTTP Event Collector

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!