Vanta integrates with Splunk (Cloud) to monitor and manage access to your tools. By synchronizing user access data, Vanta helps ensure that only active employees retain access and that access is promptly removed when personnel leave—supporting automated compliance workflows, streamlined access reviews, and structured access requests.
Estimated setup time: Less than 10 minutes.
How it works
Vanta connects to Splunk (Cloud) and synchronizes user, role, and group data on a recurring basis. This data powers three key workflows within Vanta:
Automated compliance tests - Vanta automatically verifies that accounts are linked to active employees and are deprovisioned when personnel leave the organization.
Access Reviews - Synced users are surfaced in Vanta’s Access Reviews. Approvers can validate whether access remains appropriate, confirm least-privilege alignment, and generate audit-ready evidence.
Access Requests - Entitlements from Splunk (Cloud) are imported into Vanta. Requesters can submit access requests for specific roles or access levels, approvers can review requests with context, and system administrators can track provisioning activity.
Use cases
Connecting Splunk (Cloud) to Vanta enables you to:
Monitor and manage personnel access to Splunk (Cloud)
Ensure that only active employees retain access to company systems
Simplify access reviews and support compliance requirements
Requirements
To connect this integration, you must have:
Access to the Splunk (Cloud) dashboard
The URL for your Splunk (Cloud) dashboard
A Splunk (Cloud) user account with roles that include the following capabilities:
edit_user
change_authentication
list_all_objects
An authentication token for a user with the required capabilities
Vanta’s outbound IP address added to the Search Head API Allow List
Best practice: We recommend creating a dedicated service account for the Vanta integration. Authentication tokens inherit the permissions of the user who generates them, and tying tokens to an individual account may disrupt the integration if that user’s access changes or is removed.
Connect the integration
When connecting Splunk (Cloud) to Vanta, you will be prompted to provide a Host Name and an Authentication Token.
Enter the Host Name: The Host Name can be found in the base URL of your Splunk (Cloud) instance. These typically follow the format:
https://<Host Name>.splunkcloud.com
Enter the <Host Name> portion of the URL in the integration modal.
Generate an Authentication Token: Next, generate an Authentication Token that Vanta will use to make authorized requests to the Splunk API and retrieve data required for compliance tests. Authentication tokens can be created under:
Settings → Token in your Splunk (Cloud) dashboard.
Selecting this tab should redirect you to a page listing existing tokens in your Splunk (Cloud) instance. If the Token Authentication feature is not enabled, you may be redirected to a page prompting you to enable it. If so, click Enable Token Authentication to proceed.
(Optional) Configure Token Expiration Settings: Once Token Authentication is enabled, the Tokens page will display all created tokens. Tokens can be created immediately, but they typically include an expiration date. When tokens expire, users must renew them in Vanta. If desired, you can configure tokens to never expire:
Navigate to Token Settings on the Tokens page:
Update the Default Expiration field to never and click Save to confirm your changes. This configuration is optional.
Create a New Token: Regardless of expiration settings, click New Token to open the token creation modal.
Tokens are assigned to a user and inherit that user’s capabilities. For the token to function properly, the associated user must have the following capabilities:
acs_list_ip_allow_list
change_authentication
edit_user
list_all_objects
The sc_admin role typically includes these capabilities. Alternatively, you may create a custom role containing these specific capabilities.
To create or edit a role:
Complete Token Creation: In the New Token modal:
Enter a valid username in the User field
Enter any value in the Audience field
Click Create
This will generate the Authentication Token that Vanta uses to retrieve account data from your instance.
The generated token will be displayed only once in the Token field. Copy this value and enter it into the Authentication Token field in Vanta.
After clicking Close, the modal will close and the new token will appear as enabled in the Tokens table.
Add Vanta’s IP CIDR to the Search Head API Allow List: To allow Vanta to interact with your Splunk (Cloud) environment, you must add Vanta’s IP CIDR to the Search Head API IP Allow List. Splunk deploys features across configurable subnets. The Search API feature used by Vanta is not exposed to any subnet by default.
To configure the allow list:
Validate the Connection: Return to the integration connection modal in Vanta. Click Validate and store to link your Splunk (Cloud) account to Vanta. If configuration is correct, you will see a confirmation screen indicating that the connection was successful.
Access capabilities
Resource | Supported | Usage |
Users | ✅ | |
Groups | ✅ | |
Role/Entitlements | ✅ | |
Last Login | ✅ | |
Permissions
The Splunk (Cloud) integration provides read-only access to your environment. Vanta does not create, modify, or delete any data in Splunk (Cloud).
Data access scope
Vanta can access the following data:
User Data: Used to confirm that only active employees retain system access and that terminated employees are deprovisioned promptly. In Access Requests, this allows Vanta to display available users when tracking or assigning access.
User Group Data: Used to validate least-privilege access and confirm that group-based access controls align with compliance requirements. In Access Requests, this enables approvers to see which groups grant access and map access levels to entitlements.
User Role and Entitlement Data: Used to ensure employees are assigned to appropriate roles, validate least-privilege access, and confirm that high-privilege roles (for example, admin or superuser) are granted only to authorized personnel. In Access Requests, this allows requesters to select from the correct set of roles and ensures approvers can review the specific level of access being requested.
Vanta does not have write permissions and cannot update any data in Splunk (Cloud).
Troubleshooting FAQ
This section highlights common configuration issues that may occur during installation. It is not an exhaustive list of all possible errors, but focuses on the most frequent setup blockers.
Invalid Splunk (Cloud) Hostname
Splunk (Cloud) instances typically follow the format:
https://<Host Name>.splunkcloud.com
The Host Name field should contain only the <Host Name> portion of the URL. This error occurs when the value entered does not match the host name assigned to your Splunk (Cloud) instance.
The current user role/s is missing the acs_list_ip_allow_list capability
This error occurs when the current user role does not include the acs_list_ip_allow_list capability. Vanta checks your instance’s IP Allow List configuration through the API. This capability must be assigned to the user’s role to allow that validation.
Add the acs_list_ip_allow_list capability to the associated role and retry the connection.
Missing the following capabilities to guarantee that Vanta retrieves all the resources from your account
This error indicates that one or more required capabilities are not assigned to the user role.
The listed capabilities are necessary for Vanta to retrieve users, roles, and groups from your Splunk (Cloud) instance. Add the missing capabilities to the user role to resolve the issue.
Your Search API IP Allow List is not open for Vanta
This error occurs if Vanta’s IP CIDR has not been added to your Search Head API IP Allow List.
The error message will display the expected CIDR value that must be added. Update your IP Allow List configuration accordingly and retry the connection.
Splunk authentication token is invalid
This error occurs when Vanta is unable to authenticate with the Splunk API using the provided token.
Review the Authentication Token entered in Vanta and confirm that:
The token was copied correctly
The token is active
The token has not expired
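A local pre-flight check for the host name, capability and allow-list blockers described above, as an added example that is not Vanta's or Splunk's code. The CIDR, granted capabilities and allow-list entries are constructed sample values (substitute the CIDR shown in Vanta's error message and the values from your own instance), and the check assumes an allow-list entry must cover the whole CIDR.

```python
import ipaddress
from urllib.parse import urlparse

# Capabilities this page lists for the token's user.
REQUIRED = {"acs_list_ip_allow_list", "change_authentication",
            "edit_user", "list_all_objects"}

def normalize_host_name(value):
    """Reduce a pasted URL to the <Host Name> part the Vanta modal expects."""
    value = value.strip()
    host = urlparse(value if "//" in value else "//" + value).hostname or ""
    if host.endswith(".splunkcloud.com"):
        host = host[: -len(".splunkcloud.com")]
    if not host or "." in host:  # assumption: a host name carries no dots
        raise ValueError(f"not a Splunk (Cloud) host name: {value!r}")
    return host

def missing_capabilities(granted):
    """Required capabilities absent from the user's effective capability list."""
    return sorted(REQUIRED - set(granted))

def cidr_allowed(vanta_cidr, allow_list):
    """True if some allow-list subnet covers the whole Vanta CIDR."""
    wanted = ipaddress.ip_network(vanta_cidr)
    nets = (ipaddress.ip_network(s, strict=False) for s in allow_list)
    return any(n.version == wanted.version and wanted.subnet_of(n) for n in nets)

def preflight(host_input, granted, vanta_cidr, allow_list):
    """Return the setup blockers from the Troubleshooting FAQ that would fire."""
    problems = []
    try:
        normalize_host_name(host_input)
    except ValueError:
        problems.append("Invalid Splunk (Cloud) Hostname")
    missing = missing_capabilities(granted)
    if missing:
        problems.append("Missing capabilities: " + ", ".join(missing))
    if not cidr_allowed(vanta_cidr, allow_list):
        problems.append("Search API IP Allow List is not open for Vanta")
    return problems

# Constructed sample input (not real account data).
VANTA_CIDR = "203.0.113.0/28"  # placeholder from a documentation range
GRANTED = ["edit_user", "change_authentication", "list_all_objects", "search"]
ALLOW_LIST = ["198.51.100.0/24", "203.0.113.4/32"]

if __name__ == "__main__":
    for line in preflight("https://acme.splunkcloud.com/en-US/", GRANTED,
                          VANTA_CIDR, ALLOW_LIST):
        print("BLOCKER:", line)
```

With the sample values, the service account lacks acs_list_ip_allow_list, and the single /32 entry does not cover the placeholder CIDR, so both blockers are reported.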
