Security information and event management (SIEM) systems provide a view of the logs and data associated with an app, along with additional insights. Configure the Miro app for Splunk to access Miro logs from Splunk and get data visualizations and an overview of your data insights.
Available for: Enterprise plan
Set up by: Company Admins
On the Miro end
Generate access token
On your Miro Enterprise settings page, go to Company settings > Enterprise Integrations and scroll down to SIEM.
SIEM in Enterprise Integrations settings
Once you enable the toggle, you can copy the access token or generate a new one.
Access token for SIEM
⚠️ The integration is tied to the team with the largest number of users. It's not possible to choose a different team here, but note that the integration works for the whole account and the integration-relevant events are shown for the whole account in your Audit logs.
If the toggle has been enabled by another Admin, you will not have the option to copy the token. However, you will still be able to deactivate the integration.
The message shown to other Company Admins if the toggle has been enabled
On the Splunk end
Install Miro app
From your Splunk dashboard, you can go to Manage Apps by clicking on the settings icon as follows:
Manage apps icon
Then, on the Apps page, click on Browse more apps:
Browse more apps button
Now you can search for the Miro App for Splunk and proceed with the installation by clicking on Install:
Installing Miro app for Splunk
As a first step in the installation, you will be required to enter your credentials and agree with the terms and conditions. Then click on Login and Install:
Accepting terms and conditions
After the app has been installed, you might be required to restart Splunk. If so, click on Restart now.
Configure Miro app
Once the Miro app is installed, you can see it on the Splunk dashboard. To configure it, click on Miro App for Splunk:
Miro app for Splunk
First of all, you need to add your Miro Enterprise account. To do that, go to Configuration > Miro Account and click on Add:
Adding Miro account
Once the connection between Splunk and Miro is completed make sure that Logging > Log level has the following default value:
Once you have finished with the Configuration, create a new Input for your connector. To do that, go to the Inputs tab and click on Create New Input:
Creating new input
Enter a representative Name for your new Input, define the Interval at which you want Splunk to fetch data from Miro (the default is every 60 seconds), select the Miro account you added in the previous step, and click on Add:
Creating new input
Please double-check that the Input is Enabled. From that moment onwards, Splunk will start receiving audit logs from Miro.
Checking the status
How to use Search
If you’re interested in which events are being sent to Splunk, or you want to check the logs, you can go to the Search tab:
For Audit logs events, you can filter by
source="miro_audit_logs"
and you will see a list of audit logs that were fetched from Miro in the specified time slot:
Miro Audit logs in Splunk
For Logs, you can filter by
index="_internal" sourcetype="miroappforsplunk:log"
and you will see the list of logs in the specified time slot for the Miro app:
Miro Logs in Splunk
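An added example (not part of the original page or of the Miro app): a Python check that takes results of the source="miro_audit_logs" search exported as JSON lines and flags events that were indexed much later than the Input's Interval allows, which marks a period when Miro activity was not yet visible in Splunk. It assumes each event's _time carries the Miro event time; the sample rows, the function name and the tolerance factor are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample: results of source="miro_audit_logs" as JSON lines, reduced
# to Splunk's default _time (event time) and _indextime (epoch when indexed).
SAMPLE = """\
{"result": {"_time": "2024-05-01T10:00:05.000+00:00", "_indextime": "1714557650"}}
{"result": {"_time": "2024-05-01T10:01:10.000+00:00", "_indextime": "1714557710"}}
{"result": {"_time": "2024-05-01T10:02:30.000+00:00", "_indextime": "1714561200"}}
{"result": {"_time": "2024-05-01T10:40:00.000+00:00", "_indextime": "1714561200"}}
{"result": {"_time": "2024-05-01T11:00:20.000+00:00", "_indextime": "1714561260"}}
"""


def delivery_report(jsonl, interval_s=60, tolerance=5):
    """Flag events indexed more than interval_s * tolerance after they occurred.

    Assumption: _time holds the Miro event time. interval_s is the Input's
    Interval (60 seconds by default); tolerance is a hypothetical safety factor.
    """
    limit = interval_s * tolerance
    rows = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        row = obj.get("result", obj)  # accept wrapped or bare result rows
        event_ts = datetime.fromisoformat(row["_time"]).timestamp()
        rows.append((event_ts, float(row["_indextime"])))
    if not rows:
        return {"events": 0, "status": "NO_EVENTS"}
    late = [(e, i) for e, i in rows if i - e > limit]
    report = {
        "events": len(rows),
        "late": len(late),
        "max_lag_s": max(i - e for e, i in rows),
        "status": "DELAYED" if late else "OK",
    }
    if late:
        # Window during which Miro activity was not yet visible in Splunk.
        report["gap"] = (min(e for e, _ in late), max(i for _, i in late))
    return report


if __name__ == "__main__":
    print(delivery_report(SAMPLE))
```

A DELAYED result is a prompt to review the Miro app's own logs (index="_internal" sourcetype="miroappforsplunk:log") for the same window.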
Splunk provides two basic data visualizations that give you an overview of your data insights:
User Activity: where you can find an overview of your user’s events in Miro accounts. These are:
Amount of Events over time, by team and total.
Board Events: boards created, boards opened and total.
Security Activity: where you can find an overview of your user events in Miro accounts. These are:
Login activity: the amount of successful and failed sign-ins.
Sharing events: list of user events when sharing boards.
To invalidate the access token, go to Miro Company settings > Enterprise Integrations and scroll down to SIEM. If you disable the toggle, you will see the warning message.