TL;DR
When a container is compromised, the SOC needs the full picture of what happened, and fast. The problem is that runtime security data from cloud native workloads often lives outside Splunk, in a separate tool the analyst must pivot to at exactly the wrong moment. Aqua’s integration with Splunk solves this by streaming its runtime detections directly into Splunk, so the signals Aqua generates at the point of execution, where attacks actually happen, become part of the same investigation workflow rather than a separate stop.
What does the Aqua integration with Splunk do?
Security teams investigating incidents across cloud native environments face a telemetry gap. Network, endpoint and identity data is already in Splunk, but the runtime behavior happening inside containers (blocked processes, policy violations, compliance failures) often is not. That missing layer forces analysts out of their workflow at the exact moment speed matters most.
Aqua operates at the point of execution, detecting and containing threats in real time, at machine speed, directly inside running workloads. The integration with Splunk takes those workload-level signals and places them inside the same dataset the SOC already works with. Aqua streams its audit and security events directly to Splunk through Splunk’s HTTP Event Collector, and an optional Aqua Security App adds prebuilt dashboards built specifically around that data, so teams have a starting point for analysis without building searches from scratch.
How does it work?
The integration works through Splunk’s HTTP Event Collector, which acts as the receiving endpoint for events Aqua sends.
On the Splunk side, an admin sets up the collector and generates a service token.
On the Aqua side, that token, along with the HEC URL and port for the environment, is entered under Administration, Integrations, Log Management, Splunk. The right port depends on the Splunk deployment: Aqua’s setup guide references 8008, Splunk Enterprise commonly uses 8088, and Splunk Cloud has its own HEC endpoint format. Once configured, teams can apply an audit event filter to control exactly which events get forwarded, then test the connection and start streaming.
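The following is an added, offline model of that hand-off (example code, not Aqua's or Splunk's own): it applies an audit event filter to constructed sample events, then wraps the survivors in the HTTP Event Collector envelope with the `Authorization: Splunk <token>` header a Splunk HEC expects. The hostname, token, sourcetype name and event field names are assumptions; only the HEC endpoint path, header format and envelope keys are real Splunk conventions.

```python
# Added example (not Aqua's or Splunk's code): offline model of the Aqua -> HEC hand-off.
# Hostname, token, sourcetype and event field names are assumed, not Aqua's real schema.
import json

# Configuration fields the Aqua admin enters (placeholder values).
HEC_HOST = "splunk.example.internal"
HEC_PORT = 8088  # port Splunk Enterprise commonly uses; Splunk Cloud uses its own endpoint
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real token
HEC_URL = f"https://{HEC_HOST}:{HEC_PORT}/services/collector/event"
SOURCETYPE = "aqua:audit"  # assumed name; use whatever your Splunk App expects

# Constructed sample events shaped after the signal kinds the article lists.
SAMPLE_EVENTS = [
    {"time": 1700000000, "category": "runtime", "action": "process_blocked",
     "container": "web-1", "process": "/tmp/suspicious"},
    {"time": 1700000005, "category": "runtime", "action": "drift_detected",
     "container": "web-1", "process": "/usr/bin/curl"},
    {"time": 1700000010, "category": "compliance", "action": "cis_benchmark_failed",
     "host": "node-a", "control": "cis-control-placeholder"},
    {"time": 1700000015, "category": "scan", "action": "vulnerability_scan_failed",
     "image": "registry.example/app:1.2"},
]

def audit_event_filter(events, forward_categories):
    """The 'audit event filter' step: keep only the categories worth forwarding."""
    return [e for e in events if e["category"] in forward_categories]

def build_hec_request(events, token, sourcetype=SOURCETYPE):
    """Wrap each event in HEC's JSON envelope; several envelopes may share one POST body."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = "\n".join(
        json.dumps({"time": e["time"], "sourcetype": sourcetype, "event": e})
        for e in events
    )
    return headers, body

def receive_hec_body(body):
    """Receiver-side view: split the batch back into individual envelopes."""
    return [json.loads(line) for line in body.splitlines() if line.strip()]

if __name__ == "__main__":
    hdrs, body = build_hec_request(
        audit_event_filter(SAMPLE_EVENTS, {"runtime", "compliance"}), HEC_TOKEN)
    for env in receive_hec_body(body):
        print(env["event"]["category"], env["event"]["action"])
```

Posting `body` with `hdrs` to `HEC_URL` is the same request the integration's "test the connection" step exercises; an HTTP 200 with `{"text":"Success","code":0}` from the collector confirms the token and port are right.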
If the optional Splunk App is installed, an Aqua Security icon appears in Splunk that opens a dashboard populated with the events Aqua has been sending.
What does this mean for Aqua customers?
Most SIEM integrations provide log forwarding, but the Aqua + Splunk integration provides enforcement context. Aqua does not just observe what is happening inside a workload; it acts on it. Blocked process executions, detected drift, Advanced Malware Protection findings, Process Lineage chains, and Container Memory Forensics captures are the kinds of signals Aqua generates at the point of attack. When those events flow into Splunk, the SOC is working from active control data rather than a visibility-only picture of the cloud native environment.
- Runtime enforcement lands where investigations happen. When Aqua blocks a suspicious process or detects drift inside a container, that event arrives in Splunk alongside network, endpoint and identity data from the same host. Analysts get the full picture immediately, without switching tools at the moment it matters most.
- Workload-level signals cut through the noise. Aqua’s runtime context filters out vulnerability noise in favor of what is actually happening in production. The events that flow into Splunk reflect real behavior, real policy violations, and real enforcement actions, not a dump of scan findings.
- Compliance findings join the long-term record. Failed CIS benchmarks, vulnerability scan failures and non-compliant images are captured in Splunk and feed into the audit and reporting workflows that already run there, rather than living only inside Aqua.
Where does this matter most?
- Incident triage. A blocked process or policy violation from Aqua appears in Splunk next to everything else happening on that host at that moment. Analysts see Aqua’s enforcement action alongside network and identity telemetry, collapsing the time between detection and response.
- Forensic investigation. Aqua’s Process Lineage maps the entire execution chain within a container. When those events are already in Splunk alongside the rest of the event timeline, investigators can reconstruct exactly what happened without hunting across separate systems.
- Audit and compliance reporting. Runtime findings from Aqua become part of Splunk’s long-term record, supporting the retention and reporting requirements that compliance teams are already tracking there, with the added weight of enforcement-backed evidence rather than scan results alone.
What do you need to get started?
The Splunk integration is generally available today for Aqua customers. To set it up, you need Splunk admin access to create an HTTP Event Collector and Aqua admin access to configure the integration under Administration, Integrations. The Aqua Security App for Splunk is optional and can be installed separately to add prebuilt dashboards.
Customers can follow the guide in Aqua Docs (login required) to get started or request a demo to see the Aqua and Splunk integration live.
Yes. When configuring the integration in Aqua, you can apply an audit event filter so only the events you care about are forwarded.
No. The core integration sends events to Splunk on its own. The Splunk App is an optional add on that provides prebuilt dashboards for that data.
