Gather & add correlated searches in Splunk Enterprise Security to Drata
This story submits a correlated search job to Splunk Enterprise Security, polls until the job completes, retrieves logging-related controls from Drata across multiple pages, and uploads the Splunk results as external evidence for each control; every evidence record is timestamped and scheduled for annual renewal.
What you'll see
- Submit a search job to Splunk's API targeting the notable index for correlated searches
- Poll the job status every five seconds until the search completes
- Send an email alert to an administrator if the search job fails, including the job ID
- Retrieve the full search results from Splunk in JSON format
- Paginate through logging-related security controls in Drata until all pages are collected
- Explode controls into individual events and upload Splunk results as external evidence in Drata, with a one-year renewal schedule
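The six steps above as one Python script, added here as an example that is not Tines', Splunk's or Drata's own code. The Splunk paths (services/search/jobs, .../{sid}, .../{sid}/results with output_mode=json) are the documented REST endpoints; the Drata paths, the q/page/limit query parameters, the data/total response fields and the evidence payload keys are assumptions and must be checked against Drata's API reference. A FakeSession with constructed replies stands in for requests.Session so the script runs offline; swap in a real session with Authorization headers to use it against live tenants.

```python
"""Splunk ES notable search -> Drata external evidence (added example, not vendor code)."""
import datetime as dt
import time

SPLUNK_SEARCH = "search index=notable earliest=-30d | stats count by search_name"


def submit_search(session, splunk, spl):
    """POST the job; with output_mode=json Splunk answers {"sid": "..."}."""
    r = session.post(f"{splunk}/services/search/jobs",
                     data={"search": spl, "output_mode": "json"})
    r.raise_for_status()
    return r.json()["sid"]


def poll_job(session, splunk, sid, interval=5, max_polls=120, sleep=time.sleep):
    """Poll every `interval` seconds; raise RuntimeError (carrying the sid) on failure."""
    for _ in range(max_polls):
        r = session.get(f"{splunk}/services/search/jobs/{sid}", params={"output_mode": "json"})
        r.raise_for_status()
        content = r.json()["entry"][0]["content"]   # Splunk job properties
        if content.get("isFailed"):
            raise RuntimeError(f"Splunk job {sid} failed ({content.get('dispatchState')})")
        if content.get("isDone"):
            return content["dispatchState"]
        sleep(interval)
    raise TimeoutError(f"Splunk job {sid} not finished after {max_polls} polls")


def fetch_results(session, splunk, sid):
    """count=0 asks Splunk for all rows instead of the default first 100."""
    r = session.get(f"{splunk}/services/search/jobs/{sid}/results",
                    params={"output_mode": "json", "count": 0})
    r.raise_for_status()
    return r.json()["results"]


def logging_controls(session, drata, page_size=50):
    """ASSUMED Drata shape: GET /public/controls?q=logging&page=N&limit=M -> {data, total}."""
    page, controls = 1, []
    while True:
        r = session.get(f"{drata}/public/controls",
                        params={"q": "logging", "page": page, "limit": page_size})
        r.raise_for_status()
        body = r.json()
        controls.extend(body["data"])
        if not body["data"] or len(controls) >= body["total"]:   # last page reached
            return controls
        page += 1


def evidence_payload(control, results, now):
    """One evidence record per control, timestamped, renewing in a year (ASSUMED field names)."""
    return {"controlId": control["id"],
            "name": f"Splunk ES correlated-search evidence {now:%Y-%m-%d}",
            "description": f"{len(results)} notable rows from: {SPLUNK_SEARCH}",
            "collectedAt": now.isoformat(),
            "renewalDate": (now + dt.timedelta(days=365)).isoformat(),
            "data": results}


def upload_evidence(session, drata, payload):
    """ASSUMED Drata path for external evidence on a control."""
    r = session.post(f"{drata}/public/controls/{payload['controlId']}/external-evidence", json=payload)
    r.raise_for_status()
    return r.json()


def collect(session, splunk, drata, notify, now=None, sleep=time.sleep):
    """Run the whole story; on job failure alert the admin (message includes the sid) and stop."""
    now = now or dt.datetime.now(dt.timezone.utc)
    sid = submit_search(session, splunk, SPLUNK_SEARCH)
    try:
        poll_job(session, splunk, sid, sleep=sleep)
    except RuntimeError as exc:
        notify(f"[Splunk->Drata] search job {sid} failed: {exc}")
        return []
    results = fetch_results(session, splunk, sid)
    return [upload_evidence(session, drata, evidence_payload(c, results, now))
            for c in logging_controls(session, drata)]


class _Resp:
    def __init__(self, body): self._body = body
    def raise_for_status(self): pass
    def json(self): return self._body


class FakeSession:
    """Constructed offline stand-in for requests.Session: canned Splunk and Drata replies."""
    def __init__(self, fail=False):
        self.fail, self.polls, self.uploads = fail, 0, []

    def post(self, url, data=None, json=None):
        if url.endswith("/search/jobs"):
            return _Resp({"sid": "1700000000.42"})          # constructed job id
        self.uploads.append(json)
        return _Resp({"id": f"ev-{len(self.uploads)}"})

    def get(self, url, params=None):
        if url.endswith("/results"):
            return _Resp({"results": [{"search_name": "Example Correlation Search", "count": "7"}]})
        if "/search/jobs/" in url:                          # job finishes on the second poll
            self.polls += 1
            done = self.polls >= 2
            state = "FAILED" if self.fail else ("DONE" if done else "RUNNING")
            return _Resp({"entry": [{"content": {"isDone": done, "isFailed": self.fail and done,
                                                 "dispatchState": state}}]})
        page = params["page"]                               # two logging controls over two pages
        return _Resp({"data": [{"id": f"ctl-{page}"}] if page <= 2 else [], "total": 2})


if __name__ == "__main__":
    s = FakeSession()
    print(collect(s, "https://splunk.example:8089", "https://drata.example", print, sleep=lambda _: None))
```

The `sleep` and `now` parameters are injected so the poll loop and the renewal date can be tested without waiting or depending on the clock; the failure branch is also exercised by the fake, which is the path the email alert step covers.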
Perfect for
- GRC and compliance teams: Needing to map SIEM activity to specific Drata controls without manual exports or copy-pasting
- Security engineers: Maintaining a continuous, auditable evidence trail from Splunk across multiple compliance frameworks
- SOC teams: Responsible for demonstrating logging coverage during audits and needing timestamped proof of correlated search activity
Requirements
- Splunk Enterprise Security: API credentials with access to run and retrieve search jobs from the notable index
- Drata: API credentials with access to security controls and external evidence endpoints
- A configured Splunk resource with your instance information
- Basic familiarity with Splunk's search processing language (SPL) and Drata's control framework
Get the featured workflow
Import this workflow to your tenant, from where you can adapt it to meet your unique needs.