NodeZero App for Splunk¶
The NodeZero App for Splunk automatically ingests pentest data from the Horizon3.ai NodeZero platform into Splunk. At a configurable polling interval, the app downloads pentest results and indexes them as structured JSON events.
The add-on supports three data types — weaknesses, hosts, and action logs — and maps weakness data to the Splunk CIM Vulnerability data model for use with Splunk Enterprise Security.
You can download the app from Splunkbase.
Version note
This page documents v3.0.0 of the NodeZero App for Splunk. If you are running v1.x or v2.x, see Version 2.x and Earlier below.
Requirements¶
- Splunk Enterprise or Splunk Cloud 9.2 or later
- Python 3.9 or later (bundled with Splunk)
Setup¶
Step 1: Get an API Key¶
Generate an API key from the NodeZero portal at portal.horizon3ai.com via Settings > API Keys. The API key grants read-only access to pentest results for your organization.
Step 2: Configure an Account¶
In the Splunk app, navigate to the Configuration tab and click Add on the Accounts sub-tab.
- Name (required) — A short identifier for this account. Alphanumeric characters and underscores only.
- Description (optional) — Notes about this API key (e.g., which environment it belongs to).
- API Key (required) — Your NodeZero API key. Stored encrypted by Splunk's credential manager.
- API URL (optional, v3.0.0+) — NodeZero API hostname. Defaults to `api.horizon3ai.com` (US commercial and Federal). Set to `api.horizon3ai.eu` for EU instances. Do not include the `https://` prefix.
Step 3: Create an Input¶
Navigate to the Inputs tab and click Create New Input.
- Name (required) — A short identifier for this input. Alphanumeric characters and underscores only.
- Description (optional) — Notes about the input.
- API Account (required) — Select the account configured in Step 2.
- Polling Interval (required) — How often to poll for new data, in seconds. Default: `86400` (24 hours). Minimum: `3000` (50 minutes).
- Pull Pentests After (optional, v3.0.0+) — Only ingest pentests scheduled after this date (YYYY-MM-DD format). Leave empty to pull pentests from the last 90 days.
- Index (required) — The Splunk index to write events to.
- Pull Hosts (optional, v3.0.0+) — Ingest host data from pentests. Enabled by default.
- Pull Weaknesses (optional, v3.0.0+) — Ingest weakness data from pentests. Enabled by default.
- Pull Action Logs (optional, v3.0.0+) — Ingest action log data from pentests. Enabled by default.
The input begins pulling data immediately after you save it.
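As an added illustration of the rules in Steps 2 and 3 (written for this page, not the add-on's own code), the following validator applies the documented constraints before an account/input pair is saved; the dictionary keys, function names and the `today` parameter are assumptions.

```python
import re
from datetime import date, timedelta
from typing import List, Optional

# Illustrative validator written for this page, not the add-on's own code. It
# applies the rules the Setup steps document for the account and input forms.
DEFAULT_API_URL = "api.horizon3ai.com"  # US commercial and Federal
DEFAULT_INTERVAL = 86400                # 24 hours
MIN_INTERVAL = 3000                     # 50 minutes
DEFAULT_LOOKBACK_DAYS = 90
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def normalize_api_url(api_url: Optional[str]) -> str:
    """Empty means the US default; a scheme or path is an error, not stripped."""
    host = (api_url or "").strip()
    if not host:
        return DEFAULT_API_URL
    if "://" in host or "/" in host:
        raise ValueError("API URL must be a bare hostname (no https:// prefix)")
    return host

def pentests_after(raw: Optional[str], today: date) -> date:
    """'Pull Pentests After' cutoff; empty falls back to the last 90 days."""
    if not raw:
        return today - timedelta(days=DEFAULT_LOOKBACK_DAYS)
    if not DATE_RE.match(raw):
        raise ValueError("Pull Pentests After must be YYYY-MM-DD")
    return date.fromisoformat(raw)  # also rejects impossible dates such as 2024-13-01

def check_settings(acct: dict, inp: dict, today: date) -> List[str]:
    """Return the problems with an account/input pair (empty list means OK)."""
    errors = []
    for label, name in (("account", acct.get("name")), ("input", inp.get("name"))):
        if not name or not NAME_RE.match(name):
            errors.append(f"{label} name must use alphanumerics and underscores only")
    interval = inp.get("interval", DEFAULT_INTERVAL)
    if interval < MIN_INTERVAL:
        errors.append(f"polling interval {interval}s is below the {MIN_INTERVAL}s minimum")
    try:
        normalize_api_url(acct.get("api_url"))
    except ValueError as exc:
        errors.append(str(exc))
    try:
        pentests_after(inp.get("pull_after"), today)
    except ValueError as exc:
        errors.append(str(exc))
    return errors
```

The `typing` imports keep the block compatible with the Python 3.9 interpreter bundled with Splunk.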
Index Macro¶
The sample dashboard relies on a macro called `h3_index`. The default value is `()`, which searches the default index (usually `main`). If you are sending events to a different index, update the macro via Settings > Advanced Search > Search Macros to match your index (e.g., `(index=my_nodezero_index)`).
What Gets Indexed¶
The add-on creates events under three sourcetypes. In v3.0.0, all events are JSON-formatted with automatic field extraction.
Weaknesses (h3:nodezero:api:weakness_export_csv) — Vulnerabilities and misconfigurations discovered during pentests. Key fields: Name, Severity, ContextScore, IP, Hostname, RootCause, PortalUrl.
Hosts (h3:nodezero:api:host_export_csv) — Hosts discovered during pentests, including network attributes and weakness summaries. Key fields: IP, Hostname, OS, InScope, NumWeaknesses.
Action Logs (h3:nodezero:api:action_logs_export_csv) — Step-by-step records of what NodeZero did during each pentest. This is the most granular data type and typically the largest by volume. Key fields: ModuleName, Cmd, StartTime, IP.
Sourcetype change in v3.0.0
The action logs' sourcetype changed from h3:nodezero:api:action_logs (v1.x/v2.x) to h3:nodezero:api:action_logs_export_csv (v3.0.0). Host and weakness sourcetypes are unchanged across all versions.
Verify Data Is Being Indexed¶
`h3_index` | stats values(sourcetype) as st
You should see three sourcetypes:
h3:nodezero:api:action_logs_export_csv
h3:nodezero:api:host_export_csv
h3:nodezero:api:weakness_export_csv
CIM Compatibility¶
Weakness events are mapped to the Splunk Vulnerability data model via field aliases and eventtypes, enabling out-of-the-box correlation with other security tools in Splunk Enterprise Security.
Dashboards¶
The app includes a NodeZero Operations dashboard for viewing summary information across all pentests visible in Splunk, with drill-down into specific weaknesses and host-level action details.
In v3.0.0, a monitoring dashboard is also available at /app/nodezero/dashboard for tracking ingestion volume, event counts, and errors.
Troubleshooting¶
v3.0.0¶
Search the add-on's diagnostic logs:
index=_internal sourcetype="nodezero:log"
For broader troubleshooting including Splunk's own process logs:
index=_internal (sourcetype=splunkd nodezero component=ExecProcessor) OR sourcetype="nodezero:log"
Set the log level to DEBUG for more detail: go to the app's Configuration tab, select the Log Level sub-tab, and change the level. Remember to set it back to INFO after troubleshooting.
v2.x and Earlier¶
index=_internal (sourcetype=splunkd nodezero component=ExecProcessor) OR sourcetype="nodezero-*"
There is also a non-navigable dashboard at /en-US/app/nodezero/kvstore_state that shows the KVStore state for troubleshooting.
Upgrading from v1.x / v2.x¶
Version 3.0.0 includes breaking changes:
- Action logs sourcetype changed from `h3:nodezero:api:action_logs` to `h3:nodezero:api:action_logs_export_csv`. Update any saved searches, dashboards, or alerts that reference the old name.
- Host and weakness sourcetypes are unchanged.
- Host and weakness events are now JSON instead of CSV. Field extraction works automatically without custom transforms.
- API URL is now configurable — if you use a non-US NodeZero instance, update your account configuration after upgrading.
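A helper, added here and not part of the app, that applies the sourcetype rename above to saved-search SPL strings while leaving host/weakness sourcetypes and already-migrated references untouched; `SAMPLE_SEARCHES` is a constructed stand-in for a real export of saved searches.

```python
import re

# Added for this page, not the app's own tooling: rewrite SPL from saved searches,
# dashboards or alerts so the v1.x/v2.x action-logs sourcetype becomes the v3.0.0
# name, leaving host/weakness sourcetypes and already-migrated references alone.
OLD_ST = "h3:nodezero:api:action_logs"
NEW_ST = OLD_ST + "_export_csv"
# The old name is replaced only when no identifier character follows it, so
# NEW_ST itself (old name + "_export_csv") is not matched a second time.
_OLD_RE = re.compile(re.escape(OLD_ST) + r"(?![A-Za-z0-9_])")

# Constructed sample saved searches (name -> SPL) standing in for a real export.
SAMPLE_SEARCHES = {
    "nz_action_log_volume": 'index=main sourcetype="h3:nodezero:api:action_logs" '
                            "| timechart count by ModuleName",
    "nz_hosts_in_scope": 'index=main sourcetype="h3:nodezero:api:host_export_csv" '
                         "InScope=true | stats count by Hostname",
    "nz_already_migrated": "index=main sourcetype=h3:nodezero:api:action_logs_export_csv "
                           "| stats count",
}


def migrate_spl(spl: str) -> str:
    """Return the SPL with old action-logs sourcetype references renamed."""
    return _OLD_RE.sub(NEW_ST, spl)


def migrate_searches(searches: dict) -> dict:
    """Migrate a {name: spl} mapping and return only the entries that changed."""
    changed = {}
    for name, spl in searches.items():
        new_spl = migrate_spl(spl)
        if new_spl != spl:
            changed[name] = new_spl
    return changed


if __name__ == "__main__":
    for name, spl in migrate_searches(SAMPLE_SEARCHES).items():
        print(f"{name}: {spl}")
```

Running the migration twice is safe: the second pass finds nothing to change.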
Version 2.x and Earlier¶
If you are running v2.x or v1.x of the app, the key differences are:
- Account setup has only Name, Description, and API Key fields (no API URL).
- Input setup has only Name, Description, API Account, Index, and Polling Interval fields (no date filter or data type toggles).
- Action logs' sourcetype is `h3:nodezero:api:action_logs` (without the `_export_csv` suffix).
- Host and weakness data is CSV-formatted (not JSON).
- Troubleshooting logs use `sourcetype="nodezero-*"`.
- A KVStore debug dashboard is available at `/en-US/app/nodezero/kvstore_state`.
We recommend upgrading to v3.0.0 for significantly faster data ingestion, EU/FedRAMP region support, and improved reliability.
Support¶
Email splunk@horizon3.ai with any questions, comments, or concerns.