Turning Burp Scanner vulnerabilities into Splunk events


Share on facebook
Share on twitter
Share on linkedin


Splunk is a fully featured, powerful platform for collecting, searching, monitoring, and analyzing machine data. It is widely used by Security Operation Center (SOC) teams to provide advanced security event monitoring, threat analytics, incident response, and cyber threat management.

Burp Suite is a must-have web application attack proxy tool used by security analysts around the world to perform penetration testing against web applications. Burp provides its users the possibility to extend its functionalities through the Burp Extender API.

To merge the best of both worlds, we developed a Burp extension named ActiveEvent to facilitate the integration of web application vulnerability management with SOC operations.

The plugin

ActiveEvent is a Burp Suite plugin that continuously monitors the Burp scanner for new security issues. As soon as the scanner reports new vulnerabilities, the plugin parses the results, transforms and sends them in form of events directly into the Splunk management interface using the HTTP Event Collector functionality.

This plugin allows both the SOC and penetration test teams to integrate their process of web application security assessment and Log management to extract useful information.

The plugin allows both the SOC and penetration test teams to do better data fusion by integrating their processes (web application security testing and log management). The core idea is that the log management team can immediately benefit from the results produced by the penetration testing team for its daily activities.

Configuring ActiveEvent

ActiveEvent has to connect to Splunk in order to convert vulnerabilities in forms of events. This action can be achieved by accessing Splunk’s HTTP Event Collector through the web management interface by clicking on Menu> Data Input> Http Event Collector > New Token. Follow the necessary steps to generate the token.

splunk 01
splunk 02

The previous steps will generate a token that should be used as a command line argument in Burp:

java -XX:MaxPermSize=1G -jar burp.jar 8088 ‘xxx-yyy-api-key’
This syntax will load Burp Suite and inform through these parameters the Splunk IP address, TCP port (default is 8088), and API token value.

As soon as Burp starts, go to Extender Tab > Options > Ruby Environment and specify the path to your JRuby jar file. Next in the Extender Tab > Extensions > Add, choose Ruby as an extension type and specify the path to this plugin.

When loaded successfully, you should see the following output:


burp active event 01


Using ActiveEvent

While the analysts perform their normal web application security assessments, the plugin will silently obtain the results produced by the scanner and send them to Splunk, in such a way the SOC team can use this information to improve their correlation work.

The image below shows this process.


burp active event 02

The vulnerabilities found during scanning will be available in form of events in Splunk.


burp 08 1


Obtain useful data from Splunk

Since the scanner results are already on the Splunk interface, it is possible to configure the field extractor functionality and map the main fields like vulnerability, severity, url, etc.

With the field extractor results, it is quite simple to obtain a variety of information.

  • Top 10 vulnerabilities found:


splunk 01 stats


  • Top 10 vulnerable URLs:


splunk 02 stats


  • Severity statistics:


splunk 03 stats

Furthermore, the SOC team can use the provided data to correlate them with real-time analysis and improve their efficiency in attack classification.


1. ActiveEvent https://github.com/blazeinfosec/ActiveEvent

2. Burp APIhttps://portswigger.net/burp/extender/api/

3. Splunk Http Event Collector


About the author

Blaze Labs

Blaze Labs


Ready to take your security
to the next level?

We are! Let’s discuss how we can work together to create strong defenses against real-life cyber threats.

Stay informed, stay secure

Subscribe to our monthly newsletter

Get notified about new articles, industry insights and cybersecurity news