The SafeLine WAF app parses JSON syslog output from Chaitin SafeLine Web Application Firewall deployments and maps events to the Splunk Common Information Model. The app extracts approximately 70 fields per event, including HTTP request and response headers, attack metadata, client IP addresses, and WAF rule actions. Events are normalized to the Web, Network Traffic, Intrusion Detection, and Alerts CIM data models. The app provides 10 operational dashboards covering real-time monitoring, attack analysis, IP reputation scoring, bot detection, TLS fingerprint analysis, cross-site comparison, and compliance reporting. Seven pre-configured saved searches enable automated alerting on critical attack patterns, high-volume attackers, multi-site threats, mitigation rate degradation, and traffic anomalies. Workflow actions embedded in search results allow analysts to pivot to related events, drill down by site or attack rule, and launch OSINT lookups against external threat intelligence platforms.
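To make the CIM mapping and the saved-search logic described above concrete, the following Python is an added example; it is not code from the SafeLine WAF app or from Chaitin. It parses constructed JSON-over-syslog lines whose field names (src_ip, host, method, path, query, status, action, rule_id, attack_type) are assumptions standing in for the vendor schema, renames them to Splunk CIM Web and Intrusion Detection field names (src, dest, http_method, uri_path, uri_query, status, action, signature_id, signature), canonicalizes the action vocabulary, and then applies two of the alert conditions the listing names: a high-volume attacker threshold and a mitigation-rate floor.

```python
"""CIM normalization and alert checks over WAF JSON syslog (added example)."""
import json
from collections import Counter


def _line(ts, payload):
    # RFC 5424-style header in front of a JSON body; header values are constructed.
    return f"<134>1 {ts} waf01 safeline - - - {json.dumps(payload)}"


# Constructed sample feed. Field names are assumptions for illustration,
# not SafeLine's real log schema.
SAMPLE_LINES = [
    _line("2024-05-01T10:00:00Z", {"src_ip": "203.0.113.10", "host": "shop.example.com",
          "method": "GET", "path": "/login", "status": 200, "action": "allow"}),
    _line("2024-05-01T10:00:01Z", {"src_ip": "198.51.100.7", "host": "shop.example.com",
          "method": "GET", "path": "/search", "query": "q=' OR 1=1--", "status": 403,
          "action": "deny", "rule_id": 1001, "attack_type": "sqli"}),
    _line("2024-05-01T10:00:02Z", {"src_ip": "198.51.100.7", "host": "shop.example.com",
          "method": "GET", "path": "/search", "query": "q=<script>alert(1)</script>",
          "status": 403, "action": "deny", "rule_id": 1002, "attack_type": "xss"}),
    _line("2024-05-01T10:00:03Z", {"src_ip": "198.51.100.7", "host": "shop.example.com",
          "method": "POST", "path": "/api/login", "status": 403, "action": "deny",
          "rule_id": 1001, "attack_type": "sqli"}),
    # A rule matched but the request was let through: this is what drags the
    # mitigation rate down.
    _line("2024-05-01T10:00:04Z", {"src_ip": "192.0.2.44", "host": "shop.example.com",
          "method": "GET", "path": "/admin/../etc/passwd", "status": 200, "action": "allow",
          "rule_id": 2001, "attack_type": "path_traversal"}),
    _line("2024-05-01T10:00:05Z", {"src_ip": "203.0.113.10", "host": "shop.example.com",
          "method": "GET", "path": "/", "status": 200, "action": "allow"}),
]

# Vendor field -> Splunk CIM field (Web and Intrusion Detection data models).
CIM_FIELDS = {
    "src_ip": "src", "host": "dest", "method": "http_method", "path": "uri_path",
    "query": "uri_query", "status": "status", "action": "action",
    "rule_id": "signature_id", "attack_type": "signature",
}
# CIM expects a fixed vocabulary for action; anything unmapped becomes "unknown".
CIM_ACTIONS = {"deny": "blocked", "allow": "allowed"}


def parse_syslog_json(line):
    """Strip the syslog header and decode the JSON body."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON payload in line")
    return json.loads(line[start:])


def normalize(event):
    """Rename vendor fields to CIM names and canonicalize the action value."""
    cim = {CIM_FIELDS.get(k, k): v for k, v in event.items()}
    cim["action"] = CIM_ACTIONS.get(str(cim.get("action", "")).lower(), "unknown")
    return cim


def load_events(lines):
    """Parse and normalize a batch of syslog lines into CIM-shaped dicts."""
    return [normalize(parse_syslog_json(line)) for line in lines]


def high_volume_sources(events, threshold):
    """Sources with at least `threshold` blocked requests (the high-volume attacker alert)."""
    blocked = Counter(e["src"] for e in events if e["action"] == "blocked")
    return {src: n for src, n in blocked.items() if n >= threshold}


def mitigation_rate(events):
    """Share of rule-matched requests that were blocked; None when nothing matched."""
    matched = [e for e in events if e.get("signature")]
    if not matched:
        return None
    return sum(e["action"] == "blocked" for e in matched) / len(matched)


def mitigation_degraded(events, floor=0.9):
    """True when the mitigation rate falls below `floor` (the degradation alert)."""
    rate = mitigation_rate(events)
    return rate is not None and rate < floor


if __name__ == "__main__":
    evts = load_events(SAMPLE_LINES)
    print(high_volume_sources(evts, threshold=3))            # {'198.51.100.7': 3}
    print(mitigation_rate(evts), mitigation_degraded(evts))  # 0.75 True
```

In Splunk the renaming step is what a props/transforms field alias or eval does at search time, and the two checks are what a scheduled search over the Web or Intrusion Detection data model would compute; running the same logic offline over a handful of constructed lines is a cheap way to sanity-check thresholds and the action vocabulary before wiring up alerts.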
Categories
Security, Fraud & Compliance, Firewall