
How to Integrate Reality Defender with Splunk SIEM (v1)

This guide covers streaming Reality Defender RealMeeting or RealScan detection events into Splunk SIEM via HTTP Event Collector (HEC).

Written by Wen Huang

Overview

Reality Defender can forward detection results from RealMeeting (live meeting analysis) and RealScan (file-based analysis) into your Splunk SIEM using Splunk’s HTTP Event Collector (HEC).

This enables:

  • Centralized monitoring and correlation in Splunk

  • Alerting workflows in Splunk ES / your SOC dashboards

  • A full audit trail of detection outcomes linked back to Reality Defender


What you’ll receive in Splunk

Reality Defender sends structured JSON events to your Splunk HEC endpoint. Each event includes:

  • event.external_id — a unique identifier that links back to the full result in the Reality Defender dashboard

  • event.conclusion — detection outcome (typically AUTHENTIC, ARTIFICIAL, or INCONCLUSIVE)

  • event.probability — a confidence score (0.0–1.0)

  • event.metadata — additional metadata (for RealMeeting, this includes participant + segment-level scan information)

All events include:

  • source: realitydefender

  • sourcetype: _json


Prerequisites

1) Create a Splunk HEC token

In Splunk:

  1. Go to Settings → Data inputs → HTTP Event Collector

  2. Create a New Token

  3. Set Source type to _json

  4. Copy the token value (you’ll share this with Reality Defender)

2) Identify your HEC endpoint URL

Your HEC endpoint is typically:

  • https://<your-splunk-host>:8088/services/collector/event

If your Splunk instance is behind a firewall/VPN, coordinate with your network team to allow inbound traffic from Reality Defender. Your Reality Defender account team can provide the required IP information if needed.


Activation

Enabling the integration is a collaborative process:

  1. You create a HEC token and identify the HEC endpoint URL.

  2. You share the HEC endpoint URL and token with your Reality Defender account team via a secure channel.

  3. Reality Defender provisions the integration for your organization.

  4. Reality Defender runs a test scan and confirms events appear in your Splunk index.

  5. Your team builds Splunk dashboards/alerts as desired.


Event examples

RealScan (file-based) example

{
  "time": "17XXXXXXXXX",
  "event": {
    "external_id": "<external_id>",
    "conclusion": "AUTHENTIC",
    "probability": 0.03,
    "metadata": null
  },
  "source": "realitydefender",
  "sourcetype": "_json"
}

View in Reality Defender dashboard:

  • https://app.realitydefender.ai/v2/media/<external_id>

Replace <external_id> with the real value from the Splunk event.

RealMeeting (live meetings) example

{
  "time": "17XXXXXXXXX",
  "event": {
    "external_id": "<external_id>",
    "conclusion": "ARTIFICIAL",
    "probability": 0,
    "metadata": {
      "participant_id": "<participant_id>",
      "scans": [
        {
          "sessionId": "<external_id>",
          "participantId": "<participant_id>",
          "scanId": "<scan_id>",
          "segmentId": "<segment_id>",
          "status": "PROCESSING",
          "ensemble": null,
          "createdAt": "2026-03-25T21:51:17.945Z",
          "updatedAt": "2026-03-25T21:51:17.945Z",
          "id": "<external_id>-<participant_id>-<scan_id>-<segment_id>"
        },
        {
          "sessionId": "<external_id>",
          "participantId": "<participant_id>",
          "scanId": "<scan_id>",
          "segmentId": "<segment_id>",
          "status": "FINISHED",
          "ensemble": {
            "score": 0.9759469589115146,
            "decision": "ARTIFICIAL"
          },
          "createdAt": "2026-03-25T21:51:14.806Z",
          "updatedAt": "2026-03-25T21:51:18.932Z",
          "id": "<external_id>-<participant_id>-<scan_id>-<segment_id>"
        }
      ]
    }
  },
  "source": "realitydefender",
  "sourcetype": "_json"
}

View in Reality Defender dashboard:

  • https://app.realitydefender.ai/v2/real-meeting/<external_id>

Replace <external_id> with the real value from the Splunk event.


Notes on RealMeeting metadata

  • metadata.participant_id identifies the meeting participant associated with the result.

  • metadata.scans contains segment-level scan records (for example, individual video segments).

  • A scan segment may be PROCESSING initially and later become FINISHED once the ensemble result is available.

  • When a segment is finished, ensemble may include:

    • score (0.0–1.0)

    • decision (e.g. AUTHENTIC / ARTIFICIAL)
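The following is an added example (not Reality Defender's or Splunk's code) that parses the two event shapes shown above, including the PROCESSING/FINISHED segment split where ensemble is null until a segment finishes. It assumes the field names exactly as documented in this guide; the ids, timestamps and sample envelopes are constructed, and the 0.85 threshold is the one used in the sample searches below.

```python
"""Triage helpers for Reality Defender HEC events (RealScan and RealMeeting).
Added example, not Reality Defender's or Splunk's code; the event shape follows this
guide, and every id/timestamp below is constructed."""

HIGH_CONFIDENCE = 0.85  # threshold used by the guide's "high-confidence" search
DASHBOARD = "https://app.realitydefender.ai/v2"


def summarize(hec_event):
    """Reduce one HEC envelope to the fields an analyst needs for triage."""
    ev = hec_event["event"]
    meta = ev.get("metadata") or {}  # null for RealScan events
    scans = meta.get("scans") or []
    is_meeting = "participant_id" in meta
    # Only FINISHED segments carry an ensemble; PROCESSING ones have ensemble=null,
    # so guard on both before reading score/decision.
    finished = [s for s in scans if s["status"] == "FINISHED" and s.get("ensemble")]
    return {
        "external_id": ev["external_id"],
        "product": "realmeeting" if is_meeting else "realscan",
        "conclusion": ev["conclusion"],
        "high_confidence_artificial": (
            ev["conclusion"] == "ARTIFICIAL" and ev["probability"] > HIGH_CONFIDENCE
        ),
        "participant_id": meta.get("participant_id"),
        "pending_segments": sum(1 for s in scans if s["status"] != "FINISHED"),
        "artificial_segments": [
            s["segmentId"] for s in finished if s["ensemble"]["decision"] == "ARTIFICIAL"
        ],
        "max_segment_score": max((s["ensemble"]["score"] for s in finished), default=None),
        "url": f"{DASHBOARD}/{'real-meeting' if is_meeting else 'media'}/{ev['external_id']}",
    }


def needs_review(summary):
    """True when the result is ARTIFICIAL at either level, or not yet final."""
    return (summary["conclusion"] == "ARTIFICIAL" or bool(summary["artificial_segments"])
            or summary["pending_segments"] > 0)


# Constructed sample envelopes mirroring the guide's two examples.
REALSCAN_EVENT = {"time": "1700000000", "source": "realitydefender", "sourcetype": "_json",
    "event": {"external_id": "rs-0001", "conclusion": "AUTHENTIC", "probability": 0.03, "metadata": None}}
REALMEETING_EVENT = {"time": "1700000000", "source": "realitydefender", "sourcetype": "_json",
    "event": {"external_id": "rm-0001", "conclusion": "ARTIFICIAL", "probability": 0, "metadata": {
        "participant_id": "p-7", "scans": [
            {"sessionId": "rm-0001", "participantId": "p-7", "scanId": "s-1", "segmentId": "seg-2", "status": "PROCESSING", "ensemble": None},
            {"sessionId": "rm-0001", "participantId": "p-7", "scanId": "s-1", "segmentId": "seg-1", "status": "FINISHED", "ensemble": {"score": 0.9759469589115146, "decision": "ARTIFICIAL"}}]}}}
```

Note that in the guide's RealMeeting example the top-level probability is 0 while a finished segment scores 0.976, so triage logic that only looks at event.probability would miss it; summarize() surfaces both levels.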


Sample Splunk searches

All Reality Defender events

source=realitydefender | table time, event.external_id, event.conclusion, event.probability

Artificial detections only

source=realitydefender event.conclusion=ARTIFICIAL | sort -time

High-confidence artificial detections (score > 0.85)

source=realitydefender event.conclusion=ARTIFICIAL event.probability>0.85

RealMeeting results by participant

source=realitydefender event.metadata.participant_id=* | table time, event.external_id, event.metadata.participant_id, event.conclusion

Support

If you have questions or encounter issues:

When reaching out, please include:

  • Your organization name

  • Your Splunk HEC endpoint URL

  • Which Splunk index you expect events to land in (if applicable)
