Hi Gentlemen,
I'm working for an API security company; we provide vulnerability detection and real-time detection and prevention.
We are now working on integrating our platform with Splunk, and some questions popped up as part of the process:
Additionally, I would like to understand whether we need to send data differently if the type of data is different. For example, let's assume I'm sending both vulnerabilities and anomalies: should I send both of them to the same place, or is there a different location for each one of them?
Thanks in advance,
Jonathan.
Hi @JonaM,
There's a common answer to your questions: it all depends on your requirements, because with Splunk you can do almost everything. I'll try to answer your questions anyway:
Obviously always the latest version (9.0.1 for Splunk Enterprise); about products, they depend on your scope:
Integration, in a few words, is ingesting your logs in Splunk Enterprise and using them in the above apps.
Then you can integrate the Splunk infrastructure with your infrastructure, e.g. for authentication (integration with LDAP/AD), alert management (with Phantom), case opening (with your trouble-ticketing platform), etc.
2. How should we send the data to Splunk? We thought about syslog; is there any other recommended way?
Splunk has many solutions for data ingestion; syslog is one of them, and not the most efficient:
For more info see https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/WhatSplunkcanmonitor
3. What kind of data is it most recommended that we send to Splunk?
All text data and more (from CSV files to DB tables); it depends on what you want to monitor.
4. Can we create rules and actions through the integration with Splunk? (e.g. WAF rule)
You can create all the rules you need (correlation searches) using the ingested data.
5. What is the best practice to make the integration and test it? Should we set up a Splunk environment? If so, which one, and does Splunk have any support for this process?
The best practice is to find a system integrator you trust and define the requirements for your project with them; then you can build it together.
Additionally, I would like to understand whether we need to send data differently if the type of data is different. For example, let's assume I'm sending both vulnerabilities and anomalies: should I send both of them to the same place, or is there a different location for each one of them?
All the data are ingested and indexed in Splunk Enterprise in ways that depend on access rights and retention; then all these data can be used to answer your requirements.
Ciao.
Giuseppe
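As an added illustration of the "same place or different locations" question (example code, not from this thread, from Splunk, or from the API security platform discussed): the script below routes the two data classes Jonathan mentions, vulnerabilities and anomalies, into separate Splunk indexes with their own sourcetypes, so retention and access rights can differ per class while the events still land in the same Splunk Enterprise instance. It assumes Splunk's HTTP Event Collector (HEC), a real Splunk ingestion endpoint that the answer above does not name (it only notes that syslog is not the most efficient option). The host, token, index names, sourcetypes and sample findings are all placeholders or constructed values.

```python
"""Route API-security findings to Splunk by event class.

Added example, not code from this thread. It assumes Splunk's HTTP Event
Collector (HEC), a real Splunk ingestion endpoint that the thread does not
name. Host, token, index names and sourcetypes below are placeholders.
"""
import json
import time
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumed routing table. Giving vulnerabilities and anomalies separate
# indexes lets retention and access rights differ per data class, while a
# distinct sourcetype tells Splunk how to parse and tag each event.
ROUTING: Dict[str, Dict[str, str]] = {
    "vulnerability": {"index": "apisec_vulns", "sourcetype": "apisec:vulnerability"},
    "anomaly": {"index": "apisec_anomalies", "sourcetype": "apisec:anomaly"},
}


def build_hec_event(record: Dict, kind: str, now: Optional[float] = None) -> Dict:
    """Wrap one finding in the HEC JSON envelope, picking index/sourcetype by kind."""
    if kind not in ROUTING:
        raise ValueError(f"unknown event kind: {kind!r}")
    route = ROUTING[kind]
    body = {k: v for k, v in record.items() if k != "timestamp"}
    body["kind"] = kind
    return {
        "time": record.get("timestamp", now if now is not None else time.time()),
        "host": record.get("host", "api-gateway-01"),  # placeholder host
        "source": "apisec-platform",                   # placeholder source
        "sourcetype": route["sourcetype"],
        "index": route["index"],
        "event": body,
    }


def encode_batch(events: Iterable[Dict]) -> bytes:
    """HEC accepts several JSON objects concatenated in one request body."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events).encode("utf-8")


def http_post(url: str, token: str, body: bytes) -> int:
    """Real transport: POST to the collector endpoint with the HEC token header."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def send_findings(records: Iterable[Tuple[str, Dict]], hec_url: str, token: str,
                  post: Callable[[str, str, bytes], int] = http_post) -> Dict[str, int]:
    """Group findings by class, post one batch per class, return counts per class."""
    batches: Dict[str, List[Dict]] = {}
    for kind, rec in records:
        batches.setdefault(kind, []).append(build_hec_event(rec, kind))
    for kind, events in batches.items():
        status = post(hec_url, token, encode_batch(events))
        if status != 200:
            raise RuntimeError(f"HEC rejected {kind} batch with HTTP {status}")
    return {kind: len(events) for kind, events in batches.items()}


# Constructed sample findings (not real data), one of each class from the question.
SAMPLE_FINDINGS = [
    ("vulnerability", {"timestamp": 1700000000, "finding_id": "V-0001",
                       "endpoint": "/api/v1/users/{id}", "issue": "BOLA", "severity": "high"}),
    ("anomaly", {"timestamp": 1700000030, "finding_id": "A-0042",
                 "endpoint": "/api/v1/login", "client_ip": "203.0.113.7",
                 "detail": "request rate 40x baseline"}),
]


def main() -> None:
    # Offline demo: a fake transport that records bodies instead of sending them.
    sent: List[bytes] = []

    def fake_post(url: str, token: str, body: bytes) -> int:
        sent.append(body)
        return 200

    counts = send_findings(SAMPLE_FINDINGS,
                           "https://splunk.example:8088/services/collector/event",
                           "PLACEHOLDER-HEC-TOKEN", post=fake_post)
    print(counts)
    for body in sent:
        print(body.decode("utf-8"))


if __name__ == "__main__":
    main()
```

The transport is injected so the script runs offline; swapping `fake_post` for the real `http_post` sends the same batches to a live collector. Keeping one index per data class is what makes the "different location" choice cheap to change later: the routing table is the only place it lives, and both classes still end up in the single Splunk Enterprise deployment Giuseppe describes.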