Share XDR data with Splunk Cloud by configuring the Splunk HEC connector.

The Splunk HEC connector uses the Splunk HTTP Event Collector (HEC) to send XDR data to Splunk Cloud. The connector supports connections to multiple Splunk Cloud instances.

Procedure

  1. Go to Workflow and Automation > Third-Party Integration.
  2. Click Splunk HEC Connector (SaaS/Cloud).
  3. Click the toggle to enable or disable the integration.
  4. Configure the scope of data you want to send to Splunk Cloud.
    Note
    Sending activity data requires Trend Vision One credits. Configure the data allowance for transferring activity data and manage credit allocation in the Credit Usage app.
  5. Configure the connection between Trend Vision One and your Splunk HEC server.
    1. Click Connect Splunk HEC Server.
    2. Configure the connection settings in the Splunk HEC Server Connection panel.
      Firewall exceptions
        To ensure that Trend Vision One can properly communicate with your Splunk HEC server, configure the appropriate "Allow" rules in your firewall.
      Server address
        IP address or FQDN of your Splunk HEC server
      Format
        Data format
        Note
        Splunk HEC Connector (SaaS/Cloud) currently only supports JSON.
      Protocol
        Connection protocol (HTTP or HTTPS)
      Port
        Default port settings:
        • HTTP: 8088
        • HTTPS: 8088
      HEC Token
        Splunk HTTP Event Collector token
      Use CA certificate
        Uploads the CA certificate used to verify the connection to your Splunk HEC server
      Server requires client authentication
        Uploads the client authentication certificate presented to your Splunk HEC server
    3. (Optional) Click Test Connection to verify that the settings are valid.
    4. Click Connect.
  6. Repeat the previous step to add multiple connection configurations for this integration.
  7. Click Save.