Configure the connector to enable sharing Trend Vision One XDR data with Splunk Cloud.
The Splunk HEC connector utilizes the HTTP Event Collector to send XDR data to Splunk
Cloud. The connector supports connections to multiple Splunk Cloud instances.
Procedure
- Go to .
- Click Splunk HEC Connector (SaaS/Cloud).
- Click + Connect Splunk HEC Server.The Splunk HEC Server Connection window appears.
- Configure the connection settings in the Splunk HEC Server Connection panel.SettingDescriptionFirewall exceptionsTo make sure that Trend Vision One can communicate with your Splunk HEC server, add any FQDN/IP addresses displayed in the Splunk HEC Server Connection window to your firewall exceptions.Server addressSpecify the IP address or FQDN for your Splunk HEC server.FormatSpecify a format for the transferred data.
Note
Splunk HEC Connector (SaaS/Cloud) only supports JSON format.ProtocolSelect a connection protocol from the list.PortSelect a port for the connection.Default port settings:-
HTTP: 8088
-
HTTPS: 8088
HEC tokenSpecify the Splunk HTTP Event Collector token.Use CA certificateTo use a CA certificate to connect to your Splunk HEC server, you can select Use CA certificate.Server requires client authenticationTo require a client authentication certificate, you can select Server requires client authentication. -
- Configure the scope of data to send to Splunk Cloud by selecting from the following:
-
Workbench alerts
-
Events
-
Observed Attack Techniques (requires specifying event severity)
-
All detections
-
-
Container vulnerabilities
-
Activity data (requires specifying scope)
Note
Sending activity data requires Trend Vision One credits. Configure the data allowance for transferring activity data and manage credit allocation in the Credits & Billing app.
-
- Click Test Connection to verify if the settings are valid.
- Click Connect.The Splunk HEC server appears on the Splunk HEC Connector (SaaS/Cloud) screen.
- You can repeat the previous steps to add multiple Splunk HEC servers with their own data source configurations.
- You can use the or icons to modify or delete a server from the Splunk HEC Connector (SaaS/Cloud) screen.