Splunk HEC Connector Configuration

Share XDR data with Splunk Cloud by configuring the Splunk HEC connector.

Important:

This is a “Pre-release” feature and is not considered an official release. Please review the Pre-Release Disclaimer before using the feature.

The Splunk HEC connector utilizes the HTTP Event Collector to send XDR data to Splunk Cloud. The connector supports connections to multiple Splunk Cloud instances.

  1. Go to Workflow and Automation > Third-Party Integration.
  2. Click Splunk HEC Connector (SaaS/Cloud).
  3. Click the toggle to enable or disable the integration.
  4. Configure Data Scope by selecting the data to share:
    • Workbench alerts
    • Observed Attack Techniques
      • Risk Level

  5. Configure the connection between Trend Vision One and your Splunk HEC server.
    1. Click Connect Splunk HEC Server.
    2. Configure the connection settings in the Splunk HEC Server Connection panel.

      The Splunk HEC Server Connection panel has the following settings:

      Firewall exceptions: To ensure that Trend Vision One can reach your Splunk HEC server, configure the appropriate "Allow" rules in your firewall.

      Server address: IP address or FQDN of your Splunk HEC server.

      Format: Data format.

      Note: Splunk HEC Connector (SaaS/Cloud) currently only supports JSON.

      Protocol: Connection protocol.

      Port: Default port settings are SSL/TLS: 6514, TCP: 601, UDP: 514.

      HEC Token: The Splunk HTTP Event Collector token.

      Use CA certificate: Upload the CA certificate used to verify your Splunk HEC server's certificate.

      Server requires client authentication: Upload the client certificate that your Splunk HEC server requires for client (mutual TLS) authentication.

    3. (Optional) Click Test Connection to verify that the settings are valid.
    4. Click Connect.
  6. Repeat the previous step to add connections to additional Splunk Cloud instances.
  7. Click Save.
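Before enabling the connector it is worth confirming, from a host covered by the firewall exceptions, that the HEC token and endpoint accept a JSON event the way the connector will send it. The following Python example is added here and is not Trend Micro's or Splunk's code: it runs an in-process stub that mimics the behaviour of Splunk's HTTP Event Collector (the "Authorization: Splunk <token>" header, a JSON body, and the documented success and invalid-token responses), then posts a constructed Workbench-alert-like payload with a valid and an invalid token. The token, port, sourcetype and alert fields are made up for the demonstration; point send_hec_event at your real HEC URL and token to run the same check against Splunk Cloud.

```python
"""Walk-through of the HTTP Event Collector exchange the connector relies on.

Added example, not Trend Micro's or Splunk's own code. FakeHEC is a constructed
stand-in for Splunk HEC so the check runs offline; the responses it sends match
what Splunk HEC documents for success (code 0) and an invalid token (code 4).
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed token; a real deployment uses the token generated in Splunk Cloud.
VALID_TOKEN = "00000000-0000-0000-0000-000000000000"


class FakeHEC(BaseHTTPRequestHandler):
    """Minimal stand-in for Splunk's /services/collector/event endpoint."""

    received = []  # events the stub accepted, inspected by the caller

    def do_POST(self):
        auth = self.headers.get("Authorization", "")
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if auth != f"Splunk {VALID_TOKEN}":
            # Real HEC answers 403 with {"text": "Invalid token", "code": 4}
            return self._reply(403, {"text": "Invalid token", "code": 4})
        try:
            event = json.loads(raw)
        except ValueError:
            # Real HEC answers 400 with {"text": "Invalid data format", "code": 6}
            return self._reply(400, {"text": "Invalid data format", "code": 6})
        FakeHEC.received.append(event)
        self._reply(200, {"text": "Success", "code": 0})

    def _reply(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def send_hec_event(base_url, token, event, sourcetype="trend:visionone", ssl_context=None):
    """POST one event to HEC the way the connector does; returns (status, parsed body).

    For a real Splunk Cloud endpoint pass ssl_context=ssl.create_default_context(
    cafile=<CA certificate>) and, if the server requires client authentication,
    call ssl_context.load_cert_chain(<client cert>, <client key>) first. These
    correspond to the "Use CA certificate" and "Server requires client
    authentication" settings in the connector.
    """
    body = json.dumps({"sourcetype": sourcetype, "event": event}).encode()
    req = urllib.request.Request(
        base_url + "/services/collector/event",
        data=body,
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=5, context=ssl_context) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # HEC returns a JSON body on 4xx too; surface it rather than raising.
        return err.code, json.loads(err.read())


def start_stub():
    """Start the fake collector on a free loopback port (plain HTTP for the demo)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeHEC)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Send a constructed alert with a good and a bad token; return both results."""
    FakeHEC.received.clear()
    srv, url = start_stub()
    try:
        alert = {"alertId": "WB-0001", "severity": "high",
                 "model": "Possible Credential Dumping"}  # constructed payload
        ok = send_hec_event(url, VALID_TOKEN, alert)
        bad = send_hec_event(url, "not-the-token", alert)
        return ok, bad, list(FakeHEC.received)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    good, rejected, accepted = demo()
    print("valid token  :", good)      # (200, {'text': 'Success', 'code': 0})
    print("invalid token:", rejected)  # (403, {'text': 'Invalid token', 'code': 4})
    print("stored events:", accepted)
```

A 403 with code 4 from the real endpoint means the token is wrong or disabled; a TLS handshake failure rather than an HTTP response points at the CA or client-certificate settings, and a timeout points at the firewall exceptions.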