Configure the connector to enable sharing Trend Vision One XDR data with Splunk Cloud.

The Splunk HEC connector utilizes the HTTP Event Collector to send XDR data to Splunk Cloud. The connector supports connections to multiple Splunk Cloud instances.

Procedure

  1. Go to Workflow and Automation > Third-Party Integration.
  2. Click Splunk HEC Connector (SaaS/Cloud).
  3. Click + Connect Splunk HEC Server.
    The Splunk HEC Server Connection window appears.
  4. Configure the connection settings in the Splunk HEC Server Connection panel.
     Firewall exceptions: To make sure that Trend Vision One can communicate with your Splunk HEC server, add any FQDN/IP addresses displayed in the Splunk HEC Server Connection window to your firewall exceptions.
     Server address: Specify the IP address or FQDN for your Splunk HEC server.
     Format: Specify a format for the transferred data.
       Note: Splunk HEC Connector (SaaS/Cloud) only supports JSON format.
     Protocol: Select a connection protocol from the list.
     Port: Select a port for the connection. Default port settings:
       • HTTP: 8088
       • HTTPS: 8088
     HEC token: Specify the Splunk HTTP Event Collector token.
     Use CA certificate: To use a CA certificate to connect to your Splunk HEC server, select Use CA certificate.
     Server requires client authentication: To require a client authentication certificate, select Server requires client authentication.
  5. Configure the scope of data to send to Splunk Cloud by selecting from the following:
  6. Click Test Connection to verify that the settings are valid.
  7. Click Connect.
    The Splunk HEC server appears on the Splunk HEC Connector (SaaS/Cloud) screen.
  8. Repeat the previous steps to add multiple Splunk HEC servers, each with its own data source configuration.
  9. Use the edit or delete icons to modify or remove a server from the Splunk HEC Connector (SaaS/Cloud) screen.
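The procedure above is driven entirely from the Trend Vision One console, so it helps to see what the connector's Test Connection step exercises at the protocol level: the HEC port (8088 by default for both HTTP and HTTPS), the `Authorization: Splunk <token>` header, the JSON event body, and the two TLS checkboxes (verify the server against a CA certificate; present a client certificate when the server requires client authentication). The following preflight script is an added example written for this page; it is not Trend Micro's or Splunk's code. It assumes Splunk's documented HEC endpoints `/services/collector/event` and `/services/collector/health`; the hostname, token and event content are constructed placeholders.

```python
"""Preflight check for a Splunk HEC endpoint, mirroring what the connector's
Test Connection step exercises: reachability of the HEC port, token
acceptance, and (optionally) TLS validation against a CA plus a client
certificate. Added example, not Trend Micro or Splunk code."""
import json
import ssl
import urllib.error
import urllib.request

# Splunk HEC listens on 8088 by default for both HTTP and HTTPS (page default).
DEFAULT_HEC_PORT = 8088


def hec_url(server, port=DEFAULT_HEC_PORT, use_https=True, path="/services/collector/event"):
    """Return the HEC endpoint URL. /services/collector/event accepts JSON events;
    /services/collector/health answers without a token and reports HEC status."""
    scheme = "https" if use_https else "http"
    return f"{scheme}://{server}:{port}{path}"


def build_event_request(server, token, event, port=DEFAULT_HEC_PORT, use_https=True,
                        source="trend_vision_one_xdr"):
    """Build the POST a HEC client sends: JSON body, 'Splunk <token>' authorization."""
    payload = {"event": event, "sourcetype": "_json", "source": source}
    req = urllib.request.Request(
        hec_url(server, port, use_https),
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
    )
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


def build_tls_context(ca_file=None, client_cert=None, client_key=None):
    """TLS settings matching the page's two checkboxes:
    - 'Use CA certificate': verify the server against ca_file (default: system CAs)
    - 'Server requires client authentication': present client_cert/client_key
    Chain and hostname verification stay enabled; the HEC token travels in the
    Authorization header, so a connection that skips verification leaks it."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def classify_hec_response(status, body):
    """Map a HEC reply to a short verdict. HEC JSON replies carry a 'code'
    field (0 = Success); HTTP 401/403 indicate the token was not accepted."""
    if status == 200 and body.get("code") == 0:
        return "ok"
    if status in (401, 403):
        return "token-rejected"
    return f"error:{status}:{body.get('text', '')}"


def send_event(req, ctx=None, timeout=10):
    """Send the prepared request and return the verdict from classify_hec_response."""
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return classify_hec_response(resp.status, json.loads(resp.read() or b"{}"))
    except urllib.error.HTTPError as exc:
        try:
            body = json.loads(exc.read() or b"{}")
        except ValueError:
            body = {}
        return classify_hec_response(exc.code, body)


if __name__ == "__main__":
    # Constructed sample values; replace with your own server and HEC token.
    sample_event = {"eventName": "sample_detection", "severity": "medium"}  # constructed
    req = build_event_request("splunk-hec.example.com",
                              "00000000-0000-0000-0000-000000000000", sample_event)
    ctx = build_tls_context()  # pass ca_file= / client_cert= to mirror the checkboxes
    print(req.full_url, req.get_header("Authorization"))
    print(send_event(req, ctx))
```

Run it from a host inside the same firewall exception set you configured in step 4; a `token-rejected` verdict means the port is reachable but the HEC token is wrong or disabled, while a TLS error means the CA certificate selected in the connector does not match the chain the HEC listener presents. Because HTTP and HTTPS share port 8088, selecting HTTP sends the HEC token in cleartext on every request, so HTTPS with CA verification is the setting to choose.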