
Splunk Enterprise Security

SIEM Platform Observability

Synopsis

The Splunk Enterprise Security target sends security telemetry to Splunk ES using the HTTP Event Collector (HEC) with security-optimized index configuration and CIM normalization. This target extends standard Splunk HEC configuration with security-specific data models and correlation search integration.

Schema

- name: <string>
  description: <string>
  type: splunksecurity
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    endpoints:
      - endpoint: <string>
        auth_type: <string>
        token: <string>
        secret: <string>
    index: <string>
    source_type: <string>
    source: <string>
    batch_size: <integer>
    timeout: <integer>
    tcp_routing: <boolean>
    use_compression: <boolean>
    insecure_skip_verify: <boolean>
    field_format: <string>
    debug:
      status: <boolean>
      dont_send_logs: <boolean>

Configuration

Base Target Fields

Field | Type | Required | Description
name | string | Y | Unique identifier for this target
description | string | N | Human-readable description
type | string | Y | Must be splunksecurity
pipelines | array | N | Pipeline names to apply before sending
status | boolean | N | Enable (true) or disable (false) this target

Splunk ES Connection

Field | Type | Required | Description
endpoints | array | Y | Array of Splunk HEC endpoint configurations
endpoints[].endpoint | string | Y | Splunk HEC URL (e.g., https://splunk.example.com:8088/services/collector)
endpoints[].auth_type | string | N | Authentication type (token, secret). Default: token
endpoints[].token | string | Y* | HEC token for authentication
endpoints[].secret | string | Y* | Bearer token from environment variable

* token is required when auth_type is token; secret is required when auth_type is secret

Event Configuration

Field | Type | Required | Description
index | string | N | Default Splunk index (e.g., main, security, notable)
source_type | string | N | Default sourcetype for events
source | string | N | Default source for events

Batch Configuration

Field | Type | Required | Description
batch_size | integer | N | Number of events to batch before sending. Default: 10000
timeout | integer | N | Connection timeout in seconds. Default: 30

Connection Settings

Field | Type | Required | Description
tcp_routing | boolean | N | Enable TCP routing header. Default: false
use_compression | boolean | N | Enable GZIP compression. Default: true
insecure_skip_verify | boolean | N | Skip TLS certificate verification. Default: false

Normalization

Field | Type | Required | Description
field_format | string | N | Data normalization format. See the applicable Normalization section

Scheduling

See Scheduling and Pool Behavior for interval and cron fields shared by all targets.

Debug Options

Field | Type | Required | Description
debug.status | boolean | N | Enable debug logging for this target
debug.dont_send_logs | boolean | N | Log events without sending them to Splunk ES

Details

HEC Modes: JSON and RAW

The target supports both JSON and RAW HEC ingestion modes, determined by the endpoint URL path. An endpoint URL ending in /services/collector/event (or the default /services/collector) uses JSON mode. An endpoint URL ending in /services/collector/raw uses RAW mode, sending events as plain text with metadata passed as query parameters.

Endpoint URLs can include a query parameter to define a named stream. For example, https://splunk.example.com:8088/services/collector/raw?firewall creates a stream named firewall using RAW mode. Named streams allow routing different event types through separate HEC paths within a single target configuration.
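The following is an added example, not DataStream's own code, showing how the mode and stream-name rules above play out when a request is built: the endpoint path selects JSON or RAW mode, a bare query string names the stream, and in RAW mode the index, sourcetype and source travel as query parameters instead of inside the event body. The default index, sourcetype and source values, the sample events, and the helper names are all constructed for this example.

```python
"""Added example (not DataStream's code): resolve HEC mode and stream name
from an endpoint URL, then build the JSON-mode or RAW-mode request body."""
import gzip
import json
from urllib.parse import urlencode, urlsplit

# Assumed defaults for this example; they are not the target's built-in values.
DEFAULT_INDEX = "security"
DEFAULT_SOURCETYPE = "datastream:security"
DEFAULT_SOURCE = "DataStream"


def resolve_endpoint(url):
    """Return (mode, stream_name, base_url) for a HEC endpoint URL.

    /services/collector and /services/collector/event select JSON mode,
    /services/collector/raw selects RAW mode. A bare query string such as
    ?firewall names the stream; no query string means the default stream.
    """
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    if path.endswith("/services/collector/raw"):
        mode = "raw"
    elif path.endswith("/services/collector/event") or path.endswith("/services/collector"):
        mode = "json"
    else:
        raise ValueError(f"not a HEC collector path: {parts.path}")
    stream = parts.query or "default"
    return mode, stream, f"{parts.scheme}://{parts.netloc}{path}"


def build_request(url, events, token, index=DEFAULT_INDEX,
                  sourcetype=DEFAULT_SOURCETYPE, source=DEFAULT_SOURCE,
                  use_compression=True):
    """Build (request_url, headers, body) for one batch of events.

    JSON mode: one JSON object per event with metadata embedded; HEC accepts
    back-to-back JSON objects in a single request body.
    RAW mode: newline-separated plain text; metadata goes into the query string.
    """
    mode, _stream, base_url = resolve_endpoint(url)
    headers = {"Authorization": f"Splunk {token}"}  # HEC token auth header
    if mode == "json":
        body = "".join(
            json.dumps({"event": ev, "index": index, "sourcetype": sourcetype,
                        "source": source})
            for ev in events
        ).encode()
        request_url = base_url
        headers["Content-Type"] = "application/json"
    else:
        body = "\n".join(
            ev if isinstance(ev, str) else json.dumps(ev) for ev in events
        ).encode()
        request_url = base_url + "?" + urlencode(
            {"index": index, "sourcetype": sourcetype, "source": source})
        headers["Content-Type"] = "text/plain"
    if use_compression:  # mirrors use_compression: true in the target config
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    return request_url, headers, body


def decode_body(headers, body):
    """Undo the optional gzip step so a caller can inspect what would be sent."""
    if headers.get("Content-Encoding") == "gzip":
        body = gzip.decompress(body)
    return body.decode()


if __name__ == "__main__":
    # Constructed sample events; nothing is sent anywhere.
    json_url = "https://splunk.example.com:8088/services/collector"
    raw_url = "https://splunk.example.com:8088/services/collector/raw?firewall"
    for url, events in ((json_url, [{"msg": "login ok", "user": "alice"}]),
                        (raw_url, ["deny 10.0.0.5 -> 203.0.113.9"])):
        u, h, b = build_request(url, events, "PLACEHOLDER_TOKEN")
        print(resolve_endpoint(url), u, sep="\n")
        print(decode_body(h, b))
```

Note that the mode check is done per endpoint, so a single target with several endpoints can mix a JSON endpoint with a RAW `?firewall` stream, which is exactly the routing the named-stream paragraph describes.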

Security Index Configuration

Recommended Indexes:

  • main: Default index for general security events
  • security: Dedicated security events index
  • notable: Notable events generated by correlation searches
  • threat_activity: Threat intelligence indicators
  • audit: Audit trail and compliance events

Index Naming Conventions:

  • Use descriptive index names matching data categories
  • Separate indexes for different security zones
  • Configure index retention based on compliance requirements

Index Permissions

Ensure the HEC token has write permissions for the configured indexes. Configure index permissions in Splunk Settings > Data > HEC tokens.

CIM Normalization

Common Information Model (CIM):

  • Splunk's standard for field naming and categorization
  • Required for Enterprise Security correlation searches
  • Enables pre-built dashboards and reports
  • Provides consistent data model across sources

CIM Data Models:

  • Authentication: Login events, authentication failures
  • Network Traffic: Firewall logs, network sessions
  • Endpoint: Process execution, file modifications
  • Malware: Anti-virus detections, malware events
  • Intrusion Detection: IDS/IPS alerts
  • Change Analysis: Configuration changes, account modifications

Field Mapping:

  • src / dest: Source and destination systems
  • user / dest_user: User accounts
  • action: Event action (allowed, blocked, success, failure)
  • vendor_product: Vendor and product identification
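The field mapping list above is the part of CIM a pipeline author actually has to produce. As an added example (not DataStream's code, and not a complete CIM definition), the block below renames a constructed vendor event into the CIM fields named on this page, folds vendor action vocabularies into the four action values listed, and reports which fields a data model's correlation search would still find missing. The alias table, the action vocabulary and the per-model field lists are assumptions chosen for the example.

```python
"""Added example (not DataStream's code): map vendor field names onto the
CIM fields listed on the page and check a data model's expected fields."""

# Vendor-specific field name -> CIM field name (assumed mapping for the example)
FIELD_ALIASES = {
    "src_ip": "src", "source_address": "src", "srcip": "src",
    "dst_ip": "dest", "destination_address": "dest", "dstip": "dest",
    "username": "user", "account": "user",
    "target_user": "dest_user",
    "act": "action", "result": "action", "verdict": "action",
}

# Vendor action words folded into the CIM action values named on the page
ACTION_VALUES = {
    "allow": "allowed", "accept": "allowed", "permit": "allowed", "allowed": "allowed",
    "deny": "blocked", "drop": "blocked", "reject": "blocked", "blocked": "blocked",
    "ok": "success", "success": "success", "logon": "success",
    "fail": "failure", "failed": "failure", "failure": "failure",
}

# Fields a correlation search on each data model would expect; an assumed
# subset built from the field mapping above, not the full CIM model.
MODEL_FIELDS = {
    "Network Traffic": ("src", "dest", "action", "vendor_product"),
    "Authentication": ("src", "dest", "user", "action", "vendor_product"),
}


def normalize_cim(event, vendor_product):
    """Return a copy of event with CIM field names and normalized action values.

    Unknown fields are passed through unchanged so no telemetry is lost;
    vendor_product is always set because ES dashboards key on it.
    """
    out = {}
    for key, value in event.items():
        cim_key = FIELD_ALIASES.get(key, key)
        if cim_key == "action" and isinstance(value, str):
            value = ACTION_VALUES.get(value.lower(), value.lower())
        out[cim_key] = value
    out["vendor_product"] = vendor_product
    return out


def missing_cim_fields(normalized, model):
    """List the model's expected fields that the normalized event lacks."""
    return [f for f in MODEL_FIELDS[model] if f not in normalized]


if __name__ == "__main__":
    # Constructed sample events in two vendors' native field names.
    firewall = {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "act": "DENY", "bytes": 512}
    logon = {"username": "alice", "source_address": "10.0.0.5", "result": "Failed"}
    for raw, model, product in ((firewall, "Network Traffic", "Acme Firewall"),
                                (logon, "Authentication", "Acme IdP")):
        cim = normalize_cim(raw, product)
        print(model, cim, "missing:", missing_cim_fields(cim, model))
```

Running it on the constructed events shows the firewall record satisfying the Network Traffic fields while the logon record still lacks dest, which is the kind of gap that silently drops events out of an ES correlation search until the source or the pipeline supplies it.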

Examples

Basic Security Events

Sending security events to Splunk Enterprise Security...

targets:
  - name: splunk-security
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      source_type: datastream:security

With CIM Normalization

Applying custom normalization for CIM compliance...

targets:
  - name: splunk-es-normalized
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      source_type: datastream:security:cim
      field_format: "cim"

Notable Events

Sending events to notable index for correlation search integration...

targets:
  - name: splunk-notables
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: notable
      source_type: datastream:notable
      source: DataStream

High-Availability Configuration

Multiple Splunk HEC endpoints for high availability...

targets:
  - name: splunk-es-ha
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk-hec1.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
        - endpoint: https://splunk-hec2.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
        - endpoint: https://splunk-hec3.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      batch_size: 10000
      use_compression: true

Threat Intelligence

Forwarding threat intelligence indicators to Splunk ES...

targets:
  - name: splunk-threat-intel
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: threat_activity
      source_type: datastream:threatintel
      source: threat-feeds

Authentication Events

Sending authentication events with CIM-compliant sourcetype...

targets:
  - name: splunk-authentication
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      source_type: datastream:auth
      batch_size: 5000

Production Configuration

Production-ready Splunk ES configuration with HA, compression, and security settings...

targets:
  - name: splunk-es-production
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk-hec1.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
        - endpoint: https://splunk-hec2.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      source_type: datastream:security:production
      source: datastream-director
      batch_size: 10000
      timeout: 30
      use_compression: true
      insecure_skip_verify: false
      field_format: "cim"