Splunk Enterprise Security

SIEM Platform Observability

Synopsis

The Splunk Enterprise Security target sends security telemetry to Splunk ES using the HTTP Event Collector (HEC) with security-optimized index configuration and CIM normalization. This target extends standard Splunk HEC configuration with security-specific data models and correlation search integration.

Schema

- name: <string>
  description: <string>
  type: splunksecurity
  properties:
    endpoints:
      - endpoint: <string>
        auth_type: <string>
        token: <string>
        secret: <string>
    index: <string>
    sourcetype: <string>
    source: <string>
    batch_size: <integer>
    timeout: <integer>
    tcp_routing: <boolean>
    use_compression: <boolean>
    insecure_skip_verify: <boolean>
    field_format: <string>
    debug:
      status: <boolean>
      dont_send_logs: <boolean>

Configuration

Base Target Fields

Field	Type	Required	Description
`name`	string	Y	Unique identifier for this target
`description`	string	N	Human-readable description
`type`	string	Y	Must be `splunksecurity`
`pipelines`	array	N	Pipeline names to apply before sending
`status`	boolean	N	Enable (true) or disable (false) this target

Splunk ES Connection

Field	Type	Required	Description
`endpoints`	array	Y	Array of Splunk HEC endpoint configurations
`endpoints[].endpoint`	string	Y	Splunk HEC URL (e.g., `https://splunk.example.com:8088/services/collector`)
`endpoints[].auth_type`	string	N	Authentication type (`token`, `secret`). Default: `token`
`endpoints[].token`	string	Y*	HEC token for authentication
`endpoints[].secret`	string	Y*	Bearer token from environment variable

* token required when auth_type is token, secret required when secret

Event Configuration

Field	Type	Required	Description
`index`	string	N	Default Splunk index (e.g., `main`, `security`, `notable`)
`sourcetype`	string	N	Default sourcetype for events
`source`	string	N	Default source for events

Batch Configuration

Field	Type	Required	Description
`batch_size`	integer	N	Number of events to batch before sending. Default: `10000`
`timeout`	integer	N	Connection timeout in seconds. Default: `30`

Connection Settings

Field	Type	Required	Description
`tcp_routing`	boolean	N	Enable TCP routing header. Default: `false`
`use_compression`	boolean	N	Enable GZIP compression. Default: `true`
`insecure_skip_verify`	boolean	N	Skip TLS certificate verification. Default: `false`

Normalization

Field	Type	Required	Description
`field_format`	string	N	Apply CIM normalization. Recommended: `ASIM` or custom

Debug Options

Field	Type	Required	Description
`debug.status`	boolean	N	Enable debug logging for this target
`debug.dont_send_logs`	boolean	N	Log events without sending to Splunk ES

Details

Security Index Configuration

Recommended Indexes:

main: Default index for general security events
security: Dedicated security events index
notable: Notable events generated by correlation searches
threat_activity: Threat intelligence indicators
audit: Audit trail and compliance events

Index Naming Conventions:

Use descriptive index names matching data categories
Separate indexes for different security zones
Configure index retention based on compliance requirements

Index Permissions

Ensure HEC token has write permissions for configured indexes. Configure index permissions in Splunk Settings � Data � HEC tokens.

CIM Normalization

Common Information Model (CIM):

Splunk's standard for field naming and categorization
Required for Enterprise Security correlation searches
Enables pre-built dashboards and reports
Provides consistent data model across sources

CIM Data Models:

Authentication: Login events, authentication failures
Network Traffic: Firewall logs, network sessions
Endpoint: Process execution, file modifications
Malware: Anti-virus detections, malware events
Intrusion Detection: IDS/IPS alerts
Change Analysis: Configuration changes, account modifications

Field Mapping:

src / dest: Source and destination systems
user / dest_user: User accounts
action: Event action (allowed, blocked, success, failure)
vendor_product: Vendor and product identification

Notable Events Integration

Notable Event Creation:

Correlation searches generate notable events
Notables stored in notable index
Events require CIM-compliant field mapping
Custom correlation searches reference specific sourcetypes

Event Classification:

Configure urgency field for event prioritization
Set security_domain for categorization
Include risk_object for entity risk scoring

Correlation Search Compatibility

Search Requirements:

Events must conform to CIM data models
Sourcetypes must map to CIM categories
Field extractions must match CIM field names
Time field (_time) required for all events

Custom Correlation Searches:

Reference specific sourcetypes in search queries
Use CIM-compliant field names in search logic
Configure search scheduling and trigger conditions

Performance Optimization

Batch Configuration:

Larger batches reduce HEC API calls
Balance batch size against indexing latency
Default batch_size: 10000 suitable for most workloads

Compression:

GZIP compression enabled by default
Reduces network bandwidth significantly
Minimal CPU overhead for compression

Load Balancing:

Configure multiple HEC endpoints for high availability
Events distributed randomly across endpoints
Automatic failover to available endpoints

HEC Token Limits

Splunk HEC has per-token throughput limits. For high-volume deployments, use multiple HEC tokens or increase token limits in Splunk configuration.

Security Best Practices

HEC Token Management:

Create dedicated HEC tokens for DataStream
Use separate tokens for different environments
Rotate tokens periodically
Disable unused tokens

TLS Configuration:

Always enable TLS for production deployments
Verify server certificates (insecure_skip_verify: false)
Use certificate pinning for enhanced security

Index Security:

Configure role-based access control for indexes
Separate indexes for different security zones
Enable audit logging for index access

Examples

Basic Security Events

Sending security events to Splunk Enterprise Security...

targets:
  - name: splunk-security
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      sourcetype: datastream:security

With CIM Normalization

Applying custom normalization for CIM compliance...

targets:
  - name: splunk-es-normalized
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      sourcetype: datastream:security:cim
      field_format: ASIM

Notable Events

Sending events to notable index for correlation search integration...

targets:
  - name: splunk-notables
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: notable
      sourcetype: datastream:notable
      source: DataStream

High-Availability Configuration

Multiple Splunk HEC endpoints for high availability...

targets:
  - name: splunk-es-ha
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk-hec1.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
        - endpoint: https://splunk-hec2.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
        - endpoint: https://splunk-hec3.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      batch_size: 10000
      use_compression: true

Threat Intelligence

Forwarding threat intelligence indicators to Splunk ES...

targets:
  - name: splunk-threat-intel
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: threat_activity
      sourcetype: datastream:threatintel
      source: threat-feeds

Authentication Events

Sending authentication events with CIM-compliant sourcetype...

targets:
  - name: splunk-authentication
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      sourcetype: datastream:auth
      batch_size: 5000

Production Configuration

Production-ready Splunk ES configuration with HA, compression, and security settings...

targets:
  - name: splunk-es-production
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk-hec1.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
        - endpoint: https://splunk-hec2.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      sourcetype: datastream:security:production
      source: datastream-director
      batch_size: 10000
      timeout: 30
      use_compression: true
      insecure_skip_verify: false
      field_format: ASIM

Synopsis​

Schema​

Configuration​

Base Target Fields​

Splunk ES Connection​

Event Configuration​

Batch Configuration​

Connection Settings​

Normalization​

Debug Options​

Details​

Security Index Configuration​

CIM Normalization​

Notable Events Integration​

Correlation Search Compatibility​

Performance Optimization​

Security Best Practices​

Examples​

Basic Security Events​

With CIM Normalization​

Notable Events​

High-Availability Configuration​

Threat Intelligence​

Authentication Events​

Production Configuration​