
Splunk Enterprise Security

SIEM Platform Observability

Synopsis

The Splunk Enterprise Security target sends security telemetry to Splunk ES using the HTTP Event Collector (HEC) with security-optimized index configuration and CIM normalization. This target extends standard Splunk HEC configuration with security-specific data models and correlation search integration.

Schema

- name: <string>
  description: <string>
  type: splunksecurity
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    endpoints:
      - endpoint: <string>
        auth_type: <string>
        token: <string>
        secret: <string>
    index: <string>
    source_type: <string>
    source: <string>
    batch_size: <integer>
    timeout: <integer>
    tcp_routing: <boolean>
    use_compression: <boolean>
    insecure_skip_verify: <boolean>
    field_format: <string>
    interval: <string|numeric>
    cron: <string>
    debug:
      status: <boolean>
      dont_send_logs: <boolean>

Configuration

Base Target Fields

Field | Type | Required | Description
name | string | Y | Unique identifier for this target
description | string | N | Human-readable description
type | string | Y | Must be splunksecurity
pipelines | array | N | Pipeline names to apply before sending
status | boolean | N | Enable (true) or disable (false) this target

Splunk ES Connection

Field | Type | Required | Description
endpoints | array | Y | Array of Splunk HEC endpoint configurations
endpoints[].endpoint | string | Y | Splunk HEC URL (e.g., https://splunk.example.com:8088/services/collector)
endpoints[].auth_type | string | N | Authentication type (token, secret). Default: token
endpoints[].token | string | Y* | HEC token for authentication
endpoints[].secret | string | Y* | Bearer token from environment variable

* token is required when auth_type is token; secret is required when auth_type is secret.

Event Configuration

Field | Type | Required | Description
index | string | N | Default Splunk index (e.g., main, security, notable)
source_type | string | N | Default sourcetype for events
source | string | N | Default source for events

Batch Configuration

Field | Type | Required | Description
batch_size | integer | N | Number of events to batch before sending. Default: 10000
timeout | integer | N | Connection timeout in seconds. Default: 30

Connection Settings

Field | Type | Required | Description
tcp_routing | boolean | N | Enable TCP routing header. Default: false
use_compression | boolean | N | Enable GZIP compression. Default: true
insecure_skip_verify | boolean | N | Skip TLS certificate verification. Default: false

Normalization

Field | Type | Required | Description
field_format | string | N | Data normalization format. See the applicable Normalization section

Scheduler

Field | Type | Required | Description
interval | string/numeric | N | Execution frequency. See Interval for details
cron | string | N | Cron expression for scheduled execution. See Cron for details

Debug Options

Field | Type | Required | Description
debug.status | boolean | N | Enable debug logging for this target
debug.dont_send_logs | boolean | N | Log events without sending to Splunk ES

Details

HEC Modes: JSON and RAW

The target supports both JSON and RAW HEC ingestion modes, determined by the endpoint URL path. An endpoint URL ending in /services/collector/event (or the default /services/collector) uses JSON mode. An endpoint URL ending in /services/collector/raw uses RAW mode, sending events as plain text with metadata passed as query parameters.

Endpoint URLs can include a query parameter to define a named stream. For example, https://splunk.example.com:8088/services/collector/raw?firewall creates a stream named firewall using RAW mode. Named streams allow routing different event types through separate HEC paths within a single target configuration.
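The endpoint rules above, worked through in code. This is an added illustration, not the target's own implementation: it classifies a HEC URL by path and bare query token, then assembles the request the way each mode requires (HEC JSON envelope with metadata keys, or a text body with metadata as query parameters for RAW). The stream token is treated as a local routing name and is not forwarded to Splunk.

```python
import json
from urllib.parse import urlsplit, urlunsplit, urlencode


def classify_endpoint(url):
    """Return (mode, stream) for a HEC endpoint URL.

    mode is "json" for /services/collector or /services/collector/event and
    "raw" for /services/collector/raw. stream is a bare query token such as
    "?firewall" (no key=value pairs), or None when the URL has none.
    """
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    if path.endswith("/services/collector/raw"):
        mode = "raw"
    elif path.endswith("/services/collector/event") or path.endswith("/services/collector"):
        mode = "json"
    else:
        raise ValueError(f"not a recognised HEC path: {parts.path}")
    stream = parts.query if parts.query and "=" not in parts.query else None
    return mode, stream


def build_hec_request(url, event, token, index=None, sourcetype=None, source=None):
    """Assemble the HTTP request for one event in the mode the URL selects.

    JSON mode: event wrapped in the HEC envelope, metadata as JSON keys.
    RAW mode: event body sent as text, metadata passed as query parameters.
    """
    mode, stream = classify_endpoint(url)
    parts = urlsplit(url)
    meta = {k: v for k, v in (("index", index), ("sourcetype", sourcetype),
                              ("source", source)) if v}
    headers = {"Authorization": f"Splunk {token}"}
    if mode == "json":
        headers["Content-Type"] = "application/json"
        body = json.dumps({"event": event, **meta})
        target = urlunsplit(parts._replace(query=""))
    else:
        headers["Content-Type"] = "text/plain"
        body = event if isinstance(event, str) else json.dumps(event)
        target = urlunsplit(parts._replace(query=urlencode(meta)))
    return {"mode": mode, "stream": stream, "url": target,
            "headers": headers, "body": body}
```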

Security Index Configuration

Recommended Indexes:

  • main: Default index for general security events
  • security: Dedicated security events index
  • notable: Notable events generated by correlation searches
  • threat_activity: Threat intelligence indicators
  • audit: Audit trail and compliance events

Index Naming Conventions:

  • Use descriptive index names matching data categories
  • Separate indexes for different security zones
  • Configure index retention based on compliance requirements

Index Permissions

Ensure the HEC token has write permissions for the configured indexes. Configure index permissions in Splunk under Settings > Data > HEC tokens.

CIM Normalization

Common Information Model (CIM):

  • Splunk's standard for field naming and categorization
  • Required for Enterprise Security correlation searches
  • Enables pre-built dashboards and reports
  • Provides consistent data model across sources

CIM Data Models:

  • Authentication: Login events, authentication failures
  • Network Traffic: Firewall logs, network sessions
  • Endpoint: Process execution, file modifications
  • Malware: Anti-virus detections, malware events
  • Intrusion Detection: IDS/IPS alerts
  • Change Analysis: Configuration changes, account modifications

Field Mapping:

  • src / dest: Source and destination systems
  • user / dest_user: User accounts
  • action: Event action (allowed, blocked, success, failure)
  • vendor_product: Vendor and product identification
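What the field mapping above means in practice, as an added example that is not the target's own normalizer: a constructed sshd log line is mapped onto the CIM Authentication field names listed here (src, dest, user, action, vendor_product), with action restricted to the values the page names. The host name and log lines are constructed for the example.

```python
import re

# CIM action values named in the Field Mapping section.
CIM_ACTIONS = {"allowed", "blocked", "success", "failure"}

# Constructed sample sshd lines (not taken from any real host).
SAMPLE_LOGS = [
    "Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Received disconnect from 192.0.2.10 port 51234:11: disconnected by user",
]

_SSHD = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def to_cim_authentication(line, dest="bastion01"):
    """Map one sshd line onto CIM Authentication fields.

    dest is the host that wrote the log (constructed default). Returns None
    for lines that are not authentication events, so callers can route only
    CIM-shaped events to the Authentication data model.
    """
    m = _SSHD.match(line)
    if not m:
        return None
    event = {
        "src": m.group("src"),
        "dest": dest,
        "user": m.group("user"),
        "action": "success" if m.group("outcome") == "Accepted" else "failure",
        "vendor_product": "OpenSSH sshd",
        "authentication_method": m.group("method"),
        "src_port": int(m.group("port")),
    }
    assert event["action"] in CIM_ACTIONS
    return event


def normalize_batch(lines):
    """Normalize a batch, dropping lines that carry no authentication event."""
    return [e for e in (to_cim_authentication(l) for l in lines) if e is not None]
```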

Examples

Basic Security Events

Sending security events to Splunk Enterprise Security...

targets:
  - name: splunk-security
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      source_type: datastream:security

With CIM Normalization

Applying custom normalization for CIM compliance...

targets:
  - name: splunk-es-normalized
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      source_type: datastream:security:cim
      field_format: "cim"

Notable Events

Sending events to notable index for correlation search integration...

targets:
  - name: splunk-notables
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: notable
      source_type: datastream:notable
      source: DataStream

High-Availability Configuration

Multiple Splunk HEC endpoints for high availability...

targets:
  - name: splunk-es-ha
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk-hec1.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
        - endpoint: https://splunk-hec2.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
        - endpoint: https://splunk-hec3.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      batch_size: 10000
      use_compression: true

Threat Intelligence

Forwarding threat intelligence indicators to Splunk ES...

targets:
  - name: splunk-threat-intel
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: threat_activity
      source_type: datastream:threatintel
      source: threat-feeds

Authentication Events

Sending authentication events with CIM-compliant sourcetype...

targets:
  - name: splunk-authentication
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      source_type: datastream:auth
      batch_size: 5000

Production Configuration

Production-ready Splunk ES configuration with HA, compression, and security settings...

targets:
  - name: splunk-es-production
    type: splunksecurity
    properties:
      endpoints:
        - endpoint: https://splunk-hec1.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
        - endpoint: https://splunk-hec2.example.com:8088/services/collector
          token: "${SPLUNK_HEC_TOKEN}"
      index: security
      source_type: datastream:security:production
      source: datastream-director
      batch_size: 10000
      timeout: 30
      use_compression: true
      insecure_skip_verify: false
      field_format: "cim"