Does the use of HECs require traversing the public internet to get data into Splunk? Example, if my customer was the government and the data passed through Firehose into Splunk is to not touch the internet.
I think there are some more questions that need to be asked around the requirements. Splunk Enterprise(if so, hosted where?) or Splunk Cloud? If it is Splunk Cloud, I imagine FedRAMP/GovCloud might be required?
In either case, I believe that the data stream from Firehose to Splunk is encrypted if configured properly, whether it traverses the public internet is another question.