Getting Data In

Vendor api token, but no add-on

mikefg
Path Finder

I have a vendor that will provide an API token so I can retrieve SIEM event data. There is no add-on available for this vendor that I can find. I will also want to make this data available to Splunk Enterprise Security.

The data will be available from the vendor using a path like this.
   https://siem.vendor.com/authapi/api/siem

The event data is intended to be used with a SIEM so it will be in fields like this.
   event_id=message source=threat ip=127.0.0.1

I'm assuming I will need to create an add-on, but have not done this before. Or is this a use case for the HTTP Event Collector?


mikefg
Path Finder

It looks like HEC is the wrong way to go since it sends data from an application to Splunk. Is creating my own add-on the right way to go?

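The polling pattern both posts are circling is a Splunk scripted input: a script in an add-on's bin/ directory that Splunk runs on an interval, that calls the vendor API with the token, and that writes one event per line to stdout for Splunk to index. The following is an added example written for this thread, not code from the original posts or from any vendor add-on. It assumes a hypothetical API contract (a JSON array of objects with event_id, timestamp, message, source and ip, filtered by a ?since= parameter) and reads the token from the VENDOR_API_TOKEN environment variable rather than hard-coding it. The checkpoint handling and duplicate suppression go beyond what the posts describe; they are the two things a first-time add-on author most often gets wrong.

```python
"""Added example for the thread above (not the posters' or vendor's code):
a Splunk scripted input that polls a vendor REST API with a bearer token
and prints one key=value event per line, which Splunk indexes as-is.

Assumed (hypothetical) API contract: VENDOR_URL returns a JSON array of
objects with "event_id", "timestamp" (ISO 8601, UTC), "message", "source"
and "ip", and accepts ?since=<ISO timestamp>.  Token comes from the
VENDOR_API_TOKEN environment variable, never from the script itself.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

VENDOR_URL = "https://siem.vendor.com/authapi/api/siem"  # path from the post

# Constructed sample response standing in for the vendor API while offline.
# The third record is a deliberate duplicate of the first.
SAMPLE_RESPONSE = [
    {"event_id": "1001", "timestamp": "2024-05-01T10:00:00Z",
     "message": "failed login", "source": "threat", "ip": "127.0.0.1"},
    {"event_id": "1002", "timestamp": "2024-05-01T10:05:00Z",
     "message": 'user "bob" blocked', "source": "threat", "ip": "10.0.0.5"},
    {"event_id": "1001", "timestamp": "2024-05-01T10:00:00Z",
     "message": "failed login", "source": "threat", "ip": "127.0.0.1"},
]


def kv_quote(value) -> str:
    """Quote a value so Splunk's automatic key=value extraction keeps it whole."""
    text = str(value)
    if not text or any(c in text for c in ' "=\t\n'):
        text = '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return text


def build_event(record: Dict) -> str:
    """Render one API record as a single-line key=value event.

    The timestamp is written first so Splunk's default timestamp extraction
    finds it; known fields follow in a fixed order, then any extra vendor
    fields, so nothing the API returns is silently dropped.
    """
    known = ["timestamp", "event_id", "source", "ip", "message"]
    parts = [f"{k}={kv_quote(record.get(k, ''))}" for k in known]
    parts += [f"{k}={kv_quote(v)}" for k, v in sorted(record.items()) if k not in known]
    return " ".join(parts)


def collect_new_events(records: List[Dict], checkpoint: Dict) -> Tuple[List[str], Dict]:
    """Turn records newer than the checkpoint into events, dropping duplicates.

    checkpoint = {"since": <latest timestamp seen>, "seen": [ids at that timestamp]}.
    Keeping the ids at the boundary timestamp is what makes re-polling with
    ?since=<boundary> safe: the API may legitimately return those again.
    """
    since = checkpoint.get("since", "")
    seen = set(checkpoint.get("seen", []))
    events, emitted = [], set()
    latest, latest_ids = since, set(seen)
    for rec in sorted(records, key=lambda r: (r["timestamp"], r["event_id"])):
        ts, eid = rec["timestamp"], rec["event_id"]
        if ts < since or eid in seen or eid in emitted:
            continue
        emitted.add(eid)
        events.append(build_event(rec))
        if ts > latest:
            latest, latest_ids = ts, set()
        latest_ids.add(eid)
    return events, {"since": latest, "seen": sorted(latest_ids)}


def vendor_fetch(since: str, token: str, url: str = VENDOR_URL) -> List[Dict]:
    """Pull records newer than `since` from the (assumed) vendor API over HTTPS."""
    query = "?" + urllib.parse.urlencode({"since": since}) if since else ""
    req = urllib.request.Request(url + query, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # certificate verified by default
        return json.load(resp)


def main(fetch: Callable[[str], List[Dict]], checkpoint_path: str) -> int:
    """One poll: load checkpoint, fetch, print events, then advance checkpoint."""
    checkpoint = {}
    if os.path.exists(checkpoint_path):
        with open(checkpoint_path) as fh:
            checkpoint = json.load(fh)
    events, checkpoint = collect_new_events(fetch(checkpoint.get("since", "")), checkpoint)
    for line in events:
        print(line)  # each stdout line becomes one indexed event
    sys.stdout.flush()
    with open(checkpoint_path, "w") as fh:  # written only after events were emitted
        json.dump(checkpoint, fh)
    return len(events)


if __name__ == "__main__":
    if "--sample" in sys.argv:  # offline demonstration with the constructed data
        fetch_fn = lambda since: SAMPLE_RESPONSE
    else:
        token = os.environ.get("VENDOR_API_TOKEN")
        if not token:
            sys.exit("VENDOR_API_TOKEN is not set")
        fetch_fn = lambda since: vendor_fetch(since, token)
    main(fetch_fn, os.environ.get("CHECKPOINT_FILE", "vendor_siem.checkpoint"))
```

To wire this into an add-on, the script sits under the app's bin/ directory and inputs.conf points at it with a stanza of the form [script://./bin/vendor_siem.py] carrying an interval (seconds) and a sourcetype; with the key=value output above, Splunk's automatic extraction yields the fields without a props.conf transform. For Enterprise Security the remaining work is CIM alignment (for example aliasing ip to src or dest and tagging the sourcetype), which is the part no generic script can do for you. If the vendor ever offers push delivery instead, that is the point at which HEC becomes the right fit.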