I have a vendor that will provide an api token so I can retrieve SIEM event data. There is no add-on available for this vendor that I can find. I will also want to make this data available to Splunk Enterprise Security.
The data will be available from the vendor using a path like this. https://siem.vendor.com/authapi/api/siem
The event data is intended to be used with a SIEM so it will be in fields like this. event_id=message source=threat ip=127.0.0.1
I'm assuming I will need to create an add-on, but have not done this before. Or is this a use case for the HTTP Event Collector?
It looks like HEC is the wrong way to go since it sends data from an application to Splunk. Is creating my own add-on the right way to go?