Configure the HEC collector commands

The Anvilogic App for Splunk contains a custom Splunk command that uses the HTTP Event Collector (HEC) to send results from threat identifiers into the events of interest index. This command is critical to the frameworks ability to store events for advanced correlation, and manages auditing on all objects.

More information on the HEC and how to set it up can be found in Configure HTTP Event Collector on Splunk Enterprise in the Splunk Enterprise Getting Data In manual.

Perform the following steps to create inputs on a single search head. Some steps may vary if you are managing a search head cluster.

1. In Splunk Web, select Settings > Data inputs.

2. Select HTTP Event Collector > New Token.

3. Fill in relevant information:

   • Specify a name of avl_hec_token.

   • Leave the Source Name Override blank.

   • Enter HEC Input for Anvilogic Detection Framework as the description.

   • Leave the Output Group as none.

   • Leave the Enable indexer acknowledgement box unchecked.

4. Click Next to configure the input settings:

   • Source type = Automatic

   • App Context = Anvilogic (anvilogic)

   • index = anvilogic AND index = anvilogic_metrics

   • Default Index = anvilogic

5. Click Review, then click Submit.

6. Copy the token value.

Perform the following steps to update the global settings and enable the tokens:

1. In Splunk Web, select Settings > Data inputs.

2. Select HTTP Event Collector > Global Settings.

3. Ensure the following settings are enabled:

   • All Tokens: Enabled

   • Enable SSL - Check

   • HTTP Port Number = Default is 8088

Next step

Connect to the Anvilogic platform.