Configure the HEC collector commands

Create a HEC token that can write to the custom indexes you just created.

Last updated 9 months ago


The Anvilogic App for Splunk contains a custom Splunk command that uses the HTTP Event Collector (HEC) to send results from threat identifiers into the events of interest index. This command is critical to the framework's ability to store events for advanced correlation, and it manages auditing on all objects.

More information on the HEC and how to set it up can be found in the Splunk Enterprise Getting Data In manual.

Perform the following steps to create inputs on a single search head. Some steps may vary if you are managing a search head cluster.

  1. In Splunk Web, select Settings > Data inputs.

  2. Select HTTP Event Collector > New Token.

  3. Fill in relevant information:

    • Specify a name of avl_hec_token.

    • Leave the Source Name Override blank.

    • Enter HEC Input for Anvilogic Detection Framework as the description.

    • Leave the Output Group as none.

    • Leave the Enable indexer acknowledgement box unchecked.

  4. Click Next to configure the input settings:

    • Source type = Automatic

    • App Context = Anvilogic (anvilogic)

    • Allowed Indexes = select both anvilogic and anvilogic_metrics

    • Default Index = anvilogic

  5. Click Review, then click Submit.

  6. Copy the token value.

Perform the following steps to update the global settings and enable the tokens:

  1. In Splunk Web, select Settings > Data inputs.

  2. Select HTTP Event Collector > Global Settings.

  3. Ensure the following settings are enabled:

    • All Tokens = Enabled

    • Enable SSL = checked

    • HTTP Port Number = 8088 (the default)
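The two procedures above end up as stanzas in the search head's inputs.conf (a global [http] stanza plus one [http://<token name>] stanza per token). The following is an added example, not part of the Anvilogic app or the Splunk product, that reads such a file and reports any setting that differs from what this page specifies; the inputs.conf sample is constructed and its token value is a placeholder.

```python
"""Check a Splunk inputs.conf against the HEC settings this page specifies."""
import configparser
from typing import List

# Expected values, taken from the steps above.
TOKEN_STANZA = "http://avl_hec_token"
EXPECTED_INDEXES = {"anvilogic", "anvilogic_metrics"}
EXPECTED_DEFAULT_INDEX = "anvilogic"
EXPECTED_PORT = "8088"

# Constructed sample of a search head's inputs.conf; the token is a placeholder, not a real one.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0
enableSSL = 1
port = 8088

[http://avl_hec_token]
disabled = 0
token = 00000000-0000-0000-0000-000000000000
description = HEC Input for Anvilogic Detection Framework
indexes = anvilogic,anvilogic_metrics
index = anvilogic
useACK = 0
"""

def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (enableSSL, useACK) as Splunk writes it
    cp.read_string(text)
    return cp

def check_hec_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file matches the page's settings."""
    cp, findings = parse_inputs_conf(text), []
    g = cp["http"] if cp.has_section("http") else {}
    # Global settings: a missing key is reported rather than assuming a Splunk default.
    for key, want, msg in (("disabled", "0", "All Tokens is not enabled"),
                           ("enableSSL", "1", "SSL is not enabled"),
                           ("port", EXPECTED_PORT, "port is not 8088")):
        if g.get(key) != want:
            findings.append(f"[http] {msg} ({key}={g.get(key)!r})")
    if not cp.has_section(TOKEN_STANZA):
        return findings + [f"token stanza [{TOKEN_STANZA}] not found"]
    t = cp[TOKEN_STANZA]
    if t.get("disabled", "0") != "0" or not t.get("token"):
        findings.append("avl_hec_token is disabled or has no token value")
    allowed = {i.strip() for i in t.get("indexes", "").split(",") if i.strip()}
    if allowed != EXPECTED_INDEXES:  # an empty set means the token may write to any index
        findings.append(f"allowed indexes {sorted(allowed)} != {sorted(EXPECTED_INDEXES)}")
    if t.get("index") != EXPECTED_DEFAULT_INDEX:
        findings.append(f"default index is {t.get('index')!r}, expected {EXPECTED_DEFAULT_INDEX!r}")
    if t.get("useACK", "0") != "0":  # page says to leave indexer acknowledgement unchecked
        findings.append("indexer acknowledgement is enabled on avl_hec_token")
    return findings
```

Run it against $SPLUNK_HOME/etc/apps/anvilogic/local/inputs.conf (or wherever the token was created) after the wizard finishes; on a search head cluster, check the pushed copy on each member.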

Next step

Connect to the Anvilogic platform.
