TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM HEC
ENVIRONMENT: HTTP Event Collector
SUMMARY: Configuration Guide for Generic HTTP Event Collector
Overview
The Generic HTTP Event Collector (HEC) allows for the sending of application event and log data to Huntress over the HTTP and Secure HTTP (HTTPS) protocols. Upon successfully configuring a source and the Generic HTTP Event Collector, the source will send data to the Collector URL. Sources configured this way will not have ECS normalized fields or categories but will have base level JSON parsing.
Source Requirements
- The source must support token-based authentication.
- The source must send data in a JSON-formatted array with “event” as the top object.
Configuring the HTTP Event Collector
Authentication Token Creation
- Open the Huntress Portal
- Click on SIEM on the left navigation menu
- Click Source Management
- Click Add Source
- Choose Generic HEC
- Click Add
- Set Configuration Details
- Select the appropriate Organization from the dropdown
- Enter a unique name of the source
- (Optional) Enter a description for the source
- Click Save
- Record the HTTP Event Collector Token
- Note: Keep this secure as it is the equivalent of a password
Configuring the Source
Each log source will have it’s own unique configuration steps. However, as noted in the requirements section above it does need to support token-based authentication. If the source supports integration with Splunk’s HEC, the same mechanism and source configuration steps are supported by the Huntress HEC.
Huntress HEC URL:
- https://hec.huntress.io/services/collector
Additionally, we support listening on these additional URL's depending on the source service requirements:
- https://hec.huntress.io/services/collector/event
- https://hec.huntress.io/services/collector/raw