TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: HTTP Event Collector (HEC)
ENVIRONMENT: NinjaRMM
SUMMARY: Configuration Guide for NinjaRMM. With this guide you can use Huntress to ingest webhooks directly from Ninja RMM, bypassing the need to use Splunk or another 3rd party HEC.
Vendor Information
| Vendor | NinjaOne |
|---|---|
| Supported Model Name/Number | N/A |
| Supported Software Version(s) | N/A |
| Collection Method | HTTP Event Collector |
| Provider Name | NinjaRMM |
| Additional Information | NinjaOne SIEM Integration Blog Guide |
Configuration Checklist
- In your Huntress Console, navigate to the SIEM -> Source Management page, then the Categories tab.
- Scroll to the RMM section and select View Details on the NinjaOne RMM source.
- Select the green Add button.
- Select an organization, then enter a name and description for the new NinjaOne source.
- Select Save.
- Record the HTTP Event Collector URL and Token for use in the following steps.
-
Start at step 2 on this NinjaOne SIEM Integration Blog Guide for setting up a HEC/Splunk integration. You can skip step 1 since Huntress will act as the collector, instead of Splunk.
Important Notes:
- Log into NinjaOne as a System Administrator.
- Use the "https://hec.huntress.io/services/collector/raw" endpoint
- Step 5 and 6 in the NinjaOne blog post above are vital to turning on the required Notification Channel (i.e. webhook). If you don't get a code 204 during that step a webhook won't be added. Read the "In Conclusion" section in the NinjaOne blog post to verify a webhook was setup. Please do not change the name of the webhook inside "Notification channels".
-
Include "Splunk <copied token>" under headers -> value. Here's an example of the headers field (replace the numbers with your HEC token from Huntress):
"headers": [
{
"name": "Authorization",
"value": "Splunk 12345678910"
}
]
Additional Information
With a single NinjaOne RMM integration, a single Huntress organization can be mapped to a single NinjaOne organization, or the entire NinjaOne account. Users will need to decide whether to set up individual organization-to-organization integrations, or to use a single account-wide NinjaOne integration to a single Huntress organization.
Each configured NinjaOne RMM source in the Huntress console counts as one Managed SIEM Data Source if it has sent data in the last 30 days. A single account-wide NinjaOne integration configured as one NinjaOne RMM source in Huntress is therefore one Data Source, while separate NinjaOne RMM sources configured per organization (org-to-org) are each a separate Data Source.
For more info on Data Source billing, check out our Managed SIEM Billing and Retention guide.
In early FY26 we'll be enhancing the integration to support account-to-account integrations.