TEAM: Huntress Managed Security Information and Event Management (SIEM)
ENVIRONMENT: Huntress dashboard, your HEC or API configuration portal
SUMMARY: How to troubleshoot Huntress SIEM HEC or API integrations and the typical ways these integrations fail.
If your HEC- or API-based sources suddenly stop working, first double-check that the permissions granted to the HEC or API source are still correct. A sudden stop in data ingestion is almost always caused by a permissions change on the source side.
Before working through anything below, double-check that your credentials/API keys were copied into the Huntress portal without any extra leading or trailing characters. The vast majority of issues with these sources stem from extra characters or other copy/paste mistakes.
IP restrictions
If your API-based solution restricts access by IP, ensure the Huntress IPs are allowed. These addresses are for traffic from our systems to your API source, so this does not apply to HEC sources, where communication is one-way from your source to Huntress. See our Required Firewall Settings article for the full list of IPs that must be allowed.
Loud vs quiet sources
Some sources do not send much data. Depending on how much traffic those systems see and which event levels they log, it is not unusual for a new integration to take a few days before data starts showing up.
Copy/paste and typo errors
Typos and copy/paste issues are common causes of integration failure. Often this presents as a permissions error when you set up the integration in the Huntress portal. When copying API keys, URLs, and API user names, capture only the exact text, with none of the spaces or formatting before or after it. It can help to paste the value into an editor that does not apply formatting, such as Notepad, and then copy it from there into your source or the Huntress portal.
You can verify the copied token is valid for HEC sources by running this curl command (replace TOKEN_GOES_HERE with your token):
curl https://hec.huntress.io/services/collector/event -H "Authorization: Splunk TOKEN_GOES_HERE" -d '{"event": "hello world"}'

Within 30 minutes you should see a new GenericHEC source with a "hello world" message inside. This search, run from your main SIEM page (account scope), should surface it:
from logs | where event.provider == "GenericHEC" | keep message
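As an added example (not part of this article and not Huntress tooling), the script below mechanizes the copy/paste checks described above: it flags leading/trailing whitespace, invisible Unicode characters, typographic quotes and dashes, and wrapping quotes in a pasted token, then builds the same request the curl command sends so you can fire the "hello world" test event from the cleaned value. Only the endpoint URL and the "Authorization: Splunk <token>" header format are taken from the article; the token format itself, the 15-second timeout, and reading the token from standard input are assumptions.

```python
# Added example, not part of the Huntress article: a pre-flight check for a pasted
# HEC token. Only the endpoint and header format come from the article's curl
# command; nothing about the token's own format is assumed.
import json
import unicodedata
import urllib.error
import urllib.request

HEC_URL = "https://hec.huntress.io/services/collector/event"

# Characters that survive a copy/paste from a rich-text page, chat client or PDF
# but are invisible in most editors: zero-width space/joiners, word joiner, BOM, NBSP.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00a0"}
# Typographic characters that look like ASCII punctuation but are not.
LOOKALIKES = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"',
              "\u2013": "-", "\u2014": "-"}


def check_token(raw: str) -> dict:
    """Report copy/paste damage in a pasted token and return a cleaned candidate.

    The cleaned value is something to compare against what is in the portal, not
    something to trust blindly: if the report is not ok, re-copy the token.
    """
    problems = []
    stripped = raw.strip()
    if stripped != raw:
        problems.append("leading or trailing whitespace/newline")
    for ch in stripped:
        code = f"U+{ord(ch):04X}"
        if ch in INVISIBLE:
            problems.append(f"invisible character {code} ({unicodedata.name(ch, '?')})")
        elif ch in LOOKALIKES:
            problems.append(f"typographic look-alike {code} instead of {LOOKALIKES[ch]!r}")
        elif not (0x20 <= ord(ch) <= 0x7E):
            problems.append(f"non-ASCII or control character {code}")
    cleaned = "".join(LOOKALIKES.get(c, c) for c in stripped if c not in INVISIBLE).strip()
    # A value copied together with its surrounding quotes is a common mistake.
    if len(cleaned) >= 2 and cleaned[0] == cleaned[-1] and cleaned[0] in "\"'":
        problems.append("token was copied together with surrounding quotes")
        cleaned = cleaned[1:-1].strip()
    return {"ok": not problems, "problems": list(dict.fromkeys(problems)), "cleaned": cleaned}


def build_hec_request(token: str, event: str) -> dict:
    """Build the same request the article's curl command sends, without sending it."""
    return {
        "url": HEC_URL,
        "headers": {"Authorization": f"Splunk {token}"},
        "body": json.dumps({"event": event}),
    }


def send_test_event(token: str, event: str = "hello world") -> int:
    """POST the test event and return the HTTP status code (needs network access)."""
    req = build_hec_request(token, event)
    request = urllib.request.Request(req["url"], data=req["body"].encode(),
                                     headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(request, timeout=15) as resp:  # timeout is an assumption
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. a 4xx means the token was rejected; compare with the report


if __name__ == "__main__":
    import sys
    report = check_token(sys.stdin.read())  # paste the token, then Ctrl-D (Ctrl-Z on Windows)
    print(json.dumps(report, indent=2))
    if report["ok"]:
        print("HTTP", send_test_event(report["cleaned"]))
```

Run it, paste the token exactly as you would into the portal, and read the report before looking anywhere else: a non-empty problems list explains most "permissions" errors at setup time. If the report is clean and the request is accepted, the GenericHEC search above should show the event within the 30-minute window.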
Navigating Huntress SIEM
Some API and HEC sources can only be viewed in the Account scope; if you don't see the Organizations tab at the top, you are likely in the Org scope. Clicking the Huntress logo at the top right lets you change scope. The recommended way to see all sources is to click SIEM on the far left, then select Source Management. Sorting that page by Source Type groups the sources by type and shows when each integration last collected data.
Follow our guides carefully
Follow our HEC guides or API guides carefully, as even one small error can completely prevent the integration from working. Pay special attention to the vendor information table, which often states exactly which products are supported. Also pay special attention to the creation of an API user (when applicable): the permissions listed in the Huntress documentation are the bare minimum the integration needs to work.
Huntress User permissions
Only Account-level Admins can create new SIEM sources. Because most API and HEC sources are created at the account level, org-level users cannot view them, as doing so could reveal information about other organizations in your account.
Source is not supported
In some cases Huntress SIEM may store the data even if the product isn't supported. We can't offer product support or SOC inspection for these sources, but you're welcome to store unsupported data.
If you don't see your source please make a request in our Feature Request page. This is a direct line to our Product and Engineering teams and is the best way to ensure your feedback is received by the right team.
If none of these suggestions resolved your issue, please reach out to Huntress support for assistance!