Sending SlashID Detections to Splunk
SlashID can forward real-time identity security detections directly to your Splunk Cloud environment using HTTP Event Collector (HEC). This guide walks you through the steps to configure Splunk and connect it with SlashID.
Note: HEC does not work with Splunk trial accounts using port :8088, due to issues with self-signed certificates.
Step 1: Create an HTTP Event Collector Token in Splunk Cloud
- Log in to your Splunk Cloud Platform instance.
- Navigate to Settings > Add Data.
- Click Monitor.
- Choose HTTP Event Collector.
- Click New Token.
Configure the token:
- Name: Enter a descriptive name, e.g., SlashID Detections.
- Source name override: Use something like slashid-detections to help identify incoming data.
- [Optional] Description: Add a short note for future reference.
Do not enable indexer acknowledgment.
- Click Next.
- [Optional] Adjust the source type or select the desired index where events should be stored.
- Click Review, and then Submit to create the token.
It may take a few moments for the token to become active across your Splunk deployment.
Step 2: Collect Your Splunk Endpoint URL and Token
Once the token is created, note down the following:
- Splunk HEC URL, in the format https://{your-splunk-id}.splunkcloud.com/services/collector/event
- Token: shown after the token is created.
Step 3: Configure SlashID to Send Detections
- In the SlashID Console, go to Identity Protection > Configuration > Connectors.
- Choose Add Connector and select Splunk from the list.
- Paste the Splunk HEC URL and token into the appropriate fields.
- Choose which types of detections or environments you want to sync.
- Save and activate the connector.
Once configured, SlashID will stream detection events (e.g., privilege escalation, credential misuse, lateral movement) to your Splunk instance in real time.
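Before relying on the connector, it helps to confirm the HEC URL and token from Steps 1 and 2 accept events at all. The script below is an added example, not SlashID's or Splunk's own code: it posts a constructed test event with the same "Authorization: Splunk <token>" header and JSON envelope HEC expects, and maps the HTTP status to the usual causes. It assumes curl is installed and that SPLUNK_HEC_URL and SPLUNK_HEC_TOKEN are supplied by the caller (the defaults are placeholders, not real credentials).

```shell
#!/bin/sh
# Verify a Splunk Cloud HEC endpoint and token with a constructed test event
# before wiring it into the SlashID connector. Added example, not vendor code.
# Assumptions: SPLUNK_HEC_URL / SPLUNK_HEC_TOKEN come from the environment
# (defaults below are placeholders) and curl is available.

SPLUNK_HEC_URL="${SPLUNK_HEC_URL:-https://YOUR-SPLUNK-ID.splunkcloud.com/services/collector/event}"
SPLUNK_HEC_TOKEN="${SPLUNK_HEC_TOKEN:-REPLACE-WITH-HEC-TOKEN}"

# Build the HEC envelope. HEC reads the record from the "event" key; "source"
# matches the Source name override chosen when the token was created.
# Arguments: detection type, subject identity (both constructed sample values).
hec_payload() {
    printf '{"source":"slashid-detections","sourcetype":"_json","event":{"detection":"%s","subject":"%s","vendor":"slashid","note":"constructed test event"}}' "$1" "$2"
}

# Derive Splunk's HEC health endpoint (/services/collector/health) from the event URL.
hec_health_url() {
    printf '%s' "$1" | sed 's#/services/collector/event$#/services/collector/health#'
}

# POST the test event and print only the HTTP status code.
# 200 means the token is active and the target index accepted the event.
hec_send() {
    curl -sS -o /dev/null -w '%{http_code}' \
        -H "Authorization: Splunk $SPLUNK_HEC_TOKEN" \
        -H 'Content-Type: application/json' \
        --data "$(hec_payload "$1" "$2")" \
        "$SPLUNK_HEC_URL"
}

# Interpret the status the way an operator checking the connector would.
hec_explain() {
    case "$1" in
        200) echo "ok: HEC accepted the event" ;;
        401|403) echo "auth failure: token invalid, disabled, or not yet propagated" ;;
        400) echo "bad request: malformed JSON or index not allowed for this token" ;;
        *) echo "unexpected status $1: check URL, port and TLS (trial accounts on :8088 will not work)" ;;
    esac
}

# Usage (only runs when executed directly with real values exported):
# status="$(hec_send privilege_escalation user@example.com)"; hec_explain "$status"
```

Run it once with the real URL and token exported; a 200 followed by the event appearing in the chosen index confirms the pieces SlashID needs, and a 401/403 shortly after creation usually just means the token has not propagated yet.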
Need Help?
If you run into issues during setup or if your Splunk instance requires custom configuration (e.g., proxy, custom source types), reach out to support@slashid.dev.