Configuring the Threat Events Stream for Splunk via HTTP Event Collector

Jamf Protect Documentation

Solution

Application

Content Type

Technical Documentation

Utilities & Services

ft:locale

en-US

Requirements

Download and install the Jamf Protect Add-on.
Configure the HEC token in Splunk. For more information, see Configure HTTP Event Collector on Splunk Cloud Platform.
Note:
Leave the Enable indexer acknowledgment field deselected when you create the HEC token, as Jamf Security Cloud does not support this feature.
Configure an action configuration for each applicable event data type within Jamf Security Cloud.

In Jamf Security Cloud, navigate to Integrations > Data streams.
Click New configuration.
In the Create data stream configuration page, click the Threat events radio button.
Click the Generic HTTP radio button.
Click Continue.
In the HTTP connection configuration section, do the following:
1. Set the Protocol by clicking https or http.
2. In the Server Hostname/IP field, enter your Splunk hostname.
3. In the Port field, enter one of the following port values:
  - 8088 on Splunk Cloud Platform free trials
  - 443 by default on Splunk Cloud Platform instances
  - 8088 by default on Splunk Enterprise
4. In the Endpoint field, enter your HEC endpoint for JSON-formatted events.
  This will normally be services/collector/event or services/collector/raw.
In the Additional headers (optional) section, do the following:
1. In the Header name field, enter Authorization.
2. In the Header value field, enter previously created HEC token in the format Splunk {{Token}}.
  Example:
  Splunk 49AAF28E-C799-49A7-BF4C-DE8A20880ACD
Click Test configuration.
If the test is successful, you can enable the threat events stream by navigating to Integrations > Data streams and enabling the required Configuration name with the respective toggle button in the Status field.
Click Save.

Detected events are sent to your Splunk instance in real time.