Export alerts to Splunk HEC SIEM

You can export alerts from Corelight Investigator (Investigator) directly to a Splunk HTTP Event Collector (Splunk HEC) instance. This integration allows you to forward alerts for analysis within your Splunk environment. The process requires configuring a HEC instance in Splunk and then setting up the alert export integration in Investigator.

Prerequisites

  • An operational Splunk Cloud or Splunk Enterprise instance.

  • An operational Corelight Investigator instance.

  • Splunk HEC Credentials: You must have the HEC URL and Token available from your Splunk instance.

  • Investigator Permissions: You must have administrator access in Corelight Investigator to configure alert exports. Analyst-level users can only view existing configurations.

  • Firewall configuration: If your firewall restricts inbound traffic, you need to create a rule to allow HTTPS (port 443) traffic from the Corelight Investigator source IP address for your region. This rule allows Investigator to successfully export alerts and data to your systems.

    Add the IP address that corresponds to your region to your firewall’s allowlist:

    • North America (us-west-2): 35.81.184.144

    • Europe (eu-central-1): 35.157.240.249

    • Middle East (me-south-1): 40.172.28.44

    • Asia Pacific (ap-southeast-2): 3.25.53.116

Important

  • Alert Duplication: Be aware that if you have already configured log export on one or more sensors, exporting alerts from Investigator will duplicate some notice and Suricata alerts.

  • The Splunk user interface and configuration steps are subject to change by Splunk. This guide is based on the interface at the time of publication.

Step 1: Configure the HTTP Event Collector in Splunk

Enable the HTTP Event Collector (HEC) in your Splunk instance and create a new token to obtain the Token and URL required for the Investigator configuration.

For complete, step-by-step instructions on this process, see the Splunk documentation: Enable HTTP Event Collector.

Step 2: Configure the Alert Exporter in Investigator

After you have the HEC Token and URL from Splunk, follow these steps in Investigator.

  1. From System Settings in the left navigation, choose Integrations and click the Alert Exports tab.

  2. Click Splunk HEC.

  3. Toggle Enabled to the On position.

  4. Provide a Name for the exporter.

  5. Provide the following information about your HEC instance:

    1. URL: Enter the API URL generated when you set up the new connector in Splunk. Do not enter the full URL in this field: exclude the /services/collector portion and include only the host information. (Investigator automatically appends /services/collector to the URL when exporting.) For example, https://<splunk-url-info>.splunkcloud.com is a valid entry.

    2. Token: Enter the API key (token) generated when setting up the new connector in Splunk.

    3. Splunk Index: Enter a value for the destination index.

  6. Optionally, enable Verify SSL (recommended). This ensures a secure connection by verifying the certificate and hostname provided by the exporter. If you enable this option, the certificate must be current, issued by a trusted issuer, and the hostname must be present in the certificate.

  7. Click Save.

Step 3: Verify the connection

After saving the exporter, confirm that data is flowing correctly from Investigator to Splunk.

  1. Wait for a new alert to be generated naturally within Corelight Investigator.

  2. In Splunk, navigate to the Search & Reporting app.

  3. Run a search query to find your data, specifying the index you configured for the HEC token.

    index="your_index_name" sourcetype="_json"

You should see new JSON-formatted events from Corelight alerts appear in the search results. This confirms the connection is working.
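As an added example (not Corelight's or Splunk's code), the following Python script checks the two settings from Step 2 and performs the Step 3 verification without waiting for a natural alert: it normalizes the URL the way the URL field requires, builds the HEC POST with the token and index, and sends one constructed test event over a certificate-verifying TLS connection. The Authorization: Splunk <token> header and the index/sourcetype/event envelope are standard HEC conventions rather than anything stated on this page, and the sample alert body is constructed.

```python
"""Pre-flight check for a Splunk HEC alert-export target (added example)."""
import json
import ssl
import sys
import urllib.request
from urllib.parse import urlparse

COLLECTOR_PATH = "/services/collector"

# Constructed sample event; it is not Investigator's real alert schema.
SAMPLE_ALERT = {
    "source": "investigator-hec-preflight",
    "note": "HEC export connectivity test",
    "severity": "info",
}


def normalize_hec_base_url(url: str) -> str:
    """Return the host-only https URL the Investigator URL field expects.

    A pasted '/services/collector[/event]' suffix is stripped, since the
    exporter appends that path itself; any other path is rejected.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"expected https://<host>[:port], got {url!r}")
    path = parsed.path.rstrip("/")
    if path and not path.startswith(COLLECTOR_PATH):
        raise ValueError(f"URL field must be host-only; drop {path!r}")
    return f"{parsed.scheme}://{parsed.netloc}"


def build_hec_request(base_url: str, token: str, index: str, alert: dict):
    """Assemble the HEC POST: collector URL, Splunk token header, and a JSON
    envelope carrying the destination index and the _json sourcetype."""
    url = normalize_hec_base_url(base_url) + COLLECTOR_PATH
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    body = json.dumps({"index": index, "sourcetype": "_json",
                       "event": alert}).encode()
    return url, headers, body


def send_test_event(base_url: str, token: str, index: str, alert: dict) -> dict:
    """POST one event; certificate and hostname are verified, as Verify SSL does."""
    url, headers, body = build_hec_request(base_url, token, index, alert)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())  # HEC replies {"text": "Success", "code": 0}


if __name__ == "__main__":
    hec_url, hec_token, hec_index = sys.argv[1:4]
    print(send_test_event(hec_url, hec_token, hec_index, SAMPLE_ALERT))
```

After running it, the Step 3 search index="your_index_name" sourcetype="_json" should return the constructed event, which confirms the token, index and TLS trust chain before real alerts are exported.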

Step 4: Use the data in Splunk

Once alert data is flowing into Splunk, you can use the Splunk Search Processing Language (SPL) to search, visualize, and create dashboards. You can build panels that correlate Corelight’s rich network data with other log sources or create custom dashboards and alerts to monitor for specific threats identified by Corelight’s detection packages.

For more information, see the Splunk documentation.