P0 App Documentation
Splunk HEC Setup

Integration for sending P0 audit logs to a Splunk instance.


Last updated 3 months ago

This topic describes how to set up P0's Splunk HEC (HTTP Event Collector) exporter integration. It contains the following sections:

  • Prerequisites
  • Setup Splunk HEC Token
  • Configuring Splunk HEC Token

Prerequisites

  • Existing P0 account at p0.app

  • Splunk Instance Admin Role

  • Public-facing Splunk instance with an HEC endpoint secured by an SSL certificate.

    • The SSL certificate must be signed by a trusted Certificate Authority (CA) to ensure secure communication. Self-signed certificates are not allowed by P0 Security.

  • Splunk HEC Token

Setup Splunk HEC Token

This setup takes about 5 minutes.

  1. Navigate to "Integrations" on p0.app, then select "Splunk" under the "Security Information & Event Managers" section. Choose the "HTTP Event Collector" component.

  2. Click "Add Token" to install.

  3. Enter a unique custom identifier for the token and click "Next".

Configuring Splunk HEC Token

Endpoint:

An HTTPS endpoint with a valid SSL certificate. The port number required to form the URL can be found under "Global Settings" on the HEC Settings page.

Example: https://hec.example.com:8088/

Token:

Tokens are 32-character GUIDs that let logging agents and HTTP clients connect to the HEC input.
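Before pointing P0 at the collector, it is worth confirming that the endpoint and token meet the requirements above. The following Python pre-flight check is an added example, not code from P0's documentation or product: it rejects non-HTTPS endpoints, validates the GUID format of the token, performs a TLS handshake with the system trust store (so a self-signed certificate fails the same way P0 would reject it), and posts one test event to Splunk's /services/collector/event API. The host, port and token values are constructed placeholders.

```python
import json
import socket
import ssl
import urllib.request
import uuid
from urllib.parse import urlparse

DEFAULT_HEC_PORT = 8088  # Splunk default; see "Global Settings" on the HEC Settings page

def parse_hec_endpoint(endpoint: str) -> tuple:
    """Return (host, port) for an HTTPS HEC endpoint; plain http:// is rejected."""
    url = urlparse(endpoint)
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"HEC endpoint must be an https:// URL, got {endpoint!r}")
    return url.hostname, url.port or DEFAULT_HEC_PORT

def validate_hec_token(token: str) -> bool:
    """HEC tokens are 32-hex-character GUIDs, shown with dashes in the Splunk UI."""
    try:
        return uuid.UUID(token).hex == token.replace("-", "").lower()
    except ValueError:
        return False

def check_tls_trusted(host: str, port: int, timeout: float = 5.0) -> str:
    """TLS handshake against the system trust store; returns the issuer CN.
    A self-signed or untrusted chain raises ssl.SSLCertVerificationError."""
    context = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(item[0] for item in tls.getpeercert()["issuer"])
            return issuer.get("commonName", "")

def send_test_event(endpoint: str, token: str, timeout: float = 5.0) -> dict:
    """POST one event as a logging client would; Splunk answers {"text": "Success", "code": 0}."""
    host, port = parse_hec_endpoint(endpoint)
    body = json.dumps({"event": {"message": "p0 hec preflight"}, "sourcetype": "p0:preflight"})
    req = urllib.request.Request(
        f"https://{host}:{port}/services/collector/event", data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # default context verifies the cert
        return json.loads(resp.read())

if __name__ == "__main__":
    endpoint, token = "https://hec.example.com:8088/", "12345678-1234-1234-1234-123456789abc"  # constructed
    try:
        print("issuer:", check_tls_trusted(*parse_hec_endpoint(endpoint)))
        print(send_test_event(endpoint, token) if validate_hec_token(token) else "bad token format")
    except OSError as exc:  # URLError and SSL errors are both OSError subclasses
        reason = getattr(exc, "reason", exc)
        print("certificate not trusted (self-signed?)" if isinstance(reason, ssl.SSLCertVerificationError) else "connection failed", reason)
```

Run it against your own instance before clicking "Finish"; a certificate-verification failure here means P0 will refuse the endpoint too.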

Enter the desired configuration and click "Finish" to complete the installation. See the configuration section above for information about the settings.

Refer to the official Splunk documentation for detailed instructions: Set up HTTP Event Collector.

Congratulations! You are now set up with the Splunk audit logs integration.
