Splunk HEC integration
Pencheff sends each finding that passes the integration's severity_filter as an HEC event with sourcetype
pencheff:finding, so findings index cleanly alongside your other security
telemetry.
Setup
- In Splunk: Settings → Data inputs → HTTP Event Collector → New Token.
- Select _json as the source type and assign the token to your security index. Each Pencheff event carries its own sourcetype (pencheff:finding), which overrides the token's default. Limit the token's allowed indexes to that index: a HEC token is a write credential, so store it as a secret.
- Copy the token and the HEC URL (e.g. https://splunk.example.com:8088/services/collector/event).
- In Pencheff: Dashboard → Integrations → Connect → Splunk. Paste both and save.
Via API
POST /integrations
{
  "kind": "splunk",
  "name": "prod-splunk",
  "severity_filter": "medium",
  "config": {
    "hec_url": "https://splunk.example.com:8088/services/collector/event",
    "token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  }
}
Via MCP
export_to_splunk(session_id=sid, hec_url="...", token="...")
Event shape
Each HEC line is an event:
{
  "time": 1729516423.5,
  "sourcetype": "pencheff:finding",
  "source": "pencheff",
  "host": "pencheff",
  "event": {
    "id": "...",
    "title": "...",
    "severity": "critical",
    "cvss_score": 9.8,
    "cvss_vector": "CVSS:3.1/...",
    "category": "injection",
    "owasp": "A03: Injection",
    "endpoint": "https://example.com/...",
    "evidence": [...],
    "remediation": "...",
    "compliance": { "PCI-DSS": ["6.5.1"], ... }
  }
}
Splunk query examples
# Top targets by severity
sourcetype=pencheff:finding event.severity IN ("critical","high")
| stats count by event.endpoint, event.severity
| sort -count
# Critical findings over time
sourcetype=pencheff:finding event.severity=critical
| timechart count by event.owasp
Before saving these searches as alerts, confirm the field names against a raw event in your index: HEC stores the contents of the event key as _raw, so depending on your JSON extraction settings the fields may be exposed as severity, endpoint and owasp without the event. prefix.
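To see what the integration puts on the wire, here is an added example (not Pencheff's own code) that applies a severity_filter, wraps sample findings in the HEC envelope documented under Event shape, and posts the batch with the Splunk token header. The severity ranking (info < low < medium < high < critical), the reading of severity_filter as a minimum level, and the sample findings are assumptions of this example, not something the page states.

```python
"""Build and ship Pencheff-style findings to Splunk HEC (added example)."""
import json
import ssl
import urllib.request

# Assumed ranking behind severity_filter, lowest to highest. The page only
# shows "medium" and "critical"; the full scale is this example's assumption.
SEVERITY_ORDER = ("info", "low", "medium", "high", "critical")

# Constructed sample findings in the documented event shape (not real output).
SAMPLE_FINDINGS = [
    {
        "id": "f-001", "title": "SQL injection in product search",
        "severity": "critical", "cvss_score": 9.8,
        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "category": "injection", "owasp": "A03: Injection",
        "endpoint": "https://example.com/search",
        "evidence": ["' OR 1=1-- returned 1200 rows"],
        "remediation": "Use parameterised queries.",
        "compliance": {"PCI-DSS": ["6.5.1"]},
    },
    {
        "id": "f-002", "title": "Login endpoint has no rate limiting",
        "severity": "medium", "cvss_score": 5.3,
        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "category": "authentication",
        "owasp": "A07: Identification and Authentication Failures",
        "endpoint": "https://example.com/login",
        "evidence": ["500 attempts in 60 s, none blocked"],
        "remediation": "Throttle per account and per source IP.",
        "compliance": {},
    },
    {
        "id": "f-003", "title": "Server header reveals version",
        "severity": "low", "cvss_score": 0.0,
        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
        "category": "information-disclosure",
        "owasp": "A05: Security Misconfiguration",
        "endpoint": "https://example.com/",
        "evidence": ["Server: Apache/2.4.41"],
        "remediation": "Suppress the Server header.",
        "compliance": {},
    },
]


def passes_severity_filter(finding, minimum):
    """True when the finding's severity is at or above `minimum`.
    Unknown or missing severities fail closed (not shipped), so a malformed
    finding cannot slip past the filter."""
    try:
        return SEVERITY_ORDER.index(finding["severity"]) >= SEVERITY_ORDER.index(minimum)
    except (KeyError, ValueError):
        return False


def build_hec_event(finding, ts):
    """Wrap one finding in the HEC envelope shown under 'Event shape'.
    The per-event sourcetype overrides the HEC token's default sourcetype."""
    return {"time": ts, "sourcetype": "pencheff:finding", "source": "pencheff",
            "host": "pencheff", "event": finding}


def build_hec_batch(findings, minimum_severity, ts):
    """Serialise every finding that passes the filter as one request body.
    /services/collector/event accepts several JSON objects in a single POST;
    one object per line keeps the body readable and easy to inspect."""
    return "\n".join(
        json.dumps(build_hec_event(f, ts), separators=(",", ":"))
        for f in findings
        if passes_severity_filter(f, minimum_severity)
    )


def parse_hec_batch(body):
    """Inverse of build_hec_batch, for checking what would be sent."""
    return [json.loads(line) for line in body.splitlines() if line]


def send_to_hec(hec_url, token, body, cafile=None):
    """POST a batch to HEC and return the HTTP status code.
    HEC authenticates with 'Authorization: Splunk <token>', not Bearer.
    TLS verification stays on: pass cafile for a private CA instead of
    disabling checks, since the body carries exploit evidence."""
    req = urllib.request.Request(
        hec_url, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run: print the batch a severity_filter of "medium" would produce.
    # Swap the print for send_to_hec(hec_url, token, batch) to ship it.
    print(build_hec_batch(SAMPLE_FINDINGS, "medium", ts=1729516423.5))
```

Run it as-is to inspect the batch offline; f-003 is dropped by the "medium" filter and the two remaining lines are the exact objects HEC would index, which is also a convenient way to check the field names your searches should use.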