---
title: "HTTP Event Collector (HEC) Integration"
slug: "hec-integration"
description: "Learn how to integrate the HTTP Event Collector (HEC) with Traceable to securely stream real-time API security data to Splunk and CrowdStrike. This guide covers prerequisites, setup steps, API credential generation, and notification configuration for seamless SIEM/SOAR integration and centralized visibility into API threats."
tags: ["CrowdStrike Splunk", "HTTP Event Collector", "SIEM Integration", "SIEM SOAR Platforms", "Splunk", "Third Party Integrations"]
updated: 2026-01-12T12:50:29Z
published: 2026-01-12T12:50:29Z
---


# HTTP Event Collector (HEC) Integration

**Updates (July 2025 to September 2025)**

- *September 2025* — Updated the topic to add a new HEC-supported SIEM platform, **CrowdStrike**, to better monitor and analyze threats in Traceable. For more information, see [Generate the API Credentials from your SIEM platform](/docs/hec-integration#generate-the-api-credentials-from-your-siem-platform).

The HTTP Event Collector (HEC) is a secure, token-based system that allows sending logs, events, and other relevant data without requiring additional software installation or login credentials. It simplifies integration, eliminates the need for agents, supports structured data, such as JSON, and enables users to monitor and respond to issues quickly.

Traceable automatically streams real-time data to the external platform, supporting seamless monitoring, analysis, and alerting. This enables you to send and collect data quickly and safely from anywhere, providing real-time visibility and actionable insights. Traceable currently integrates with the following SIEM platforms, **Splunk** and **CrowdStrike**, through HEC to deliver real-time API security data. This ensures that API-specific insights, including attack patterns, anomalies, and sensitive data risks, are streamed directly into the SIEM platform for centralized visibility. Traceable provides a seamless, secure, and scalable way to connect API security intelligence with enterprise security workflows by forwarding data through HEC. This integration connects Traceable events with threat data, helping teams investigate faster and strengthen overall response efforts.

> [!NOTE]
> **Note**
> 
> - HEC is available for Splunk and CrowdStrike integration. For more information, see [Generate the API Credentials from your SIEM platform](/docs/hec-integration#generate-the-api-credentials-from-your-siem-platform).
> - HEC is available across all environments.

---

## What will you learn in this topic?

By the end of this topic, you will be able to:

- Understand the need for HTTP Event Collector (HEC).
- Understand the prerequisites for the **CrowdStrike** or **Splunk** integration.
- Understand the steps to add a new HEC integration with Traceable.
- Understand the steps to set up a notification channel to receive updates about HEC.

---

## Before you begin

Make a note of the following before proceeding with the integration:

- (For *Splunk* only) Make sure that you have the HTTP Event Collector (HEC) URL and the API token from the Splunk platform. For more information, see [Generate the API Credentials from your SIEM platform](/docs/hec-integration#generate-the-api-credentials-from-your-siem-platform).
- (For *CrowdStrike* only) Make sure that you have the HTTP Event Collector (HEC) URL and the API token from the CrowdStrike platform. For more information, see [Generate the API Credentials from your SIEM platform](/docs/hec-integration#generate-the-api-credentials-from-your-siem-platform).

---

## **Generate the API Credentials from your SIEM platform**

Traceable allows you to integrate with the following SIEM platforms:

- Splunk
- CrowdStrike

Splunk SIEM gives you real-time monitoring and early threat detection so your team can identify issues quickly, respond faster, and stay ahead of modern threats. By using the Splunk HTTP Event Collector (HEC), you can send Traceable alert notifications over HTTP or HTTPS directly into Splunk, where your operations team can easily review and take the necessary actions. Traceable automatically sends threat activity and detection events to Splunk for analysis and investigation. This integration simplifies monitoring and gives your team a single place to capture and respond to critical security events quickly.

To fetch the *HTTP Event Collector URL* and the *API token* for Traceable integration, see [Configure HTTP Event Collector on Splunk Cloud Platform](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.1/get-data-with-http-event-collector/set-up-and-use-http-event-collector-in-splunk-web#ariaid-title4) and follow the steps. Now, you can use this *API token* and *URL* for HEC integration. For more information, see [Add New HTTP Event Collector Integration](/docs/hec-integration#step-1-—-add-new-http-event-collector-integration).

Traceable integrates with CrowdStrike via its SIEM/SOAR integration. CrowdStrike is a cloud-native platform that centralizes threat data and uses AI-driven analytics to detect and respond to security incidents. It helps us provide deep API security insights such as attack patterns, anomalous behaviors, and sensitive data exposure. This enables faster incident response, improved correlation with enterprise-wide threats, and a stronger overall security posture.

To fetch the *API Key (Token)* and the *API URL* for integrating with Traceable, log in to your CrowdStrike account and complete the following steps:

1. Navigate to **Data Connectors** → **Data Connections** in Falcon.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/image-20250520-120507 (3).png)
2. Select **HEC/HTTP Event Collector**, and click **Configure**.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Data_connectors_CrowdStrikw.png)
3. Under **Add new connector**, provide the **Connector details** and **Parser details** to configure it.
  1. Specify a suitable **data source** name, for example, *traceable*.
  2. Specify a **connector name**, for example, *traceable-http-collector*.
  3. Select *kv (Generic Source)* as the **Parsers**, and click **Save**.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/image-20250520-120902 (1)(1).png)
4. Click **Regenerate API Key** to fetch the *API key*.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/image (6) (1)(2).png)
5. Copy the *API URL* and the *API Key* required for the integration. For more information, see [CrowdStrike URL and API Token Generation](https://developer.crowdstrike.com/docs/openapi/).

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/API_KEY_CrowdStrike.png)

You can now use this *API key (token)* and the *API URL* for setting up the HEC integration. For more information, see [Add New HTTP Event Collector Integration](/docs/hec-integration#step-1-—-add-new-http-event-collector-integration).

---

## **Set up the integration**

The HTTP Event Collector (HEC) integration is configured to receive data over HTTP(s). You can set up this integration to allow Traceable to send security events directly to Splunk or CrowdStrike for real-time threat detection. To set up the integration, complete the following steps:

### Step 1 — Add New HTTP Event Collector Integration

Log in to your Traceable account, navigate to **Integrations** ( ![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/2025-07-09_12-58-50.png) ), and do one of the following:

- Under All Integrations, search for *HTTP Event Collector* in the search bar.
- Under All Integrations, navigate to **SIEM/SOAR** → **HTTP Event Collector**.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_hec_add_new_integration_window.png)

Add new HEC integration

In the **Add New HTTP Event Collector Integration** window, complete the following steps:

1. Specify the **Integration Name**, for example, *HTTP Event Collector*.
2. (Optional) Specify the **Description**, for example, *SIEM/SOAR int*.
3. Select either of the following from the **SIEM platforms** drop-down.
  1. [Splunk (HEC)](/docs/hec-integration#generate-api-credentials-from-your-siem-platform-for-hec-integration)
  2. [Crowdstrike Logscale](/docs/hec-integration#generate-api-credentials-from-your-siem-platform-for-hec-integration)
4. Specify the **URL of the HTTP Event Collector** fetched from the SIEM platform chosen above. For more information, see the [Before You Begin](/docs/hec-integration#before-you-begin) section.
5. Specify the **HTTP Event Collector API Token** fetched from the SIEM platform chosen above. For more information, see the [Before You Begin](/docs/hec-integration#before-you-begin) section.

> [!NOTE]
> Note
> 
> It is mandatory to provide a token while configuring this integration in Traceable.
6. Click **Test Connection**. Traceable validates the *URL* and the *API Token*. Once the validation succeeds, click **Save**.
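
A pre-flight check you can run on the URL and token before entering them above, as an added example that is not Traceable, Splunk, or CrowdStrike code: it rejects a plain-HTTP URL or a token embedded in the URL, then builds a single test-event request without printing the token. The host name and token are constructed values, and the `Bearer` scheme for CrowdStrike is an assumption; the HTTPS-only check is deliberately stricter than the integration, which also accepts HTTP.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# "Splunk <token>" is Splunk's documented HEC scheme. "Bearer <token>" for the
# CrowdStrike connector is an assumption; confirm it on the connector page.
AUTH_SCHEME = {"splunk": "Splunk", "crowdstrike": "Bearer"}


def build_hec_request(platform, hec_url, token, event):
    """Build a POST carrying one test event; reject settings that expose the token."""
    parts = urlsplit(hec_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("HEC URL must be an https:// URL with a host")
    if parts.username or parts.password or "token=" in parts.query.lower():
        raise ValueError("keep the token out of the URL; it ends up in proxy logs")
    if not token or token != token.strip():
        raise ValueError("token is empty or has stray whitespace from copy/paste")
    headers = {
        "Authorization": f"{AUTH_SCHEME[platform]} {token}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"event": event}).encode()
    return urllib.request.Request(hec_url, data=body, headers=headers, method="POST")


def redact(token):
    """Mask a token for log output, keeping only its last four characters."""
    return "*" * (len(token) - 4) + token[-4:] if len(token) > 8 else "****"


def send(request, timeout=10):
    """Send the request and return (status, body). Requires network access."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Constructed values: replace with the URL and token copied from your SIEM.
    url = "https://splunk.example.com:8088/services/collector/event"
    token = "00000000-0000-0000-0000-00000000abcd"
    req = build_hec_request("splunk", url, token, {"message": "HEC pre-flight test"})
    print("POST", req.full_url, "token", redact(token))
    # status, body = send(req)  # uncomment to send the event for real
```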

---

### Step 2 — Create a notification channel

You must create a notification channel to receive notifications when an event is triggered. To create a channel, log in to your Traceable account, navigate to **Settings** (![traceable_icon_settings](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_icon_settings.png)) → **Notifications** → **Create Channel**, and complete the following steps:

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_notification_HEC_toggle enabled_create_channel_window(1).png)

Create Channel

1. Specify a name for the channel, for example, *HEC_Channel*.
2. Enable the **HTTP Event Collector Webhook** toggle. For more information, see [Notifications](https://docs.traceable.ai/docs/notification#step-1-create-a-channel).
3. Once you have enabled the toggle, click **Save**.

---

### Step 3 — Set up a notification rule

Traceable sends a notification through the channel when an event matches the selected category and type. It allows you to be notified if any rule you create triggers an event. To set up the notification, log in to your Traceable account, navigate to **Settings** (![traceable_icon_settings](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_icon_settings.png)) → **Notifications** → **Create Notification**, and complete the following steps:

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_HEC_create_notification.png)

Create Notification

1. Specify a **Name** for your notification, for example, *HEC_notif*.
2. Select **Who should receive this notification** from the drop-down, for example, *Channel Based*.
3. Select the **Channel** that you created in [Step 2](/docs/hec-integration#step-2-—-create-a-notification-channel) above, from the drop-down, for example, *HEC_Channel*.
4. Select the **Category** from the drop-down. For more information, see [Notifications](https://docs.traceable.ai/docs/notification#step-2-create-a-notification-rule).
5. Select the **Threat Types** according to your requirements.
6. Select **All Environments** under **Environments**.
7. Click **Save**.

Once you have completed these steps, proceed to the [demo](/docs/hec-integration#try-the-interactive-hec-demo) for a hands-on interactive walkthrough of your HEC integration setup.

---

## Demo and Example

The following interactive demo walks you through the steps to navigate, integrate the HTTP Event Collector (HEC) with Traceable, and create channel notifications.

[Embedded content](https://demo.arcade.software/2uuIPsC5qyjD2pgD3weh)

After you configure the integration, Traceable monitors your application traffic and detects security events. When it identifies a threat, it generates a notification and sends the event data via the HTTP Event Collector (HEC).

## Related

- [Notifications](/notifications.md)
