https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-push-or-pull-from-Enterprise-Security-notable-events/m-p/401183#M4552 <P>For number 2, I was thinking you would be writing a custom search command in Python. Thus, it wouldn't be doing it without coding.</P> <P>For this reason, I would try to get number three to work first.</P> Thu, 04 Oct 2018 21:18:14 GMT LukeMurphey 2018-10-04T21:18:14Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-push-or-pull-from-Enterprise-Security-notable-events/m-p/401180#M4549 <P>I have a scenario which I can explain with an example. I am implementing a 3rd party service which takes action based on notable events in Splunk Enterprise Security.</P> <P>For example, every time there is a new "Geographically Improbable Access Detected" notable event, I want to extract the user details and process them.</P> <P>What is the best way to get notified by Splunk?</P> <P>(1) Is it that I run a query remotely using Splunk REST API regularly for the relevant notable events?</P> <P>(2) Is there a way Splunk can invoke my REST end point every time there is a new relevant event?</P> <P>(3) Splunk alerts + webhook? (this way, I think I can get only first matching relevant event instead of all).</P> <P>Thanks a ton in advance</P> Wed, 26 Sep 2018 23:23:40 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-push-or-pull-from-Enterprise-Security-notable-events/m-p/401180#M4549 alpsholic 2018-09-26T23:23:40Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-push-or-pull-from-Enterprise-Security-notable-events/m-p/401181#M4550 <P>Here are some thoughts</P> <P><STRONG>(1) Is it I run a query remotely using Splunk REST API regularly for the relevant notable events?</STRONG></P> <P>You can do this by remotely a search. I wrote a script showing how this can be done using the Python library that is built into Splunk: <A href="https://gist.github.com/LukeMurphey/cbd8a4093e2a9e922038117cd4eceb00">https://gist.github.com/LukeMurphey/cbd8a4093e2a9e922038117cd4eceb00</A>. You ought to be able to reuse the get_notables() function to get what you need.</P> <P>You can also use the <A href="http://dev.splunk.com/view/python-sdk/SP-CAAAEE5">Splunk Python SDK</A> to do this.</P> <P><STRONG>(2) Is there a way Splunk can invoke my REST end point every time there is a new relevant event?</STRONG></P> <P>There are multiple ways you could do this. I think you could do this using a search command which would run in a search that examines the notable index (via the notable macro, <CODE>notable</CODE>).</P> <P>You can see an example of how to write a custom search command here: <A href="https://github.com/LukeMurphey/splunk-search-command-example">https://github.com/LukeMurphey/splunk-search-command-example</A></P> <P>In the end, you would have a search that looks something like this:</P> <PRE><CODE>`notable` | mysearchcommand </CODE></PRE> <P>You would want to make sure that the search does not overlap in execution in order to prevent it from processing the same results repeatedly.</P> <P><STRONG>(3) Splunk alerts + webhook? (this way, I think I can get only first matching relevant event instead of all).</STRONG></P> <P>If it were me, I would likely choose this route. I think this would avoid having to do any coding. I think you could get it trigger for each result by changing the value for the trigger to "For each result".</P> Thu, 27 Sep 2018 17:33:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-push-or-pull-from-Enterprise-Security-notable-events/m-p/401181#M4550 LukeMurphey 2018-09-27T17:33:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-push-or-pull-from-Enterprise-Security-notable-events/m-p/401182#M4551 <P>In (2) I did not get how Splunk can send the results to my REST end point by itself? Say something like, I tell Splunk "Send every new 'Geographically Improbable Access Detected' event to <A href="https://myapp.com/newevent">https://myapp.com/newevent</A>"??</P> Fri, 28 Sep 2018 00:26:18 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-push-or-pull-from-Enterprise-Security-notable-events/m-p/401182#M4551 alpsholic 2018-09-28T00:26:18Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-push-or-pull-from-Enterprise-Security-notable-events/m-p/401183#M4552 <P>For number 2, I was thinking you would be writing a custom search command in Python. Thus, it wouldn't be doing it without coding.</P> <P>For this reason, I would try to get number three to work first.</P> Thu, 04 Oct 2018 21:18:14 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-push-or-pull-from-Enterprise-Security-notable-events/m-p/401183#M4552 LukeMurphey 2018-10-04T21:18:14Z