https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438432#M11404 <P>I have a SOC (Security Operation Center) that has an API to receive alert content from splunk（splunk version 6.4.4）.When the alert is triggered, I hope Splunk can send the alert contents to SOC API. So what way should I send the alert type to SOC API?<BR /> The fields and contents of each alert are different. In addition, it can be formatted as JSON?<BR /> Should I use the <CODE>Run a script</CODE> action? Is there a best way sent alert content to SOC API ?</P> Wed, 06 Jun 2018 02:35:57 GMT bestSplunker 2018-06-06T02:35:57Z https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438432#M11404 <P>I have a SOC (Security Operation Center) that has an API to receive alert content from splunk（splunk version 6.4.4）.When the alert is triggered, I hope Splunk can send the alert contents to SOC API. So what way should I send the alert type to SOC API?<BR /> The fields and contents of each alert are different. In addition, it can be formatted as JSON?<BR /> Should I use the <CODE>Run a script</CODE> action? Is there a best way sent alert content to SOC API ?</P> Wed, 06 Jun 2018 02:35:57 GMT https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438432#M11404 bestSplunker 2018-06-06T02:35:57Z https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438433#M11405 <P>Yes, you can use webhook and Specify an URL to send JSON payload via HTTP POST. Refer below documentation. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/Webhooks">http://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/Webhooks</A></P> Wed, 06 Jun 2018 02:40:58 GMT https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438433#M11405 pradeepkumarg 2018-06-06T02:40:58Z https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438434#M11406 <P>@gpradeepkumarreddy ok, So My SOC system needs access result_link of json payload, then can get the alert content</P> Wed, 06 Jun 2018 02:59:24 GMT https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438434#M11406 bestSplunker 2018-06-06T02:59:24Z https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438435#M11407 <P>This is the other way around, Splunk posts the response to the URL you specify.</P> Thu, 07 Jun 2018 00:09:23 GMT https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438435#M11407 pradeepkumarg 2018-06-07T00:09:23Z https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438436#M11408 <P><CODE>Run a script</CODE> is a deprecated feature, though I don't believe that it is in version 6.4.4. I would suggest doing a future-proof way of handling this, though I'm not sure if version 6.4.4 has an alternative (it has been a while since I ran 6.4, but I believe that this functionality will go back to 6.3). In recent releases you can create an <CODE>custom alert action</CODE> and send any of the applicable data from the search to the API that you are using. It won't have to be a JSON string through a REST API if your API doesn't handle that. You can program any type of interface that you need. The custom alert action also has many UI advantages over the <CODE>Run a script</CODE> action. Here is some documentation that might prove helpful to you:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.4/AdvancedDev/ModAlertsIntro">http://docs.splunk.com/Documentation/Splunk/6.4.4/AdvancedDev/ModAlertsIntro</A></P> Thu, 07 Jun 2018 00:25:47 GMT https://community.splunk.com/t5/Alerting/Is-there-a-best-way-sent-alert-content-to-a-API-interface-of/m-p/438436#M11408 cpetterborg 2018-06-07T00:25:47Z