Alerting

Can the webhook payload for an alert be configured?

strayhud
New Member

Is it possible to configure the webhook payload for an alert? I would like to send alerts to BigPanda which requires the payload to contain a specific set of tags in JSON format. There is a BigPanda app for on-prem versions of Splunk, but I'm trying to integrate the SaaS based version. I couldn't find an answer to this in the docs or any other questions on here.

Second question if its not possible to configure the payload - how can I call a script from the SaaS based instance of Splunk? When I choose this as an option it prompts for a path under $splunk_home, but not sure where that is in the SaaS version.

Thanks,
Steve

Labels (1)
0 Karma
1 Solution

starcher
Influencer

You have to go through a support ticket to get support to install Splunk apps for you into a Splunk cloud instance.

View solution in original post

0 Karma

aymonfoa
Engager

I dont know if this is a bit overkill but you could write a python app to receive the wehook, and then recompose the json - I've been messing around with this today.  So you'd end up with a gateway - but a stateless one - here's some code - it's a spike, so dont take it too literally:

It creates an endpoint http://localhost:5000/splunk were you can take the use in splunk as a webhook target and take the original json payload and change its shape and post it to a discord channel (no cost etc.)

from asyncio.log import logger
from email import header
from urllib import response
import requests
import json
from loguru import logger
from flask import Flask, request, json

app = Flask(__name__)

def discord_message(url, message):
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-HTTP-Method-Override": "PUT"
    }
    data = {
     "content": message
    }
    payload = json.dumps(data)
    logger.info(f'Sending webhook message {message}')
    response = requests.post(url, headers=headers, data=payload)
    logger.info(f'{response}')


@app.route('/splunk',methods=['POST'])
def splunk():
    data = request.json
    logger.debug(data)
    discord_webhook = "https://discordapp.com/api/webhooks/SOME_WEBHOOK!!"
    message = (f'Attack detected see search: {data["results_link"]}')
    discord_message(discord_webhook, message)
    logger.debug(message)
    return data


def main():
  app.run(debug=True, host="0.0.0.0")


if __name__ == "__main__":
    main()

if there's a better way of doing this Id really be interested 🙂 ... hmm thinking about it an aws have some really interesting event bridge logic you could prob use and plumb it into a lambda

0 Karma

mobiuscraigr
New Member

Hi, can anyone answer the first original question of; is it possible to configure the Webhook JSON payload so that we can send our own payload and not just the default payload? Thank you. - - -CraigR

0 Karma

edikmkoyan
New Member

as @starcher said you need to check the splunkbase first and ask them to install the app if it is there. Splunkbase is a catalogue of cloud add-ons. If it is not there you need to fire another ticket, the application should go through the vetting process, and you will get a vetting report.

0 Karma

starcher
Influencer

You have to go through a support ticket to get support to install Splunk apps for you into a Splunk cloud instance.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...