Alerting

Is it possible to have an alert action be a POST to an external REST API and use macros for fields within the alert event?

jodros
Builder

Thanks

0 Karma

frobinson_splun
Splunk Employee

Hi @jodros,
If you are using the latest version of Splunk software, I would suggest taking a look at the webhook alert action. Here is some documentation about it:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Webhooks

Webhooks can POST information from an alert to an external web resource.

Hope this helps! Let me know if you need other suggestions.
All best,
@frobinson_splunk

jodros
Builder

George, I heard you talk at Splunk Live ATL. Were you the one with the quarantine integration on IPS for bad actors? If so, could we talk off list?

0 Karma

starcher
SplunkTrust

Yup, that is me. That code is represented in the repo. Though I do need to redo all this in the new alert framework as mentioned by frobinson above in the comments. george@georgestarcher.com will reach me.

0 Karma

jodros
Builder

I saw this as a new feature with 6.3 and will test. However, based on my reading, it doesn't look to be very configurable or to support the macros I would want: source and/or destination IP, source and/or destination port, etc.

frobinson_splun
Splunk Employee

Understandable. Depending on your use case, you can also build a custom alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.0/AdvancedDev/ModAlertsIntro

0 Karma

jodros
Builder

Thanks starcher. I figured it would probably come down to a python script, but I am not a very strong script writer. I will try to research a bit and see what I can find to create a script for this sort of integration.

0 Karma

starcher
SplunkTrust

You can use my code as a model/base. It is MIT licensed, so you are free to use it how you wish, with the only restriction being don't blame me if you don't like it 😃

0 Karma

starcher
SplunkTrust

You can always make your own python code and send in the results in a table csv for it to act on. Similar to what I do here: https://github.com/georgestarcher/Splunk-Alert/tree/master/XARF Not GUI-simple, but it works.

0 Karma
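A worked example, added here and not code from the thread or from the Splunk-Alert repository: a custom alert action script in the style of the modular alert framework frobinson linked, which reads the alert payload, renders Splunk-style `$result.field$` tokens for the fields jodros asked about (source/destination IP and port), and POSTs the rendered JSON to the REST endpoint configured for the action. It assumes the 6.3 modular alert contract (Splunk runs the script with `--execute` and writes a JSON payload to stdin carrying `result`, `results_file`, `configuration` and `search_name`), and it is written for Python 3. The endpoint URL, the field names, the `url` parameter name and the sample rows are constructed for illustration.

```python
#!/usr/bin/env python3
"""Custom alert action: POST alert fields to an external REST API.

Constructed example (not the thread's or the Splunk-Alert repo's code).
Assumed modular-alert contract: invoked as `script.py --execute` with a JSON
payload on stdin; `result` is the first result row, `results_file` a gzipped
CSV of all rows, `configuration` the params set in alert_actions.conf."""
import csv
import gzip
import json
import re
import sys
import tempfile
import urllib.error
import urllib.request

# Splunk-style tokens: $result.<field>$ reads a result column,
# $<name>$ reads a top-level payload key such as search_name.
TOKEN_RE = re.compile(r"\$(result\.)?([A-Za-z0-9_]+)\$")

# Hypothetical mapping of API body keys to token templates.
DEFAULT_FIELD_MAP = {
    "source_ip": "$result.src_ip$",
    "source_port": "$result.src_port$",
    "dest_ip": "$result.dest_ip$",
    "dest_port": "$result.dest_port$",
    "alert": "$search_name$",
}


def render_template(template, result, context=None):
    """Substitute tokens. Unknown tokens become "" so the literal token
    text never leaks into the request sent to the remote API."""
    context = context or {}

    def substitute(match):
        if match.group(1):  # $result.field$
            return str(result.get(match.group(2), ""))
        return str(context.get(match.group(2), ""))

    return TOKEN_RE.sub(substitute, template)


def build_body(payload, field_map):
    """Render every template in field_map against one alert payload."""
    result = payload.get("result", {})
    context = {k: v for k, v in payload.items() if k != "result"}
    return {key: render_template(tmpl, result, context) for key, tmpl in field_map.items()}


def read_results(results_file):
    """Load all rows from the gzipped CSV Splunk hands to the action;
    `result` alone only carries the first row."""
    with gzip.open(results_file, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def write_sample_results():
    """Constructed two-row results file (RFC 5737 test addresses)."""
    tmp = tempfile.NamedTemporaryFile(suffix=".csv.gz", delete=False)
    tmp.close()
    with gzip.open(tmp.name, "wt", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["src_ip", "src_port", "dest_ip", "dest_port"])
        writer.writerow(["198.51.100.7", "51234", "192.0.2.10", "443"])
        writer.writerow(["203.0.113.9", "40022", "192.0.2.11", "22"])
    return tmp.name


def post_json(url, body, timeout=10):
    """POST a JSON document; returns the HTTP status code."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main():
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL expected --execute\n")
        return 1
    payload = json.loads(sys.stdin.read())
    url = payload.get("configuration", {}).get("url")  # hypothetical param name
    if not url:
        sys.stderr.write("FATAL no url set in alert_actions.conf\n")
        return 2
    rows = read_results(payload["results_file"]) if payload.get("results_file") \
        else [payload.get("result", {})]
    for row in rows:  # one request per row, not just the first result
        body = build_body(dict(payload, result=row), DEFAULT_FIELD_MAP)
        try:
            sys.stderr.write("INFO posted status=%d\n" % post_json(url, body))
        except (urllib.error.URLError, OSError) as exc:
            sys.stderr.write("ERROR post failed: %s\n" % exc)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Splunk logs what the script writes to stderr, so the INFO/ERROR lines show up in the internal log for troubleshooting failed posts. Iterating over `results_file` rather than only `result` matters for the quarantine use case: an alert that returns several offending addresses would otherwise only act on the first one.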