Splunk Enterprise Security

Send ES notable events to third party API

New Member

Hello,

I am trying to send notable events to a third-party API. Can I use a webhook to POST notable event details to a third-party API?

Also, please let me know if anyone has configured webhook as ES adaptive response.

Thanks,
NK

0 Karma

Champion

I don't see why not, since you can use any normal alert action within ES by running it against the notable index (using the notable macro). You can do this from search too using Splunk's built-in alert action interface (i.e. you don't have to use ES' Adaptive Response UI if you don't want to).

BTW: this answer assumes that you want to send events via a search and not on an ad-hoc basis. I'm assuming this because I think this would be the more common use-case.

0 Karma
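As an added illustration of the approach described above (this is not from the original thread): a saved search that runs the ES `notable` macro on a schedule and attaches Splunk's built-in webhook alert action. The stanza name, the field list, the schedule and the destination URL are assumptions for this example; adjust them to your environment.

```ini
# savedsearches.conf (in your own app's local/ directory)
# Stanza name, field list, schedule and URL are assumptions for this example.
[Forward new notables to third-party API]
# Pull open notables from the last 15 minutes via the ES `notable` macro.
search = `notable` | search status_label!="Closed" \
    | table _time event_id rule_name urgency security_domain status_label owner src dest
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
# Fire the action when the search returns at least one notable.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# One POST per notable rather than a single POST per search run.
alert.digest_mode = 0
alert.suppress = 0
# Built-in webhook alert action: POSTs a JSON body to the configured URL.
action.webhook = 1
action.webhook.param.url = https://api.example.com/ingest/splunk-notables

# alert_actions.conf: recent Splunk Enterprise releases only deliver webhooks to
# destinations matching an allow-list regex, so the API host must be listed here.
[webhook]
enable_allowlist = true
allowlist.third_party_api = ^https://api\.example\.com/.*
```

The body Splunk sends is JSON with the keys `sid`, `search_name`, `app`, `owner`, `results_link` and `result` (the fields of one result), so the receiving API parses those rather than a raw notable. The built-in action takes only a URL and cannot add custom authentication headers; if the API requires a token header rather than a URL-based secret, a custom Adaptive Response action is the way to supply it.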

Splunk Employee

I suggest you use the Splunk Add-on Builder to build an Adaptive Response action that would POST to the third-party API (or to the webhook).