Splunk Enterprise Security

Using Webhook to send data to internal server?

st1
Path Finder

I'm trying to set up an open-source SOAR tool and need to get the results of a correlation search from Splunk. Using a webhook would be a way to do this, but is there any way to have the webhook not reach out externally and then come back into the internal server where the SOAR is hosted?

The internal server is not externally exposed, so this causes an issue with the Splunk search head being able to reach the server. We are running Splunk on-prem. Thanks.


livehybrid
SplunkTrust

Hi @st1 

You can use any webhook address you want for the webhook URL from your Splunk SH - Does your SOAR tool present a webhook endpoint that you can send to? If not you will need some sort of middle-man webhook system to forward the request.

Ultimately, if the endpoint you are sending to is internal then you can use this and it therefore wouldn't go externally.


st1
Path Finder

The SOAR tool does present a webhook, but since the tool is hosted on an internal-only server, our Splunk server is trying to reach the webhook by resolving the webhook address externally. What I'm wondering is whether there is a way to force Splunk to only resolve that webhook address internally, without having to use a middleman service.


ITWhisperer
SplunkTrust

This sounds like a name resolution problem. Is your internal server on a fixed (internal) ip address? If so, use that in your webhook. If not, presumably the address is registered in a local name server? If so, configure your DNS lookup to query that server first. Alternatively, you might be able to hard-code the address resolution in your hosts file (/etc/hosts for example).
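As an added illustration of the name-resolution point above (example script, not from the thread or from Splunk), the check below can be run on the search head before saving the webhook alert action: it resolves the host in the webhook URL with the system resolver (hosts file first, then DNS, in `nsswitch.conf` order) and only accepts the URL if every returned address is loopback or RFC 1918 private space, so correlation search results are never posted to whatever an external resolver happens to answer. The URLs and hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that a Splunk webhook URL points at an internal host.

# Extract the host part of a URL: strip scheme, path, userinfo and port.
webhook_host() {
  host=${1#*://}          # drop "https://"
  host=${host%%/*}        # drop "/path"
  host=${host##*@}        # drop "user:pass@"
  host=${host%%:*}        # drop ":port"
  printf '%s\n' "$host"
}

# Return 0 if the IPv4 address is loopback (127/8) or RFC 1918 private space.
is_private_ip() {
  case "$1" in
    127.*|10.*|192.168.*) return 0 ;;
    172.*)
      second=${1#172.}; second=${second%%.*}
      case "$second" in ''|*[!0-9]*) return 1 ;; esac
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
  esac
  return 1
}

# Return 0 if the argument is a dotted-quad IPv4 literal (no lookup needed).
is_ipv4_literal() {
  case "$1" in
    ''|*[!0-9.]*) return 1 ;;
    *.*.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the URL host and fail unless every IPv4 answer is private.
check_webhook_url() {
  host=$(webhook_host "$1")
  if is_ipv4_literal "$host"; then
    addrs=$host
  else
    addrs=$(getent ahostsv4 "$host" 2>/dev/null | awk '{print $1}' | sort -u)
  fi
  [ -n "$addrs" ] || { echo "UNRESOLVED $host"; return 2; }
  for a in $addrs; do
    is_private_ip "$a" || { echo "EXTERNAL $host -> $a"; return 1; }
  done
  printf 'INTERNAL %s -> %s\n' "$host" "$(printf '%s ' $addrs)"
}

# Usage: sh check_webhook.sh https://soar.internal.example:8443/hooks/splunk
if [ -n "${1:-}" ]; then check_webhook_url "$1"; fi
```

An EXTERNAL or UNRESOLVED result means the search head would not deliver to the internal SOAR host and the hosts-file or DNS fix suggested above is needed before the alert action goes live.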
