I'm trying to set up an open-source SOAR tool and need to get the results of a correlation search from Splunk. Using a webhook would be a way to do this, but is there any way to have the webhook not reach out externally and then come back into the internal server where the SOAR is hosted?
The internal server is not externally exposed, so this causes issues with the Splunk search head being able to reach the server. We are running Splunk on-prem. Thanks.
This sounds like a name resolution problem. Is your internal server on a fixed (internal) IP address? If so, use that in your webhook. If not, presumably the address is registered in a local name server? If so, configure your DNS lookup to query that server first. Alternatively, you might be able to hard-code the address resolution in your hosts file (/etc/hosts for example).
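Added example (not from any poster in this thread): a shell check to run on the Splunk search head that walks the three options above. It extracts the hostname from the webhook URL, resolves it through the same resolver order the alert action uses (hosts file, then the configured nameservers), tells you whether the answer is an internal address, and prints the /etc/hosts line that would pin it. The URL `https://soar.internal.example/webhook/splunk` is a constructed placeholder.

```shell
#!/bin/sh
# Added diagnostic for the search head: does the SOAR webhook hostname resolve,
# and does the answer stay internal? The default URL is a constructed placeholder.
WEBHOOK_URL="${1:-https://soar.internal.example/webhook/splunk}"

# Bare hostname from a webhook URL: drop scheme, userinfo, port and path.
extract_host() {
    h="${1#*://}"; h="${h%%/*}"; h="${h##*@}"; h="${h%%:*}"
    printf '%s\n' "$h"
}

# "Internal" decided by the address itself: RFC 1918, loopback, IPv6 ULA/link-local.
is_internal_addr() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[0-1].*) return 0 ;;
        ::1|fc*|fd*|fe80:*) return 0 ;;
        *) return 1 ;;
    esac
}

# The /etc/hosts line that would pin the name to an internal address.
hosts_line() {
    printf '%s\t%s\n' "$1" "$2"
}

# Resolve through the system resolver order (hosts file first, then the
# nameservers in resolv.conf), which is the path Splunk's alert action takes.
resolve_host() {
    getent hosts "$1" 2>/dev/null | awk '{print $1; exit}'
}

check_webhook() {
    host=$(extract_host "$1")
    addr=$(resolve_host "$host")
    if [ -z "$addr" ]; then
        echo "$host: no answer from this search head's resolver"
        echo "  pin it: $(hosts_line '<internal-ip>' "$host")  >> /etc/hosts"
        return 2
    elif is_internal_addr "$addr"; then
        echo "$host -> $addr (internal; the webhook stays on-prem)"
        return 0
    fi
    echo "$host -> $addr (public; the resolver is answering externally)"
    echo "  fix: query the internal DNS server first, or pin it: $(hosts_line '<internal-ip>' "$host")"
    return 1
}
check_webhook "$WEBHOOK_URL" || true
```

Run it as `sh check_webhook.sh 'https://your-soar-host/webhook'` on the search head; a public address or no answer means the resolver order, not Splunk, is what needs changing.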
Hi @st1
You can use any webhook address you want for the webhook URL from your Splunk SH. Does your SOAR tool present a webhook endpoint that you can send to? If not, you will need some sort of middle-man webhook system to forward the request.
Ultimately, if the endpoint you are sending to is internal then you can use this and it therefore wouldn't go externally.
The SOAR tool does present a webhook, but since the tool is hosted on an internal-only server, our Splunk server is trying to reach the webhook by resolving the webhook address externally. What I'm wondering is whether there is a way to force Splunk to resolve that webhook address internally only, without having to use a middleman service.