Hi @jagan_jijo

Both ES and ITSI have their own use-cases and strengths. They can also exist together in the same Splunk deployment, but ultimately ITSI is used for IT Operations Monitoring (e.g. alerting based on availability of services, Key Performance Indicators etc.), whereas ES is all about Security Monitoring. If you're looking at pulling ES incidents then there is an additional set of APIs that you can make use of (see https://docs.splunk.com/Documentation/ES/8.0.40/API/AboutSplunkESAPI).

What is the system you are looking to integrate with here? The Better Webhooks is just a free app which can be installed within your Splunk environment, just like a custom webhook app would, however there isn't anything stopping you from building your own Splunk alert action custom app to do the same thing if you don't want to use the community-built app. https://dev.splunk.com/enterprise/docs/devtools/customalertactions/ is a good starting point for building a custom alert action, which has a Slack alert example that you might be able to modify. Alternatively you could download the Better Webhook app to see how that is coded and build as required.

Just for clarity, the Better Webhook app would be as "native" within Splunk as a custom webhook app would be; both would tie in to the alert action framework, it isn't something you have to host separately.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
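To make the "build your own alert action" route concrete, here is an added example of the script half of a custom webhook alert action. It is illustration written for this page, not code from the Better Webhooks app or from Splunk's docs. It assumes the shape Splunk uses when it invokes a custom alert action script (`script.py --execute` with a JSON payload on stdin carrying `search_name`, `sid`, `result`, `configuration` and `results_link`); the `url` and `token` parameter names inside `configuration` are this example's own choice, and the sample payload is constructed. The hardening points a defender would want are in the helpers: https-only webhook URLs, a bounded request timeout, a cap on how much raw event text is forwarded, and the token sent only as a header rather than logged.

```python
#!/usr/bin/env python3
"""Minimal custom alert action script (example only, not the Better Webhooks app).

Splunk runs a custom alert action script as `script.py --execute` and writes a
JSON payload to stdin. The top-level keys used below (search_name, sid, result,
configuration, results_link) follow Splunk's documented payload shape; the
`url` / `token` names inside `configuration` are assumptions for this example.
"""
import json
import sys
import urllib.request
from urllib.parse import urlparse

MAX_MESSAGE_CHARS = 1000  # cap how much raw event text leaves Splunk


def parse_payload(raw: str) -> dict:
    """Parse the JSON payload Splunk writes to stdin; fail loudly if malformed."""
    payload = json.loads(raw)
    if "result" not in payload or "configuration" not in payload:
        raise ValueError("payload missing required keys 'result'/'configuration'")
    return payload


def build_webhook_body(payload: dict) -> dict:
    """Map the Splunk payload to the JSON document the downstream system expects."""
    result = payload["result"]
    return {
        "alert": payload.get("search_name", ""),
        "sid": payload.get("sid", ""),
        "host": result.get("host", ""),
        "severity": result.get("severity", "unknown"),
        "message": result.get("_raw", "")[:MAX_MESSAGE_CHARS],
        "results_link": payload.get("results_link", ""),
    }


def validate_url(url: str) -> str:
    """Only allow https webhooks so alert data (and the token) never travel in clear."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-https webhook URL: {url!r}")
    return url


def send_webhook(url: str, body: dict, token: str = "", timeout: int = 10) -> int:
    """POST the body as JSON and return the HTTP status (network; not exercised offline)."""
    req = urllib.request.Request(
        validate_url(url),
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if token:
        req.add_header("Authorization", f"Bearer {token}")  # never written to the log
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample payload, mimicking what Splunk would pipe to stdin.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Failed logins threshold",
    "sid": "scheduler__admin__search__RMD5abc_at_1700000000_1",
    "results_link": "https://splunk.example.internal:8000/app/search/@go?sid=PLACEHOLDER",
    "result": {"host": "dc01", "severity": "high", "_raw": "Failed password for root"},
    "configuration": {"url": "https://hooks.example.internal/splunk", "token": "PLACEHOLDER"},
})


def main() -> int:
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL expected --execute\n")  # stderr ends up in splunkd.log
        return 1
    payload = parse_payload(sys.stdin.read())
    cfg = payload["configuration"]
    status = send_webhook(cfg["url"], build_webhook_body(payload), cfg.get("token", ""))
    sys.stderr.write(f"INFO webhook returned {status}\n")
    return 0 if 200 <= status < 300 else 2


if __name__ == "__main__":
    sys.exit(main())
```

The script is only half of an alert action app; the matching `alert_actions.conf` stanza and the setup UI that collects `url` and `token` are described in the Splunk developer page linked above. Keeping the webhook token in the action's configuration (rather than hard-coded in the script) is what lets you rotate it without redeploying the app.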