Splunk Integration
Splunk has built-in support for a webhook alert action: when an alert triggers, Splunk sends an HTTP POST with a JSON description of the alert to the URL you configure. To point that webhook at Orchestrator, follow the steps below.
You can add the webhook action when creating a new alert or when editing the actions of an existing alert:
To create a new alert:
From the Search page in the Search and Reporting app, select Save As > Alert.
Enter the alert details, and configure triggering and throttling as needed.
To edit an existing alert:
From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert.
From the Add Actions menu, select Webhook.
Enter the URL for the webhook. The URL differs depending on whether you use the On-Premise Orchestrator or the Azure-based Orchestrator.
For the On-Premise setup, the URL format is:
{Orchestrator Site Path}/api/SIEM/splunk/alert (for example, http://localhost:5555/api/SIEM/splunk/alert). Note that the request is sent from the Splunk search head, so localhost only works when Splunk and Orchestrator run on the same machine; otherwise use a hostname the Splunk server can resolve and reach, and prefer an https site path so the alert contents do not travel in clear text.
For the Azure-based setup, the URL format is:
https://orchestrationapi.azurewebsites.net/api/event/splunk/alert?code={api-key}&orchid={id-of-orchestrator-from-portal}&orgId={organisation-id-from-portal}
The code parameter is your API key: anyone who can read the alert definition in Splunk can read it, so restrict who may edit these alerts and rotate the key if it leaks.
After providing the URL, click Save. You need to repeat this process for each alert rule you create.
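The following script is an added example, not code from the original page or from the Orchestrator product. It builds the webhook URL for either deployment from the pieces described above, validates the scheme, redacts the code parameter before the URL is logged, and can POST a constructed alert payload (modelled on the shape Splunk documents for its webhook action) so you can confirm the endpoint accepts traffic before creating the real alert rules. The sample site path, key, orchestrator id and organisation id are placeholders.

```python
"""Added example: build and smoke-test the Splunk -> Orchestrator webhook URL.

Not part of the original page; all identifiers below are assumptions/placeholders.
"""
import json
import urllib.parse
import urllib.request

ONPREM_PATH = "/api/SIEM/splunk/alert"
AZURE_BASE = "https://orchestrationapi.azurewebsites.net/api/event/splunk/alert"


def build_onprem_url(site_path: str, require_https: bool = True) -> str:
    """{Orchestrator Site Path}/api/SIEM/splunk/alert, with a scheme check.

    require_https defaults to True because the request originates on the Splunk
    search head and would otherwise carry alert contents in clear text.
    """
    base = site_path.rstrip("/")
    parts = urllib.parse.urlsplit(base)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"site path must be an absolute http(s) URL: {site_path!r}")
    if require_https and parts.scheme != "https":
        raise ValueError(f"refusing clear-text webhook URL: {site_path!r}")
    return base + ONPREM_PATH


def build_azure_url(api_key: str, orchestrator_id: str, org_id: str) -> str:
    """Azure form: code / orchid / orgId are query parameters, so URL-encode them."""
    query = urllib.parse.urlencode(
        {"code": api_key, "orchid": orchestrator_id, "orgId": org_id}
    )
    return f"{AZURE_BASE}?{query}"


def redact(url: str) -> str:
    """Mask the API key (the 'code' parameter) before a URL is logged or printed."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    pairs = [(k, "REDACTED" if k == "code" else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(pairs)))


# Constructed test payload following the field layout Splunk documents for the
# webhook alert action (result, sid, results_link, search_name, owner, app).
SAMPLE_ALERT = {
    "result": {"sourcetype": "syslog", "host": "web-01", "count": "8"},
    "sid": "scheduler__admin__search__RMD5example_at_1700000000_1",
    "results_link": "https://splunk.example.local:8000/app/search/@go?sid=example",
    "search_name": "Smoke test: Orchestrator webhook",
    "owner": "admin",
    "app": "search",
}


def send_test_alert(url: str, payload: dict = SAMPLE_ALERT, timeout: int = 10) -> int:
    """POST the payload the way Splunk's webhook action would; return HTTP status."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # On-premise: the page's own example, explicitly allowing http for a local test.
    onprem = build_onprem_url("http://localhost:5555", require_https=False)
    # Azure: placeholder key and portal ids.
    azure = build_azure_url("replace-with-api-key", "orch-0001", "org-42")
    for url in (onprem, azure):
        print("webhook URL:", redact(url))
        try:
            print("  status:", send_test_alert(url))
        except Exception as exc:  # unreachable host, TLS error, 4xx/5xx
            print("  test POST failed:", exc)
```

Run it once per deployment before saving alert rules; a 4xx or 5xx from the endpoint means the URL or key is wrong, and a connection error means the Splunk host cannot reach Orchestrator at that address. Only the redacted URL is ever printed.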