Is it possible to have an alert action be a POST to an external REST API and use macros for fields within the alert event?
Thanks
Hi @jodros,
If you are using the latest version of Splunk software, I would suggest taking a look at the webhook alert action. Here is some documentation about it:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Webhooks
Webhooks can POST information from an alert to an external web resource.
Hope this helps! Let me know if you need other suggestions.
All best,
@frobinson_splunk
George, I heard you talk at Splunk Live ATL. Were you the one with the quarantine integration on IPS for bad actors? If so, could we talk off list?
Yup, that is me. That code is represented in the repo, though I do need to redo all this in the new alert framework, as mentioned by frobinson above in the comments. george@georgestarcher.com will reach me.
I saw this as a new feature with 6.3 and will test. However, based on my reading, it doesn't look to be very configurable or to support the macros I would want: source and/or destination IP, source and/or destination port, etc.
Understandable. Depending on your use case, you can also build a custom alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.0/AdvancedDev/ModAlertsIntro
Thanks starcher. I figured it would probably come down to a python script, but I am not a very strong script writer. I will try to research a bit and see what I can find to create a script for this sort of integration.
You can use my code as a model/base. It is MIT licensed, so you are free to use it however you wish, with the only restriction being: don't blame me if you don't like it 😃
You can always write your own Python code and send in the results as a CSV table for it to act on, similar to what I do here (not GUI-simple, but it works): https://github.com/georgestarcher/Splunk-Alert/tree/master/XARF
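To make the custom-alert-action route concrete (the ModAlertsIntro link above and starcher's suggestion of a Python script), here is an added example of what such a script does: read the JSON payload Splunk hands the script on stdin when it runs it with --execute, expand $result.field$ style tokens against that payload, and POST the resulting JSON body to an external REST API. This is not code from the thread or from the Splunk-Alert repo. The template keys, the configuration parameter name "url", the sample payload and the endpoint hostnames are constructed for illustration; the payload shape (search_name, results_link, configuration, result) follows the modular alert framework, and urllib.request means it needs a Python 3 interpreter rather than the Python 2 that shipped with Splunk 6.3.

```python
#!/usr/bin/env python3
"""Custom (modular) alert action sketch: read Splunk's JSON payload from stdin
and POST selected result fields to an external REST endpoint.

Added example for this thread, not code from the original posts or from the
georgestarcher/Splunk-Alert repo. Template keys, the 'url' configuration
parameter, endpoint hostnames and the sample payload are constructed.
"""
import json
import re
import sys
import urllib.request

# Tokens look like $result.src_ip$ or $search_name$ (dotted path into payload).
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")

# Constructed body template describing what the external API should receive.
DEFAULT_TEMPLATE = {
    "source": "splunk",
    "alert": "$search_name$",
    "src_ip": "$result.src_ip$",
    "src_port": "$result.src_port$",
    "dest_ip": "$result.dest_ip$",
    "dest_port": "$result.dest_port$",
    "link": "$results_link$",
}

def resolve(name, payload):
    """Walk a dotted token name through the payload; missing -> empty string,
    so a field absent from this result never leaks the literal $token$."""
    node = payload
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return str(node)

def expand_tokens(value, payload):
    """Recursively substitute $tokens$ inside strings, dicts and lists."""
    if isinstance(value, str):
        return TOKEN_RE.sub(lambda m: resolve(m.group(1), payload), value)
    if isinstance(value, dict):
        return {k: expand_tokens(v, payload) for k, v in value.items()}
    if isinstance(value, list):
        return [expand_tokens(v, payload) for v in value]
    return value

def build_body(payload, template=DEFAULT_TEMPLATE):
    """Return the fully expanded request body as a dict."""
    return expand_tokens(template, payload)

def build_request(payload, template=DEFAULT_TEMPLATE):
    """Return (url, json_bytes). The destination URL comes from the alert's
    own configuration stanza (constructed parameter 'url'), not from code."""
    url = payload.get("configuration", {}).get("url", "")
    return url, json.dumps(build_body(payload, template)).encode("utf-8")

def send(url, body, timeout=10):
    """POST the body and return the HTTP status code (network; not in tests)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

# Constructed sample payload in the shape Splunk passes to --execute.
SAMPLE_PAYLOAD = {
    "search_name": "IPS bad actor",
    "results_link": "https://splunk.example.invalid/app/search/@go?sid=123",
    "configuration": {"url": "https://api.example.invalid/quarantine"},
    "result": {"src_ip": "203.0.113.7", "src_port": "51515",
               "dest_ip": "198.51.100.20", "dest_port": "443"},
}

if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--execute"
    payload = json.loads(sys.stdin.read()) if live else SAMPLE_PAYLOAD
    url, body = build_request(payload)
    print(url)
    print(body.decode())
    if live and url:
        print("status", send(url, body))
```

Run without arguments for an offline dry run that prints the URL and body built from the sample payload; under Splunk the script is invoked with --execute and the real payload on stdin. Note that "result" in the payload is only the first row of the alert's results; the payload's results_file points at the gzipped CSV of all rows, which is the table starcher refers to when an action needs every matching event rather than one.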