I have a scenario which I can explain with an example. I am implementing a third-party service which takes action based on notable events in Splunk Enterprise Security.
For example, every time there is a new "Geographically Improbable Access Detected" notable event, I want to extract the user details and process them.
What is the best way to get notified by Splunk?
(1) Is it that I run a query remotely using the Splunk REST API at regular intervals for the relevant notable events?
(2) Is there a way Splunk can invoke my REST endpoint every time there is a new relevant event?
(3) Splunk alerts + webhook? (This way, I think I can get only the first matching relevant event instead of all of them.)
Thanks a ton in advance
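As an added example (not part of the original post, and not Splunk's own code), here is the receiving side of option (3): parse the JSON body that Splunk's webhook alert action POSTs, which carries only the first result plus the search job's `sid`, then use that `sid` to pull the complete result set from the `search/jobs/{sid}/results` REST endpoint and de-duplicate on `event_id` so re-runs of the same correlation search do not process the same notable twice. The hostname, token and sample payload are constructed; the field names `event_id`, `rule_name`, `user` and `src` are assumed Enterprise Security notable-event fields.

```python
import json
import ssl
import urllib.parse
import urllib.request
from typing import Dict, List, Set

# Constructed sample of the JSON body Splunk posts from a webhook alert action.
# Splunk includes only the *first* matching row under "result"; "sid" identifies
# the saved-search job whose full result set can be fetched over REST.
SAMPLE_WEBHOOK_BODY = json.dumps({
    "result": {
        "event_id": "A1B2C3@@notable@@0001",      # constructed value
        "rule_name": "Geographically Improbable Access Detected",
        "user": "jdoe",
        "src": "203.0.113.10",
        "_time": "1700000000",
    },
    "sid": "scheduler__admin__search__RMD5example_at_1700000000_1",   # constructed
    "results_link": "https://splunk.example.invalid:8000/app/search/@go?sid=...",
    "search_name": "ES - Geographically Improbable Access - Rule",
    "owner": "admin",
    "app": "SplunkEnterpriseSecuritySuite",
})

RULE = "Geographically Improbable Access Detected"


def parse_webhook(body: str) -> Dict[str, object]:
    """Pull the job id, search name and first result out of a webhook POST body.
    Raises ValueError when mandatory keys are absent, so a malformed or spoofed
    request is rejected instead of being processed as a notable."""
    data = json.loads(body)
    for key in ("sid", "result", "search_name"):
        if key not in data:
            raise ValueError(f"webhook body missing {key!r}")
    return {"sid": data["sid"],
            "search_name": data["search_name"],
            "first_result": data["result"]}


def results_url(base: str, sid: str) -> str:
    """REST URL for the complete result set of a finished search job.
    count=0 asks for all rows; output_mode=json makes them machine-readable."""
    return (f"{base.rstrip('/')}/services/search/jobs/"
            f"{urllib.parse.quote(sid, safe='')}/results?output_mode=json&count=0")


def fetch_all_results(base: str, sid: str, token: str) -> List[Dict[str, str]]:
    """Fetch every row of the job, not just the single row the webhook carried.
    `base` is the management port URL (assumed https://host:8089) and `token`
    an assumed Splunk authentication token sent as a Bearer header.
    Performs a network call, so it is not exercised offline."""
    req = urllib.request.Request(results_url(base, sid),
                                 headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()   # verify the management certificate
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["results"]


def extract_users(results: List[Dict[str, str]], rule_name: str,
                  seen: Set[str]) -> List[Dict[str, str]]:
    """Return user/src pairs for rows of `rule_name` whose event_id has not
    been processed before; `seen` is the caller's persistent checkpoint set.
    Rows without an event_id are skipped because they cannot be de-duplicated."""
    out = []
    for row in results:
        if row.get("rule_name") != rule_name:
            continue
        eid = row.get("event_id")
        if not eid or eid in seen:
            continue
        seen.add(eid)
        out.append({"event_id": eid, "user": row.get("user"), "src": row.get("src")})
    return out


if __name__ == "__main__":
    hook = parse_webhook(SAMPLE_WEBHOOK_BODY)
    print("job:", hook["sid"])
    print("would fetch:", results_url("https://splunk.example.invalid:8089", hook["sid"]))
    print(extract_users([hook["first_result"]], RULE, set()))
```

The same `extract_users` loop serves option (1) as well: a scheduled poller that runs a search over the `notable` index and keeps `seen` (or the newest `_time`) on disk as its checkpoint processes each notable exactly once across runs.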