Splunk comes with built-in support for webhooks on its alerts. To configure a webhook on an alert in Splunk, follow the instructions below.

  1. You can configure the webhook action when creating a new alert or editing the actions of an existing alert:

    • To create a new alert:

      • From the Search page in the Search and Reporting app, select Save As > Alert.

      • Enter the alert details, and configure triggering and throttling as needed.

    • To edit an existing alert:

      • From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert.

  2. From the Add Actions menu, select Webhook.

  3. Enter the URL for the webhook. The URL will differ depending on whether you use On-Premise Orchestrator or the Azure-based Orchestrator.

    • For On-Premise setup, the URL format is:

      {Orchestrator Site Path}/api/SIEM/splunk/alert (for example, http://localhost:5555/api/SIEM/splunk/alert).

    • For the Azure-based setup, the URL format is:

      https://orchestrationapi.azurewebsites.net/api/event/splunk/alert?code={api-key}&orchid={id-of-orchestrator-from-portal}&orgId={organisation-id-from-portal}

  4. After providing the URL, click Save. You'll need to follow this process for each alert rule you create.
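As an added example (not part of these instructions or of the Orchestrator product), the Python helpers below build the two URL forms described in step 3 and lint a URL before it is pasted into the Webhook action; the host, paths and parameter names come from this page, while the specific checks (unfilled placeholders, https for the Azure endpoint, no query string on the On-Premise form) are my own assumptions about a sensible pre-save check.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint pieces exactly as given in the instructions above.
AZURE_HOST = "orchestrationapi.azurewebsites.net"
AZURE_PATH = "/api/event/splunk/alert"
ONPREM_PATH = "/api/SIEM/splunk/alert"
AZURE_PARAMS = ("code", "orchid", "orgId")


def onprem_webhook_url(site_path: str) -> str:
    """Build the On-Premise URL from the Orchestrator site path."""
    parts = urlsplit(site_path)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("site path must be an absolute http(s) URL")
    return site_path.rstrip("/") + ONPREM_PATH


def azure_webhook_url(api_key: str, orchid: str, org_id: str) -> str:
    """Build the Azure URL; urlencode protects keys containing '&', '=' or spaces."""
    values = dict(zip(AZURE_PARAMS, (api_key, orchid, org_id)))
    missing = [name for name, value in values.items() if not value]
    if missing:
        raise ValueError(f"missing value(s): {', '.join(missing)}")
    return f"https://{AZURE_HOST}{AZURE_PATH}?{urlencode(values)}"


def lint_webhook_url(url: str) -> list[str]:
    """Return a list of problems; an empty list means the URL matches one of the two formats."""
    problems = []
    if "{" in url or "}" in url:
        problems.append("unfilled placeholder: replace every {...} with a real value")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if parts.netloc == AZURE_HOST and parts.path == AZURE_PATH:
        if parts.scheme != "https":
            problems.append("the Azure endpoint must be called over https")
        query = parse_qs(parts.query)  # blank values are dropped, so they read as missing
        for name in AZURE_PARAMS:
            if not query.get(name, [""])[0]:
                problems.append(f"Azure URL is missing the {name} query parameter")
    elif parts.path.endswith(ONPREM_PATH):
        if parts.query:
            problems.append("the On-Premise URL takes no query parameters")
    else:
        problems.append("path matches neither the On-Premise nor the Azure format")
    return problems
```

Because the Azure form carries the API key inside the URL, the saved alert configuration in Splunk contains that key, so restrict who can view and edit those alerts.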