Configure the webhook in Splunk Security

Configure webhook endpoints so that Splunk Security can use the endpoint to communicate with Incident Response.

Before you begin

Role required: Responder, Manager, or Administrator

About this task

Note: While this integration with a third-party product is supported, the documentation here is based upon information provided by that third-party. More current information about the operation of that third-party’s system may be available from them directly.


  1. Log in to Splunk Enterprise.
  2. From the left navigation menu, select Enterprise Security.
  3. On the Splunk light bar, click Search and then from the menu, select Search.
  4. Search for a query and then click search.
  5. Click the Save As tab and then click Alerts.
    The Save As Alert form opens.
  6. Perform the following steps:
    1. In the Title field, enter the name of the alert.
    2. Under Alert type, select whether alert search timing should be scheduled or real-time.

      For more information on search timing, see alert type and triggering scenarios.

    3. Under Trigger Actions, select Webhook.
    4. In the URL field, enter the webhook URL copied from LIR.

      For information on webhook, see Create a webhook.

    5. Click Save.