Splunk integration with Incident Response

Splunk makes it simple to collect, analyze and act upon the untapped value of the big data generated by your technology infrastructure, security systems, and business applications.

Splunk has an alerting function. Splunk alerts can be used to monitor and respond to specific events. Alerts are created from search results and trigger conditions, using either a real-time or a scheduled search. An alert triggers when the search results meet its conditions, and you can configure alert actions that run in response to a triggered alert.

What does Incident Response offer Splunk users?

Splunk generates alerts based on search results.

Incident Response acts as a handler for these alerts and determines the right people to notify based on escalation policies, previously provided points of contact, and on-call schedules. Users are notified based on their notification preferences. Alerts are escalated until they are acknowledged or closed.

Functionality of the integration

  • Whenever the trigger conditions of an alert are met, Splunk fires the alert.
  • Splunk sends a payload containing the matching search results to the webhook URL that you specify in the alert's action settings.
  • Incident Response handles the payload, creates an alert, and assigns it to the correct team.
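The receiving side of that flow, as an added example rather than the Incident Response product's own code: it validates the JSON that Splunk's webhook alert action posts (top-level `sid`, `search_name`, `app`, `owner`, `results_link` and a `result` object), authenticates the sender with a shared token in the request, and picks a team from an escalation policy keyed on the search name. Because the webhook is a plain HTTP POST, the token check is an assumption about how the endpoint is protected; the payload values, policy table and team names are constructed.

```python
import hmac
import json

# Constructed sample of the JSON body Splunk's webhook alert action posts.
SAMPLE_PAYLOAD = json.dumps({
    "sid": "scheduler__admin__search__RMD5c0ffee_at_1700000000_42",
    "search_name": "Failed logins > 20 in 5m",
    "app": "search",
    "owner": "admin",
    "results_link": "https://splunk.example.internal:8000/app/search/@go?sid=x",
    "result": {"user": "jdoe", "src_ip": "203.0.113.7", "count": "37"},
})

# Hypothetical escalation policy: search-name prefix -> team to page.
ESCALATION_POLICIES = {
    "Failed logins": "identity-oncall",
    "Malware": "endpoint-oncall",
}
DEFAULT_TEAM = "soc-triage"   # fallback when no policy matches
REQUIRED_KEYS = ("sid", "search_name", "result")


def parse_splunk_alert(body: str) -> dict:
    """Validate the webhook body and return a normalized alert record."""
    data = json.loads(body)
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"payload missing keys: {missing}")
    if not isinstance(data["result"], dict):
        raise ValueError("result must be a JSON object")
    return {
        "id": data["sid"],                      # search id, unique per run
        "title": data["search_name"],
        "fields": data["result"],               # the matching event fields
        "link": data.get("results_link", ""),   # back-link into Splunk
        "source_app": data.get("app", ""),
    }


def route_alert(alert: dict) -> str:
    """Return the team a policy assigns to this alert, or the default."""
    for prefix, team in ESCALATION_POLICIES.items():
        if alert["title"].startswith(prefix):
            return team
    return DEFAULT_TEAM


def handle_webhook(body: str, token: str, expected_token: str) -> dict:
    """Authenticate the caller, then create and assign the alert."""
    if not hmac.compare_digest(token, expected_token):  # constant-time compare
        raise PermissionError("webhook token mismatch")
    alert = parse_splunk_alert(body)
    alert["team"] = route_alert(alert)
    alert["status"] = "open"   # stays open until acknowledged or closed
    return alert
```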