Splunk integration with Incident Response

Splunk makes it simple to collect, analyze and act upon the untapped value of the big data generated by your technology infrastructure, security systems, and business applications.

Splunk has an alerting functionality. Splunk alerts can be used to monitor and respond to specific events. Alerts can be created based on search results and conditions through real-time or scheduled searches. Alerts trigger when search results meet specific conditions. You can set alert actions to respond to triggered alerts.

What does Incident Response offer Splunk users?

Splunk generates alerts based on search results. Incident Response acts as a dispatcher for the alerts generated by Splunk. Incident Response determines the right people to notify based on escalation policies and on-call schedules, notifies users via email, text messages (SMS), phone calls, and iPhone & Android mobile push notifications, and escalates alerts until the alert is acknowledged or closed.

Functionality of the integration

  • Whenever the alert conditions are met in Splunk, Splunk triggers the alert.
  • Splunk sends a payload based on the search criteria to the webhook URL that you specify in the alert rule.
  • Incident Response receives the payload, creates an alert, and assigns it to the correct team.
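To make the three steps above concrete, here is an added example of the receiving side of such a webhook; it is not code from the page or from the Incident Response product, and it does not reproduce that product's actual API. It shows the JSON body Splunk's built-in webhook alert action POSTs (field names `sid`, `search_name`, `app`, `owner`, `results_link` and `result` are the ones Splunk documents for that action; all values are constructed), validates the request, collapses the one-POST-per-result-row case onto a single alert keyed by the search id, and picks a team from the alert rule name. The `<TEAM> - <description>` naming convention, the team names, and the per-integration token in the webhook URL are assumptions made for this example.

```python
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of the JSON body that Splunk's webhook alert action POSTs.
# The field names are the ones Splunk documents for that action; every value
# below is made up for this example.
SAMPLE_BODY = json.dumps({
    "sid": "scheduler__admin__search__RMD5example_at_1700000000_12",
    "search_name": "SEC - Failed logins burst",
    "app": "search",
    "owner": "admin",
    "results_link": "https://splunk.example.internal:8000/app/search/@go?sid=example",
    "result": {"user": "svc-backup", "src": "10.0.0.7", "count": "57"},
}).encode()

# Assumption: alert rules are named "<TEAM> - <description>" so the dispatcher
# can route on the prefix. The team names are invented for this example.
TEAM_BY_PREFIX = {"SEC": "security-oncall", "OPS": "infra-oncall"}
DEFAULT_TEAM = "triage-oncall"

# Assumption: the webhook URL configured in Splunk ends in a per-integration
# token (the stock webhook action does not sign its requests), and the receiver
# checks that token before trusting the body. Constructed value.
EXPECTED_TOKEN = "constructed-token-value"


@dataclass
class Alert:
    key: str        # Splunk search id: one alert per triggered search run
    title: str      # Splunk alert rule name
    team: str       # team the alert is assigned to
    details: dict   # the first result row Splunk attached
    link: str       # back-link to the results in Splunk


@dataclass
class Outcome:
    status: str                    # "created", "duplicate" or "rejected"
    alert: Optional[Alert] = None
    reason: str = ""


class Dispatcher:
    """Validates, deduplicates and routes Splunk webhook alerts."""

    def __init__(self) -> None:
        self.seen: Dict[str, Alert] = {}

    def handle(self, token: str, content_type: str, body: bytes) -> Outcome:
        # Reject anything that does not present the expected token; the
        # constant-time compare keeps the check from leaking token bytes.
        if not hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode()):
            return Outcome("rejected", reason="unknown webhook token")
        if not content_type.lower().startswith("application/json"):
            return Outcome("rejected", reason="expected application/json")
        try:
            payload = json.loads(body)
        except ValueError as exc:  # JSONDecodeError and bad UTF-8 both land here
            return Outcome("rejected", reason=f"malformed JSON: {exc}")
        if not isinstance(payload, dict):
            return Outcome("rejected", reason="payload is not a JSON object")
        for required in ("sid", "search_name"):
            value = payload.get(required)
            if not isinstance(value, str) or not value:
                return Outcome("rejected", reason=f"missing field {required!r}")

        # When a rule triggers "for each result", Splunk POSTs once per result
        # row and all of those POSTs share one sid; keying on it collapses them
        # into a single alert instead of paging the team once per row.
        sid = payload["sid"]
        if sid in self.seen:
            return Outcome("duplicate", self.seen[sid])

        title = payload["search_name"]
        prefix = title.split(" - ", 1)[0].strip().upper()
        result = payload.get("result")
        alert = Alert(
            key=sid,
            title=title,
            team=TEAM_BY_PREFIX.get(prefix, DEFAULT_TEAM),
            details=result if isinstance(result, dict) else {},
            link=str(payload.get("results_link", "")),
        )
        self.seen[sid] = alert
        return Outcome("created", alert)


if __name__ == "__main__":
    d = Dispatcher()
    first = d.handle(EXPECTED_TOKEN, "application/json", SAMPLE_BODY)
    print(first.status, first.alert.team, first.alert.details)
    print(d.handle(EXPECTED_TOKEN, "application/json", SAMPLE_BODY).status)
    print(d.handle("wrong-token", "application/json", SAMPLE_BODY).reason)
```

On the Splunk side, the URL this receiver listens on is the one you enter in the alert rule's webhook action (stored as `action.webhook.param.url` in `savedsearches.conf`); serve it over HTTPS so the token and result rows are not exposed in transit, and treat `result` as untrusted data from the indexed events rather than as something the alert author typed.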