# Splunk Webhook

In this guide, you'll configure Splunk, a big data solution offering security information and event management (SIEM), to forward alerts to Radiant, where they will be automatically received and triaged.

### Prerequisites

* [ ] Splunk Enterprise, Splunk Enterprise Security, or Splunk Cloud
* [ ] Admin or Power User access level

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings > Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Splunk Webhook** option and then click **Data Feeds**.
4. Click **Credentials**.
5. Under **Credential Name**, give the credential an identifiable name (e.g. `Splunk - Credentials`).
6. Under **Required Credentials**, enter a **Connector tag** (e.g. `webhook_connector`).
7. Click **Add Connector**.
8. Open the newly created connector. Under **Vendor Configuration**, copy the `Webhook URL` value. You’ll need it for the **Configure alert actions** section of this guide.
9. Click **Add Connector** to save the changes.

### Configure the webhook allow list

In this step, you will configure an allow list depending on whether you use Splunk Enterprise or Splunk Cloud.

#### **Splunk Enterprise**

1. In `$SPLUNK_HOME/etc/system/local`, edit the **alert\_actions.conf** file. If the **alert\_actions.conf** file does not exist, you can create it.
2. In the `[webhook]` section, add the following entry for Radiant Security:

   ```
   [webhook]
   allowlist.webhook1 = ^https:\/\/.*blastradius.*
   enable_allowlist = true
   ```

#### **Splunk Cloud**

1. In Splunk Web, click **Settings > Server settings > Webhook allow list**.
2. Enter a label for the endpoint (e.g. `radiant_connector`).
3. Enter the following regex pattern for the URI:

   ```
   ^https:\/\/.*blastradius.*
   ```
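
To see what the allow-list entry above admits, the following added example (not from Radiant's or Splunk's documentation) runs the guide's pattern and a host-anchored alternative over constructed URLs. The hostnames, `SAMPLE_WEBHOOK_URL`, and the helper functions are assumptions for illustration, and it assumes Splunk evaluates these simple patterns the way Python's `re` does.

```python
import re
from urllib.parse import urlsplit

# Pattern exactly as given in this guide (\/ is the same as / here).
GUIDE_PATTERN = r"^https:\/\/.*blastradius.*"

# Constructed sample values (assumptions): substitute the Webhook URL copied
# from the Radiant connector and any URLs you want to check.
SAMPLE_WEBHOOK_URL = "https://hooks.blastradius.example/webhook/PLACEHOLDER"
SAMPLE_URLS = [
    SAMPLE_WEBHOOK_URL,
    "https://other-host.example/blastradius",
    "https://other-host.example/?q=blastradius",
    "https://hooks.blastradius.example.other-host.example/x",
    "http://hooks.blastradius.example/webhook/PLACEHOLDER",
]


def host_anchored_pattern(webhook_url: str) -> str:
    """Return a regex admitting only HTTPS URLs on the webhook URL's exact host."""
    parts = urlsplit(webhook_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("webhook URL must be an absolute https:// URL")
    host = re.escape(parts.hostname)
    port = f":{parts.port}" if parts.port else ""
    # The host must be followed by "/" or the end of the URL, so a longer
    # hostname that merely starts with it cannot match.
    return rf"^https://{host}{port}(/.*)?$"


def audit(pattern: str, urls: list[str]) -> list[str]:
    """Return the URLs the allow-list pattern would admit."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]


if __name__ == "__main__":
    for label, pattern in (("guide", GUIDE_PATTERN),
                           ("host-anchored", host_anchored_pattern(SAMPLE_WEBHOOK_URL))):
        print(f"{label}: {pattern}")
        for url in audit(pattern, SAMPLE_URLS):
            print(f"  admits {url}")
```

The guide's pattern admits any HTTPS URL that contains `blastradius` anywhere, including in the path or query string of another host, while the host-anchored pattern admits only the copied webhook's host. Confirm the host of your own Webhook URL before tightening the entry.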

### Configure alert actions

1. Navigate to **Apps > Search & Reporting > Alerts**.
2. For each rule you want to forward notifications to Radiant Security, do the following:
   * Click **Edit** > **Edit Alert**.
   * Scroll down to **Trigger Actions**.
   * Click **Add Actions** and select **Webhook**.
   * On the **Webhook** action, for **URL** enter the **Webhook URL** that you copied from Radiant Security’s page.
3. Click **Save**.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FF1lbvq9MUxdy1dsB30xf%2FSplunk%20Webhook_04.png?alt=media&#x26;token=2ff1c048-4280-4d99-bf34-afc2391de174" alt=""><figcaption></figcaption></figure></div>
