Configure webhook allow list using Splunk Web

The webhook allow list is a list of URL endpoints to which webhook alert actions in Splunk Cloud Platform are permitted to send HTTP POST requests. Before a triggered alert can send a request to a specified webhook URL, Splunk Cloud Platform checks to ensure that the URL is on the allow list. You can add URLs to the allow list using the webhook allow list page in Splunk Web.

For more information on webhook alert actions, see Use a webhook alert action in the Alerting Manual.

Requirements

To configure the webhook allow list using Splunk Web, you must have:

• Splunk Cloud Platform version 8.2.2203 or higher.
• The sc_admin role.
• The edit_webhook_allow_list capability. sc_admin has this capability by default.

Webhook allow list is not currently supported on AWS GovCloud or FedRAMP environments.

Add or remove URL endpoints from the webhook allow list

The webhook allow list page lets you add or remove target URL endpoints for webhook alert actions. You can add or remove multiple URL endpoints in a single page update. You must click save for any changes that you make to the page to propagate through the system.

Specify URLs using restrictive regular expressions

Splunk Cloud Platform does a regular expression match against URLs in the allow list. If there is a string match, then an alert (HTTP POST request) is sent to the specified webhook URL. When adding a URL to the webhook allow list, make sure to define the URL as completely as possible to achieve the most restrictive match. For example, the following URLs appear in order from most restrictive to least restrictive:

1. https///splunk.m.pipedream.net
2. pipedream.net
3. pipe

If you send an alert to http://orange.pipedream.net, it will be restricted (not match) in the first case. But it will not be restricted in the second case, since the regular expression pipedream.net matches.

Similarly if you send an alert to http://mywebsite.pipeline.com, it will be restricted in the first and second case. But it will not be restricted in the third case, since the regular expression pipe matches. Hence, it is best to use the first URL for a more restrictive policy.

In most cases, it is best to use https:// as the starting string of the URL.

Add URL endpoints to the webhook allow list

To add a URL endpoint to the webhook allow list using Splunk Web:

1. In Splunk Web, click Settings > Server settings > Webhook allow list.
2. Enter a name for the endpoint. The name is just a label for the corresponding URL. You cannot use the name field in the search and reporting app to send an alert .
3. Specify the endpoint URL value. See Specify URLs using restrictive regular expressions.
4. Click Save
   This saves all changes to the webhook allow list page since the last page update, including any URLs that you have added or removed.

Remove URL endpoints from the webhook allow list

1. In Splunk Web, click Settings > Server settings > Webhook allow list.
2. Click X to delete the URL endpoint.
3. Click Save.
   This saves all changes to the webhook allow list page since the last page update, including any URLs that you have added or removed.

Check alert failures due to URL not in allow list

Upon upgrade to version 8.2.2203, Splunk Cloud Platform automatically adds all URLs currently associated with a webhook alert action to the webhook allow list. However, after upgrade to 8.2.2203 or higher, you must manually add any URL associated with a webhook alert action to the webhook allow list, or that alert will fail.

To see which webhook alerts will fail because the webhook URL is missing from the allow list, run the following search:

index="_internal" source=*splunkd.log "did not match an entry" URL=* | stats values(URL) by sid