Splunk® Enterprise

Alerting Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure webhook allow list

The webhook allow list is a list of authorized URL endpoints to which a webhook alert action can send HTTP POST requests. Before a triggered alert can send a request to a specified webhook URL, Splunk Enterprise checks to ensure that the URL is on the allow list. You can add URLs to the webhook allow list by configuring the alert_actions.conf file.

For more information on webhook alert actions, see Use a webhook alert action in the Alerting Manual.

Requirements

To configure the webhook allow list, you must have:

  • Splunk Enterprise version 9.0 or higher.
  • The admin role.
  • The edit_webhook_allow_list capability. The admin role has this capability by default.

Add URL endpoints to the webhook allow list

The webhook allow list is located in the alert_actions.conf file under the [webhook] stanza.

To add a URL to the webhook allow list, you can directly edit the alert_actions.conf file, as follows:

  1. In $SPLUNK_HOME/etc/system/local, edit alert_actions.conf. If the alert_actions.conf file does not exist, you can create it. See How to edit a configuration file.
  2. Under the [webhook] stanza, add the webhook URL definition. Each webhook allow list definition must start with the prefix "allowlist." and be of the form "allowlist.webhook = URL". URL values must be regular expression strings that match allowed URLs. For example:
    [webhook]
    allowlist.webhook1 = ^https:\/\/10\.201\..*\/
    allowlist.webhook2 = ^https:\/\/(.*\.|)company.com\/?.*\/
    
    where "webhook1" and "webhook2" are the names of the webhooks. For details on how to specify secure webhook URL values, see Specify URLs using restrictive regular expressions.
  3. In the same alert_actions.conf file and under the same [webhook] stanza, assign the enable_allowlist setting a value of "true".

    If you turn on the webhook allowlist feature but don't specify an allowlist, the Splunk platform authorizes a webhook alert action to send HTTP requests to any URL endpoint. This is a potential security risk.

For more information on [webhook] stanza settings in the alert_actions.conf file, see the alert_actions.conf.spec file located in $SPLUNK_HOME/etc/apps/alert_webhook/README.

Specify URLs using restrictive regular expressions

Splunk Enterprise does a regular expression match against URLs that appear in the allow list. If there is a string match, then an alert (HTTP POST request) is sent to the specified webhook URL. When you add a URL to the webhook allow list, define the URL as completely as possible to achieve the most restrictive match. For example, the following URLs appear in order from most restrictive to least restrictive:

  1. https://splunk.m.pipedream.net
  2. pipedream.net
  3. pipe

If you send an alert to http://orange.pipedream.net, it will be restricted (no match) in the first case. But it will not be restricted in the second case, since the regular expression pipedream.net matches.

Similarly, if you send an alert to http://mywebsite.pipeline.com, it will be restricted in the first and second cases. But it will not be restricted in the third case, since the regular expression pipe matches. Hence, it is best to use the first URL for a more restrictive policy.

In most cases, it is best to use https:// as the starting string of the URL.
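
The following audit script is an added example, not part of the Splunk documentation or product. It loads allowlist entries from a constructed [webhook] stanza and reports which constructed probe URLs each pattern admits besides the intended endpoint. It assumes Python's re.search approximates the unanchored match described above; the entry names, the anchored "strict" pattern and the example.org lookalike host are made up for illustration.

```python
import re

# Constructed alert_actions.conf fragment: the three patterns ranked above,
# plus an anchored variant with escaped dots (an assumption for comparison).
SAMPLE_CONF = r"""
[webhook]
enable_allowlist = true
allowlist.strict = ^https:\/\/splunk\.m\.pipedream\.net\/
allowlist.full = https://splunk.m.pipedream.net
allowlist.domain = pipedream.net
allowlist.fragment = pipe
"""

# Constructed destinations: the intended endpoint, the two URLs discussed
# above, and a lookalike host that differs only where "." acts as a wildcard.
PROBES = [
    "https://splunk.m.pipedream.net/",
    "http://orange.pipedream.net",
    "http://mywebsite.pipeline.com",
    "https://splunkxm.pipedream.net.example.org/",
]

def load_allowlist(conf_text):
    """Return {name: pattern} for allowlist.* keys in the [webhook] stanza."""
    entries, stanza = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza == "webhook" and line.startswith("allowlist.") and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()[len("allowlist."):]] = value.strip()
    return entries

def audit(entries, probes, intended):
    """Map each entry name to the probe URLs it admits besides the intended one."""
    report = {}
    for name, pattern in entries.items():
        rx = re.compile(pattern)
        # Unanchored search: the pattern matches if it occurs anywhere in the URL.
        report[name] = [u for u in probes if u != intended and rx.search(u)]
    return report

if __name__ == "__main__":
    for name, extra in audit(load_allowlist(SAMPLE_CONF), PROBES, PROBES[0]).items():
        print(f"{name:10} unintended matches: {extra or 'none'}")
```

In this sample, only the anchored entry with escaped dots admits nothing beyond the intended endpoint; the unescaped full URL still admits the lookalike host because each "." matches any character and the pattern is not anchored.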

Troubleshoot alert failures due to URL not in allow list

Upon upgrade to version 9.1, Splunk Enterprise automatically adds any URLs that are currently associated with a webhook alert action to the webhook allow list. However, after you upgrade to 9.1 or higher, you must manually add any URL associated with a webhook alert action to the webhook allow list, or that alert will fail.

To see which webhook alerts will fail because the webhook URL is missing from the allow list, run the following search:

index="_internal" source=*splunkd.log "did not match an entry" URL=* | stats values(URL) by sid

Last modified on 22 February, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

