Supporting Add-on for Demisto. This application allows a user to create incident into Demisto from Splunk using custom alert action.
- Splunk version 6.3 >=
- This application should be installed on Search Head.
- Standard Splunk configuration of Search Head.
- Same as on-premise setup.
-
This app can be installed through UI using "Manage Apps" or from the command line using the following command: $SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/TA-Demisto.spl/
-
User can directly extract SPL file into $SPLUNK_HOME/etc/apps/ folder.
- The user must complete the setup of the application. In order to create incident into Demisto, a user needs to provide following four parameters: 1)Demisto URL: This is mandatory parameter Url /IP address of the Demisto 2)Demisto Port: This is an optional parameter. The user must define it if running Demisto on any other port than the default (443). 3)Allow Self Signed Certificate: User should select this if using Self Signed certificate 4) Authentication key: This is a mandatory parameter. This parameter is used for authorization with Demsito. In order to generate this parameter, a user should log in to Demisto and then click on Settings --> Integration --> API Keys.
- This application will add custom alert action named Demisto Custom Alert Action. The user can configure this action on saved search. The user can pass following parameters to Demisto:
- Name: Name of the alert.
- Occurred Time: Time when alert was triggered
- Type: Type in demisto.
- Labels: Comma separated values to be put in the label field.
- Severity: Severity of the alert
- Details: Details field in the incident.
- Environment variable SPLUNK_HOME must be set
- To troubleshoot Demisto application, check $SPLUNK_HOME/var/log/splunk/demisto.log file.
Customers can file issues by logging into Demisto support portal (https://support.demisto.com). Documentation on our support process is available in the support portal.