Walkthrough: Create an ES adaptive response action

In this walkthrough, we'll create an add-on with an adaptive response action for Splunk Enterprise Security (ES).

The Splunk Add-on Builder lets you create alert actions, including adaptive response actions, a new feature of ES. We'll create an adaptive response action that queries the VirusTotal API for suspicious URLs. The action takes a URL as input, retrieves a security report on that URL from VirusTotal, and writes the report to an index in Splunk Enterprise.
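To make the flow concrete before the step-by-step pages, here is the core of such an action as an added example (not the code the Add-on Builder generates for this walkthrough). It assumes the JSON alert payload Splunk passes to a custom alert action (with `configuration` and `result` keys), the VirusTotal v2 `url/report` endpoint and its `response_code`/`positives`/`total` fields, and a hypothetical `url_field`/`api_key` configuration; the HTTP call is injected so the lookup logic can be exercised offline.

```python
"""Core of a Splunk alert action that looks up a URL in VirusTotal.

Added example, not the walkthrough's generated code. Assumed:
  - the alert payload format Splunk hands to a custom alert action
    (JSON with "configuration" and "result" keys);
  - the VirusTotal v2 URL report endpoint and its response fields
    ("response_code", "positives", "total", "scan_date", "permalink");
  - hypothetical action parameters "api_key" and "url_field".
"""
import json
import urllib.parse
import urllib.request

VT_URL_REPORT = "https://www.virustotal.com/vtapi/v2/url/report"


def fetch_report(api_key, url, http_get=None):
    """Query VirusTotal for a URL report.

    http_get(request_url) -> bytes can be injected for offline testing;
    by default the request goes out over HTTPS.
    """
    query = urllib.parse.urlencode({"apikey": api_key, "resource": url})
    request_url = f"{VT_URL_REPORT}?{query}"
    if http_get is None:
        def http_get(u):
            with urllib.request.urlopen(u, timeout=30) as resp:
                return resp.read()
    return json.loads(http_get(request_url))


def build_event(url, report):
    """Flatten a VirusTotal URL report into the event written to the index.

    response_code 1 means VirusTotal has a report; anything else (0 = unknown,
    -2 = still queued) yields an event with zero detections so analysts can see
    that the lookup happened but returned nothing.
    """
    found = report.get("response_code") == 1
    return {
        "url": url,
        "vt_found": found,
        "positives": report.get("positives", 0) if found else 0,
        "total": report.get("total", 0) if found else 0,
        "scan_date": report.get("scan_date", ""),
        "permalink": report.get("permalink", ""),
    }


def run(payload, http_get=None):
    """Handle one alert invocation: URL from the triggering result, key from configuration."""
    config = payload["configuration"]
    url = payload["result"].get(config.get("url_field", "url"))
    if not url:
        raise ValueError("no URL in the alert result")
    return build_event(url, fetch_report(config["api_key"], url, http_get))
```

In the generated add-on, the returned dictionary is what you would hand to the Add-on Builder's event-writing helper so it lands in the target index.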

[Alert actions in Splunk Web]

Prerequisite: To use this walkthrough, you need a key for the VirusTotal API. Go to the VirusTotal signup page to create an account. Once you have activated your account and logged in, click your user name (upper right corner of the page), then select My API key. Copy this API key; you'll need it later.

Let's begin: continue to 1. Create an add-on.