Create an alert action

On your add-on home page, click the Create Alert Actions icon. The Alert Actions summary page opens. It's empty, so let's create an alert action.

  1. Click New Alert Action.

     [Alert actions for your add-on]

  2. The Create Alert Action wizard opens, prompting you to enter the properties for the new alert action:
    • In Name, type "VirusTotal".
    • In Label, type "VirusTotal".
    • In Description, enter "Query the VirusTotal API for suspicious URLs".
    • Optionally, click Upload my icon to upload an image to use as the alert action icon. Both the label and this icon will appear in Splunk Web for this alert action.
  3. Select the Support as an adaptive response action in Splunk Enterprise Security checkbox. This option indicates that the alert action should appear in the list of available adaptive response actions in Splunk Enterprise Security.
  4. Fill out the properties for this adaptive response action:
    • In Category, type "Information Gathering".
    • In Task, type "scan".
    • In Subject, type "endpoint".
    • In Vendor, type "VirusTotal".
    • In Product, type "VirusTotal API".
    • In Version, type "1.0".
    • Select Support as an ad-hoc action.
    • You can leave the Custom Drilldown and Sourcetype fields blank.

     [Alert action properties]

  5. Click Next.

Continue to 3. Define inputs and setup parameters.