Define the Python code for the alert action

Python code defines what the alert action does when it fires. You can edit the code directly in the Code Editor window. The autogenerated code includes commented examples showing how to read the fields you defined on the earlier tabs, so use them as a reference when you wire up the parameters below.

  1. In the Code Editor panel, find the process_event function at the top of the page. Just above this function, paste the following code:

        def query_url(helper, url, apikey, themethod):
            # urlencode lives in urllib on Python 2 and in urllib.parse on Python 3;
            # Add-on Builder releases differ in the Python version they bundle.
            try:
                from urllib.parse import urlencode
            except ImportError:
                from urllib import urlencode

            # Refuse to call out with an empty URL or API key. The caller must
            # check for a None return before using the result.
            if not url or not apikey:
                helper.log_error('Some parameters are missing. The required are: apikey and url.')
                return None

            uri = 'https://www.virustotal.com/vtapi/v2/url/report'
            # build_http_connection applies the proxy settings from the add-on setup page
            http = helper.build_http_connection(helper.proxy, timeout=30)
            data = {
                'resource': '{}'.format(url),
                'apikey': '{}'.format(apikey),
            }
            # No headers needed in this case
            headers = {
                #'header1' : 'header_value'
            }

            # The API key travels in the form-encoded request body, not in the query string
            resp_headers, content = http.request(uri, method=themethod,
                                                 body=urlencode(data), headers=headers)
            if resp_headers.status not in (200, 201, 204):
                helper.log_error('Failed to query api. url={}, HTTP Error={}, content={}'.format(url, resp_headers.status, content))
                return None
            helper.log_info('Successfully queried url {}, content={}'.format(url, content))
            return content

    This code makes a REST call to query the VirusTotal API. You can use it as a template for any other alert action that calls an HTTP API: change the URI, the body fields, and the headers, and keep the parameter check and the status-code check.

    [Code Editor]

  2. Towards the end of the code, find the comment "# TODO:" and paste the following code below it, keeping it at the same indentation level as the surrounding body of process_event:

        # query the url from the alert action parameters
        helper.log_info("Alert action Virus_Total started.")
        url = helper.get_param("url")
        helper.log_info("url={}".format(url))

        # read the API key from the add-on setup page (a global setting, not an alert parameter)
        apikey = helper.get_global_setting("apikey")

        # call the query URL REST endpoint and pass the url and API key
        content = query_url(helper, url, apikey, 'POST')

        # write the response returned by the VirusTotal API to a Splunk index.
        # query_url returns None on a missing parameter or an HTTP error, so only
        # index a real response.
        if content:
            helper.addevent(content, sourcetype="VirusTotal")
            helper.writeevents(index="main", host="localhost", source="VirusTotal")

    [Code Editor]

  3. Now test the code. On the Alert Action Parameters tab, enter a URL to test, such as "www.google.com".

     [Sample values]

  4. Click the Add-on Setup Parameters tab to see the setup page. Enter your API key as a test value, and enter other settings as needed, such as proxy settings.
  5. Click Test. The Output panel displays the results returned by the VirusTotal API.

     [Testing]

  6. Click Save, and then click Finish. The wizard verifies that you have created the alert action.
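The wizard only lets you test against the live API. The following added example (not code from the page or from Splunk Add-on Builder) is a stand-alone Python 3 version of the two snippets above that you can run offline: it keeps the same query_url contract (None on a missing parameter or a non-2xx status, the raw body otherwise), adds a summarize_report step that reduces a v2 url/report body to the fields an analyst acts on, and checks that the API key never ends up in a log line. FakeHelper, FakeHttp, run_demo and the sample report body are constructed for this example; the response field names (response_code, positives, total, scan_date, permalink) follow the VirusTotal v2 url/report format.

```python
import json
from urllib.parse import urlencode

VT_URL_REPORT = "https://www.virustotal.com/vtapi/v2/url/report"


def query_url(helper, url, apikey, method="POST"):
    """Query the v2 url/report endpoint through the helper's HTTP connection.

    Returns the response body as str on HTTP 200/201/204, or None on a missing
    parameter or an HTTP error. Log lines carry the URL and status, never the key.
    """
    if not url or not apikey:
        helper.log_error("Some parameters are missing. The required are: apikey and url.")
        return None
    http = helper.build_http_connection(helper.proxy, timeout=30)
    body = urlencode({"resource": url, "apikey": apikey})  # key goes in the POST body
    resp, content = http.request(VT_URL_REPORT, method=method, body=body, headers={})
    if isinstance(content, bytes):
        content = content.decode("utf-8", "replace")
    if resp.status not in (200, 201, 204):
        helper.log_error("Failed to query api. url={}, HTTP Error={}".format(url, resp.status))
        return None
    helper.log_info("Successfully queried url {}".format(url))
    return content


def summarize_report(content):
    """Reduce a v2 url/report JSON body to a small verdict dict.

    response_code 1 means a report exists; 0 means the URL is not in the dataset
    and -2 means the scan is still queued. Returns None for non-JSON input.
    """
    try:
        report = json.loads(content)
    except (TypeError, ValueError):
        return None
    if not isinstance(report, dict):
        return None
    code = report.get("response_code")
    if code != 1:
        return {"url": report.get("resource"), "response_code": code, "verdict": "no-report"}
    positives = int(report.get("positives", 0))
    total = int(report.get("total", 0))
    return {
        "url": report.get("url") or report.get("resource"),
        "response_code": code,
        "positives": positives,
        "total": total,
        "scan_date": report.get("scan_date"),
        "permalink": report.get("permalink"),
        "verdict": "malicious" if positives > 0 else "clean",
    }


class _FakeResponse:
    def __init__(self, status):
        self.status = status


class FakeHttp:
    """Stand-in for the httplib2-style object build_http_connection returns (constructed)."""
    def __init__(self, status, body):
        self.status, self.body = status, body
        self.last_request = None

    def request(self, uri, method=None, body=None, headers=None):
        self.last_request = {"uri": uri, "method": method, "body": body, "headers": headers}
        return _FakeResponse(self.status), self.body.encode("utf-8")


class FakeHelper:
    """Minimal stand-in for the Add-on Builder helper object (constructed for this example)."""
    proxy = None

    def __init__(self, http):
        self.http = http
        self.errors, self.infos = [], []

    def build_http_connection(self, proxy, timeout=30):
        return self.http

    def log_error(self, msg):
        self.errors.append(msg)

    def log_info(self, msg):
        self.infos.append(msg)


# Constructed sample body in the shape of a v2 url/report reply; not a real scan result.
SAMPLE_REPORT = json.dumps({
    "response_code": 1, "resource": "http://example.test/x", "url": "http://example.test/x",
    "scan_date": "2020-01-01 00:00:00", "positives": 3, "total": 70,
    "permalink": "https://www.virustotal.com/url/0000/analysis/",
})


def run_demo(status=200, body=SAMPLE_REPORT, apikey="not-a-real-key"):
    """Drive query_url against the fake transport; returns (helper, http, summary-or-None)."""
    http = FakeHttp(status, body)
    helper = FakeHelper(http)
    content = query_url(helper, "http://example.test/x", apikey, "POST")
    summary = summarize_report(content) if content else None
    return helper, http, summary
```

Inside the add-on, replace FakeHelper with the real helper and feed summarize_report's output to helper.addevent instead of indexing the raw body, so searches can key on positives and verdict directly.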

>>  Continue to 5. Next steps.