top of page

Create a Splunk Custom Alert Action

Do you have a need to create a custom alert action in Splunk, but you don't have the developer bandwidth or experience? Are you tired of maintaining a large code base of custom development, and worrying whether or not your code is secure?

Look no further, Dataflect can solve all these problems and more.

In this post we will show you how easy it is to create a Splunk custom alert action using Dataflect.

This example will be an extension of the previous post that shows how to Create an Azure Sentinel Incident from Splunk. We'll take the example, but convert it into a Splunk custom alert action.

Register an Application in Azure AD

  1. Navigate to the Azure portal.

  2. Go to Azure Active Directory > App registrations > New registration.

  3. Enter a name for the application, select the supported account types, and provide a Redirect URI (if necessary).

  4. After registration, note down the Application (client) ID.

Create a Client Secret

  1. Under your application registration, navigate to Certificates & secrets.

  2. Click New client secret, give it a description and an expiration period.

  3. Once created, copy the Value of the client secret (it won’t be visible again).

Assign Role to the Application

  1. Go to your Storage Account in the Azure portal.

  2. Under Access control (IAM), click Add > Add role assignment.

  3. Choose a role that provides read/write access to Azure Sentinel.

  4. In the Select field, type the name of the application you registered and select it.

  5. Click Save to assign the role to the application.

Add as an Allowed Domain in Dataflect

Create a credential in Dataflect with your App Registration details

Navigate to the "Action Builder" within Dataflect

Fill out the form with the information relevant to your Azure Environment, in the example below we've included tokens in the Data payload so that we can populate this in the alert action. Click Submit:

At the top of the page, expand the "Create Custom Alert Action" section. Now we're going to replace some of the data parameters with tokens, so that when an event is passed through the alert action it will be populated with the event specifics. Give your alert action a unique name, and click "Create":

Now let's create an alert that uses our alert action. We defined the tokens result.title, result.description, and result.severity, so we'll need to make sure these are included in any events that are sent through the alert action.

The search runs, the trigger conditions are met, and an incident is created in Azure Sentinel:

This is just one example, the possibilities are virtually limitless. To see the many ways Dataflect can work for you contact us at for a demo today!


Recent Posts

See All


bottom of page