Automatic Adaptive response action based on correlation search

ramesh_babu71 — Tue, 29 Sep 2020 16:57:41 GMT

Hello,

I'm trying out a Adaptive response action of VirusTotal which i created by following this site http://dev.splunk.com/view/addon-builder/SP-CAAAFBQ.

The following screnarios are working

Running the Adaptive response on ad-hoc mode where in I have to provide a complete url (like http://www.google.com)as parameter.
Running the Adaptive response from correlation search using Adaptive Response Actions where in I provide a complete url (like http://www.google.com) as parameter.

However on the same correlation search If I try to pass on the parameter as $url$ it fails to execute and I get failure under Notable events details.

The correlation search query is basic one which reads data from a lookup table which contains only one column called url. It returns the URL

Correlation Search query

| inputlookup demoARdata | where isnotnull(url)

Adaptive response action

Error Message in log file VirusTotal_modalert.log
2017-11-27 19:16:38,641 INFO pid=16371 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2017-11-27 19:16:38,642 ERROR pid=16371 tid=MainThread file=cim_actions.py:message:271 | sendmodaction - signature="url is a mandatory parameter, but its value is None." action_name="VirusTotal" search_name="Threat - Splunk alert $url$ - Rule" sid="scheduler_adminSplunkEnterpriseSecuritySuite_RMD5839fb9bced15ebfc_at_1511790360_253" rid="0" app="SplunkEnterpriseSecuritySuite" user="admin" action_mode="saved" action_status="failure"

Not sure where I went wrong? 😞

Re: Automatic Adaptive response action based on correlation search

starcher — Mon, 27 Nov 2017 17:15:23 GMT

You can try $result.url$

However though this will work for an event, it is not the most correct way. Inside your code, you should pull and loop through all urls for all events sent into the AR in case it is somehow used on multiple events. So really you don't want to pass url at all. You want to just pull it from each event sent to the AR and execute per result.

Re: Automatic Adaptive response action based on correlation search

ramesh_babu71 — Tue, 28 Nov 2017 07:40:16 GMT

Thanks. It worked 🙂

Re: Automatic Adaptive response action based on correlation search

ramesh_babu71 — Tue, 28 Nov 2017 07:40:52 GMT

Thanks It worked 🙂

topic Re: Automatic Adaptive response action based on correlation search in Splunk Enterprise Security

Automatic Adaptive response action based on correlation search

Re: Automatic Adaptive response action based on correlation search

Re: Automatic Adaptive response action based on correlation search

Re: Automatic Adaptive response action based on correlation search