topic Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed in Splunk Enterprise Security

Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

irsysintegratio — Tue, 29 Sep 2020 16:39:17 GMT

Hello,

We have an AR Action, and it works fine with correlation search. But when we try to invoke it as adhoc action, it failed with the following error message:
ActiveResponseException: Invalid parameter for adhoc modular action.

Now we use sendalert command in our alert_actions.conf, so according to the Splunk document, it should support adhoc invocation. The command we use in our alert_actions.conf follows the Splunk example for adaptive response:
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count

None of the log files in $SPLUNK_HOME/var/log/splunk folder provides useful information. How can we debug this please?

Thanks!

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

irsysintegratio — Tue, 29 Sep 2020 16:39:46 GMT

I am going to answer my question. 🙂

From help from Splunk ES support, it turns out each field (parameter) in the alert UI must be specified in the alert_actions.conf (and defined in the alert_actions.conf.spec). This is not required for invocation from correlation search.

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

jamesbrock — Tue, 29 Sep 2020 17:42:44 GMT

did you have to break out the command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" into individual fields and add each to the spec file ?

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

hazekamp — Tue, 29 Sep 2020 18:01:17 GMT

No, you do not have to specify things like action_name, results_file, results_link, etc as these are internal to sendalert. This error commonly occurs when you define parameters in the action HTML that aren't represented in alert_actions.conf.spec and alert_actions.conf...

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

lakshman239 — Wed, 21 Feb 2018 11:17:29 GMT

When we develop a TA using add-on builder and then update the alert actions, as part of packaging/merging, the add-on builder doesn't merge the local/alert_actions.conf to default, causing this issue. possibly its a bug in add-on builder?

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

hazekamp — Wed, 21 Feb 2018 16:57:00 GMT

I'm not exactly sure what we're referring to with respect to "add-on builder doesn't merge the local/alert_actions.conf" to default. When you install the app, Splunk's API will dynamically layer local configurations onto the defaults, so while the best practice would be to ship everything in default, this should not be the source of your breakage.

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

kchamplin_splun — Wed, 21 Feb 2018 17:00:59 GMT

AoB will merge those BTW - you need to export it as an SPL package - which is the last option in the project flow in AoB.

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

lakshman239 — Wed, 21 Feb 2018 17:06:29 GMT

unfortunately, the AOB didn't package them on to default, overwritting the old version of alert_actions.conf.

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

lakshman239 — Fri, 26 Oct 2018 10:49:48 GMT

Kyle - I did validate the package, exported the spl file and looked at the contents of the alert_action.conf and it was different from the contents in the local folder. So, merge didn't happen. I used AOB 2.2.0

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

lakshman239 — Fri, 26 Oct 2018 10:54:07 GMT

So, my invocation via correlation search worked, but not via adhoc means. After i merged them manually (as per spec), both worked.

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

jawaharas — Fri, 06 Sep 2019 06:59:46 GMT

A picture speaks a thousand words - https://prnt.sc/

Just create fields in alert_actions.conf corresponding to each field in the 'Adaptive Response Action' page.

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

simon_lavigne — Mon, 09 Sep 2019 22:50:45 GMT

@jawaharas can you upload the screenshot again? Getting a 403.

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

jawaharas — Mon, 09 Sep 2019 23:50:42 GMT

Here you go - http://prnt.sc/p40i0c

Just create fields in alert_actions.conf corresponding to each field in the 'Adaptive Response Action' page.

Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

simon_lavigne — Tue, 10 Sep 2019 01:07:25 GMT

Thanks @jawaharas, just so happens I'm fault finding the TheHive add-on too