topic Re: Adaptive response actions wont show up in Splunk Enterprise Security

Adaptive response actions wont show up

reubenjoseph — Mon, 03 Dec 2018 01:47:34 GMT

We have created a large amount of custom Adaptive response actions that primarily consist of actions that fetch information from the internet using API calls.

All the apps were created using the latest version of Splunk add-on builder, we have over 12 TA apps at the moment some of them implement up to 4 alert actions.

The problem that we are facing is that while all of these apps are installing correctly and are visible in the Alert actions view, not all the actions are visible in the Enterprise Security drop-down list (While creating a correlation search), only a certain number of actions are visible. Our use case requires multiple adaptive response to actions be executed during notable event creation.

All of these actions (Including the missing entries) can be executed using the sendalert command and passing the parameters manually.

What could be the cause of this? Could it be an app import issue in ES?

Re: Adaptive response actions wont show up

lakshman239 — Fri, 11 Jan 2019 16:48:36 GMT

When using add-on builder, i assume you 'ticked' the box to indicate this add-on is to be used in ES as adaptive response action. Also, have you created each of the add-on as with its own name, e.g. TA-addon1, TA-addon2 etc.. so that they can be installed and have unique name [ default/app.conf]

Re: Adaptive response actions wont show up

scheng_splunk — Wed, 08 May 2019 01:49:05 GMT

There's known ES issue SOLNESS-18523 - Adaptive Response's are being truncated in the correlation search editor page which leads to incomplete results of REST endpoints being displayed.

The fix is implemented in ES version 5.3.1.

Re: Adaptive response actions wont show up

jawahardeen — Thu, 27 Jun 2019 05:08:24 GMT

In Splunk ESS 5.3.0 -

All the entries (eg: pagerduty, thehive etc.,) shown under Notable->'Recommended Actions' section in the Correlation Search's configuration are not shown in the 'Run Adaptive Response Actions' pop-up (after clicking drop-down on incidents' 'Actions' column) in 'Incident Review' page.

Is this issue also tracked under 'SOLNESS-18523'?

Re: Adaptive response actions wont show up

scheng_splunk — Thu, 27 Jun 2019 06:15:05 GMT

If you run the following two REST endpoint searches:

    | rest splunk_server=local /servicesNS/nobody/SplunkEnterpriseSecuritySuite/alerts/alert_actions | search (is_custom=1
    OR name="email" OR name="script") AND disabled!=1 | table title

and

|rest splunk_server=local /servicesNS/nobody/SplunkEnterpriseSecuritySuite/data/ui/alerts |table title

Do you see more than 30 results?

SOLNESS-18523 is due to the fact we are truncating the results at 30 hence not all the action are visible.

If you have all the entries stop showing assuming it was working previously, i would suggest first try clearing browser and splunkd cache:
https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomizationOptions#Clear_client_and_server_assets_caches_after_customization

Re: Adaptive response actions wont show up

jawaharas — Thu, 27 Jun 2019 06:26:12 GMT

Thanks for your reply. Both of above REST API returns less than 30 records.

Even after clearing browser and splunkd cache, 'Run Adaptive Response Actions' pop-up doesn't show all the 'alert action' entries.

Re: Adaptive response actions wont show up

jawaharas — Tue, 10 Sep 2019 00:41:59 GMT

Answer to my query -
Adding below config in alert_actions.conf file fix the issue.

[thehive_alert_create_alert]
param._cam = {"supports_adhoc": true}