https://community.splunk.com/t5/Splunk-Enterprise-Security/Adaptive-Response-Not-Pulling-Variables/m-p/466792#M6987 <P>I've tried that as well and it still doesn't appear to be working.</P> <P>Code:</P> <PRE><CODE>events = helper.get_events() for event in events: print(event) risk_object = event.get("risk_object") helper.log_info("event.get(\"risk_object\")={}".format(risk_object)) risk_object_type = event.get("risk_object_type") helper.log_info("event.get(\"risk_object_type\")={}".format(risk_object_type)) risk_message = event.get("risk_message") helper.log_info("event.get(\"risk_message\")={}".format(risk_message)) </CODE></PRE> <P>Output:<BR /> signature="event.get("risk_object_type")=None"</P> Wed, 30 Sep 2020 03:27:39 GMT ericl42 2020-09-30T03:27:39Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Adaptive-Response-Not-Pulling-Variables/m-p/466790#M6985 <P>I've been using AR rules within notables for about a year now and I've had quite a bit of success with it. Previously I always just used AR to pull variables from my notables via something like this:</P> <P>host = helper.get_param("host")</P> <P>And since host is a field in my notable, it pulls it fine. However, this does not work for risk_object or risk_object_type. Attached is just one example of a notable that I tripped but it will not pull the risk_object or risk_object_type variable. The odd part is, that it pulls the risk_message variable fine.</P> <P>I've tested this with two correlation rules that I have and neither one will pull risk_object but if I alias it to something else, it pulls it fine. Any idea what this is occurring?</P> <P><IMG src="https://community.splunk.com/storage/temp/277823-risk-object-notable.png" alt="alt text" /></P> <P><STRONG>Update:</STRONG><BR /> It looks like the variable is just being pulled out correctly and I'm not sure why. Below is the output from the AR log.</P> <PRE><CODE>risk_object = $risk_object$ | table _time risk_object_type = $risk_object$ spanning $sourceCount$ Risk Rules </CODE></PRE> Wed, 30 Sep 2020 03:23:19 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Adaptive-Response-Not-Pulling-Variables/m-p/466790#M6985 ericl42 2020-09-30T03:23:19Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Adaptive-Response-Not-Pulling-Variables/m-p/466791#M6986 <P>It looks like you're using add-on builder to make the AR action. It could be something internal to the helper class in AoB. The "get_param()" method used to be purely for pulling values specified in alert_actions.conf, not from the raw events themselves. <BR /> <A href="https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/PythonHelperFunctions" target="_blank">https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/PythonHelperFunctions</A></P> <P>To pull the actual values from the event, you could follow the sample pattern as follows:<BR /> events = helper.get_events()<BR /> for event in events:<BR /> ro = event['risk_object']</P> Wed, 30 Sep 2020 03:24:43 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Adaptive-Response-Not-Pulling-Variables/m-p/466791#M6986 kchamplin_splun 2020-09-30T03:24:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Adaptive-Response-Not-Pulling-Variables/m-p/466792#M6987 <P>I've tried that as well and it still doesn't appear to be working.</P> <P>Code:</P> <PRE><CODE>events = helper.get_events() for event in events: print(event) risk_object = event.get("risk_object") helper.log_info("event.get(\"risk_object\")={}".format(risk_object)) risk_object_type = event.get("risk_object_type") helper.log_info("event.get(\"risk_object_type\")={}".format(risk_object_type)) risk_message = event.get("risk_message") helper.log_info("event.get(\"risk_message\")={}".format(risk_message)) </CODE></PRE> <P>Output:<BR /> signature="event.get("risk_object_type")=None"</P> Wed, 30 Sep 2020 03:27:39 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Adaptive-Response-Not-Pulling-Variables/m-p/466792#M6987 ericl42 2020-09-30T03:27:39Z