How can we resolve some errors when restarting splunkd on our Splunk ES search-head?:
Invalid key in stanza [sendtoplaybook] in /opt/splunk/etc/apps/TA-threatconnect/default/alert_actions.conf, line 6: param.playbook_endpoint (value: ).
Invalid key in stanza [sendtoplaybook] in /opt/splunk/etc/apps/TA-threatconnect/default/alert_actions.conf, line 7: param.fields (value: ).
Value in stanza [sourcetype=sendtoplaybook:results] in /opt/splunk/etc/apps/TA-threatconnect/default/tags.conf, line 1 not URL encoded: sourcetype = sendtoplaybook:results
TA-threatconnect/default/alert_actions.conf is causing the Adaptive Response Actions menu to malfunction on our Splunk ES search-head.
To recreate: Open Enterprise Security -> Configure -> Content Management -> Select a Correlation Search to Edit -> Scroll to bottom of page.
Issues: Under "Adaptive Response Actions", selections "Risk Analysis" and "Notable" are missing. Selecting "+ Add New Response Action" opens an empty selection menu.
Removing TA-threatconnect/default/alert_actions.conf mitigates the splunk startup errors and the Adaptive Response Actions menu malfunction.
Any suggestions and/or fixes are welcome.
It looks like those errors/warning messages are related to missing .spec files. Do you have any .spec files in the /opt/splunk/etc/apps/TA-threatconnect/README/ directory?
I don't have any clue why it is causing the menu malfunction when trying to select other Adaptive Response actions.
This issue with the invalid key warning on startup was addressed by adding the appropriate spec files in the latest release of the App (version 3.1.4). An upgrade of the App should remove these warnings.
The missing menu items would require some more research. Is the same issue observed when using the ad-hoc AR actions?
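To make the startup warnings in the question concrete, here is an added Python script (not from this thread, from Splunk, or from the TA-threatconnect app) that reproduces, in simplified form, the two checks behind them: a key in a stanza that no .spec file declares produces "Invalid key in stanza", and a tags.conf stanza whose <field>=<value> name contains characters such as ":" that are not URL-encoded produces "not URL encoded". It then shows both warnings disappearing once an app-level README/alert_actions.conf.spec declares the two params and the tags.conf stanza uses %3A for the colon. The conf, spec and tags.conf texts are constructed for the example; the [default] stanza standing in for Splunk's system-wide alert_actions.conf.spec is a simplification, not the real spec file.

```python
"""Simplified reproduction of two Splunk conf validations seen at splunkd startup.
Added example; the inputs below are constructed, not taken from the app."""
import re
from urllib.parse import quote, unquote

# Constructed stand-in for TA-threatconnect/default/alert_actions.conf (lines 6-7 of
# the question have empty param values, which is what the warning reports).
ALERT_ACTIONS_CONF = """\
[sendtoplaybook]
is_custom = 1
label = Send to playbook
param.playbook_endpoint =
param.fields =
"""

# Constructed stand-in for Splunk's system-wide spec: is_custom and label are
# declared by Splunk itself, so only the app-specific params are undeclared.
# (Using a [default] stanza here is a simplification of the real spec format.)
SYSTEM_SPEC = """\
[default]
is_custom = [1|0]
label = <string>
"""

# Constructed app-level README/alert_actions.conf.spec declaring the two params.
APP_SPEC = """\
[sendtoplaybook]
param.playbook_endpoint = <string>
param.fields = <string>
"""

# Constructed tags.conf before and after URL-encoding the colon in the value.
TAGS_CONF_BEFORE = "[sourcetype=sendtoplaybook:results]\nplaybook = enabled\n"
TAGS_CONF_AFTER = "[sourcetype=sendtoplaybook%3Aresults]\nplaybook = enabled\n"


def parse_conf(text):
    """Parse Splunk-style .conf/.spec text into {stanza: {key: value}}.
    Blank lines, '#' comments and '*' description lines are ignored."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("*"):
            continue
        match = re.match(r"^\[(.*)\]$", line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_specs(*spec_texts):
    """Combine several spec files into one {stanza: {key: type}} mapping."""
    merged = {}
    for text in spec_texts:
        for stanza, keys in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def undeclared_keys(conf, spec):
    """(stanza, key) pairs present in conf but declared by neither the matching
    spec stanza nor the spec's [default] stanza."""
    problems = []
    for stanza, keys in conf.items():
        allowed = set(spec.get(stanza, {})) | set(spec.get("default", {}))
        problems.extend((stanza, key) for key in keys if key not in allowed)
    return problems


def tag_stanza_not_url_encoded(stanza):
    """True when the <value> part of a tags.conf stanza name would change under
    URL encoding, i.e. it contains characters Splunk expects to be %-encoded.
    Approximation of Splunk's check: an already-encoded value round-trips."""
    _field, sep, value = stanza.partition("=")
    if not sep:
        return False
    return quote(unquote(value), safe="") != value


def startup_warnings(conf_text, spec_texts, tags_text):
    """Return the warning lines a simplified validator would emit for these files."""
    warnings = []
    conf = parse_conf(conf_text)
    spec = merge_specs(*spec_texts)
    for stanza, key in undeclared_keys(conf, spec):
        warnings.append(
            f"Invalid key in stanza [{stanza}]: {key} (value: {conf[stanza][key]})"
        )
    for stanza in parse_conf(tags_text):
        if tag_stanza_not_url_encoded(stanza):
            warnings.append(f"Value in stanza [{stanza}] not URL encoded")
    return warnings


if __name__ == "__main__":
    print("Before the fix (no app spec, raw colon in tags.conf):")
    for line in startup_warnings(ALERT_ACTIONS_CONF, [SYSTEM_SPEC], TAGS_CONF_BEFORE):
        print("  ", line)
    print("After the fix (app spec present, %3A in tags.conf):")
    print("  ", startup_warnings(ALERT_ACTIONS_CONF, [SYSTEM_SPEC, APP_SPEC], TAGS_CONF_AFTER))
```

On a real search head the equivalent check is `splunk btool check`, which reads the spec files under each app's README/ directory; the script above only models the two warning types quoted in the question, not the full set of btool validations.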
Thanks for the prompt response. I see that 3.1.4 was released today. I installed it and observed no errors with alert_actions.conf upon deployment. FWIW, I see this message in splunkd.log:
03-27-2019 16:09:49.509 -0400 INFO DeployedApplication - Installing app=TA-threatconnect to='/opt/splunk/etc/apps/TA-threatconnect'
03-27-2019 16:09:49.579 -0400 ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/TA-threatconnect/metadata/default.meta: No such file or directory
03-27-2019 16:09:49.956 -0400 INFO ApplicationManager - Detected app modification: TA-threatconnect
However, the file default/data/ui/alerts/sendtoplaybook.html is still causing issues with the AR actions part of the Edit Correlation Search panel. When default/data/ui/alerts/sendtoplaybook.html is removed, AR actions selection operates normally.
> Is the same issue observed when using the ad-hoc AR actions?
Forgive me - I'm not familiar with the ES terminology yet.
When sendtoplaybook.html is in place, the "Add New Response Action" selection appears, but selecting/expanding it results in an empty selection list. i.e., this list of actions does not appear:
Send email
Run a script
ESCU-Contextualize
ESCU-Investigate
Stream Capture
Nbtstat
Nslookup
Create Splunk messages
Ping
Add Threat Intelligence
In addition, "Risk Analysis" and "Notable" selections do not appear, so cannot be selected to open up the respective configuration sub-menus.
Does this answer the question about "ad-hoc AR actions"?
After updating to the latest Splunk and ES we see the same issue. We will release a 3.1.5 version to address the issue.
I just installed the 3.1.5 version and verified that the previously observed issue with Splunk ES Adaptive Response Actions is resolved. Thank you for the prompt response to our request for help!