All Apps and Add-ons

TA-threatconnect invalid keys in in alert_actions.conf; Splunk ES Adaptive Response Actions menu malfunction

Observer

How can we resolve some errors when restarting splunkd on our Splunk ES search-head?:
Invalid key in stanza [sendtoplaybook] in /opt/splunk/etc/apps/TA-threatconnect/default/alert_actions.conf, line 6: param.playbook_endpoint (value: ).
Invalid key in stanza [sendtoplaybook] in /opt/splunk/etc/apps/TA-threatconnect/default/alert_actions.conf, line 7: param.fields (value: ).
Value in stanza [sourcetype=sendtoplaybook:results] in /opt/splunk/etc/apps/TA-threatconnect/default/tags.conf, line 1 not URL encoded: sourcetype = sendtoplaybook:results

TA-threatconnect/default/alert_actions.conf is causing the Adaptive Response Actions menu to malfunction on our Splunk ES search-head.
To recreate: Open Enterprise Security -> Configure -> Content Management -> Select a Correlation Search to Edit -> Scroll to bottom of page.
Issues: Under "Adaptive Response Actions", selections " Risk Analysis" and "Notable" are missing. Selecting "+ Add New Response Action" opens an empty selection menu.

Removing TA-threatconnect/default/alert_actions.conf mitigates the splunk startup errors and the Adaptive Response Actions menu malfunction.

Any suggestions and/or fixes are welcome.

0 Karma

SplunkTrust
SplunkTrust

It looks like those errors/warning messages are related to missing .spec files, Do you have any .spec files in /opt/splunk/etc/apps/TA-threatconnect/README/ directory ?

I don't have any clue why it is causing Menu malfunction when trying to select other Adaptive Response actions.

0 Karma

New Member

This issue with the invalid key warning on startup was addressed by adding the appropriate spec files in the latest release of the App (version 3.1.4). An upgrade of the App should remove these warnings.

The missing menu items would require some more research. Is the same issue observed when using the ad-hoc AR actions?

0 Karma

Observer

Thanks for the prompt response. I see that 3.1.4 was released today. I installed it and observed no errors with alert_actions.conf upon deployment. FWIW, I see this message in splunkd.log:

03-27-2019 16:09:49.509 -0400 INFO DeployedApplication - Installing app=TA-threatconnect to='/opt/splunk/etc/apps/TA-threatconnect'
03-27-2019 16:09:49.579 -0400 ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/TA-threatconnect/metadata/default.meta: No such file or directory
03-27-2019 16:09:49.956 -0400 INFO ApplicationManager - Detected app modification: TA-threatconnect

However, the file default/data/ui/alerts/sendtoplaybook.html is still causing issues with the AR actions part of the Edit Correlation Search panel. When default/data/ui/alerts/sendtoplaybook.html is removed, AR actions selection operates normally.

.> Is the same issue observed when using the ad-hoc AR actions?
Forgive me - I'm not familiar with the ES terminology yet.

When sendtoplaybook.html is in place, the "Add New Response Action" selection appears, but selecting/expanding it results in an empty selection list. i.e., this list of actions does not appear:
Send email
Run a script
ESCU-Contextualize
ESCU-Investigate
Stream Capture
Nbtstat
Nslookup
Create Splunk messages
Ping
Add Threat Intelligence

In addition, "Risk Analysis" and "Notable" selections do not appear, so cannot be selected to open up the respective configuration sub-menus.

Does this answer the question about "ad-hoc AR actions"?

0 Karma

New Member

After updating to the latest Splunk and ES we see the same issue. We will release a 3.1.5 version to address the issue.

0 Karma

Observer

I just installed the 3.1.5 version and verified that the previously observed issue with Splunk ES Adaptive Response Actions is resolved. Thank you for the prompt response to our request for help!

0 Karma