
Prepopulate inputs in custom Splunk ES adaptive response action

dmills_inov
Engager

I am currently in the process of building out a custom application which will include an adaptive response action that uses a Python script to update a system's group based on events that come into our Incident Review page. I have all of the logic working (a correlation search identifies an event and creates a notable; from there I can select the AR action, input the system's GUID into the text box, and it will go from there).

My issue is that I cannot get the correct configuration to have this field prepopulated, based on the event in the notable, when the menu is brought up. The configuration files I believe need to be updated are alert_actions.conf, alert_actions.conf.spec, savedsearches.conf.spec, and <alert_action_name>.html.

I have found some similar posts about this, but nothing that gives details about the syntax needed for each file:

https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-the-service-now-integration-work-as-...

https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Is-it-possible...

In my various config files I have the following lines:

alert_actions.conf:

param.hostname = $result.hostname$
param.connector_guid = $result.connector_guid$

alert_actions.conf.spec

param.hostname = <string>
param.connector_guid = <string>

savedsearches.conf.spec

param.hostname = <string>
param.connector_guid = <string>

<alert_action_name>.html

<form class="form-horizontal form-complex">
    <div class="control-group">
        <label class="control-label" for="custom_app_hostname">Hostname <span class="required">*</span> </label>
        <div class="controls">
            <input type="text" name="action.custom_app.param.hostname" value="$hostname$" id="custom_app_hostname"/>
            <span class="help-block">Verify this is the correct hostname; if not, then input it from the alert.</span>
        </div>
    </div>
    <div class="control-group">
        <label class="control-label" for="custom_app_cguid">Connector GUID <span class="required">*</span> </label>
        <div class="controls">
            <input type="text" name="action.custom_app.param.connector_guid" value="$connector_guid$" id="custom_app_cguid"/>
        </div>
    </div>
</form>

Below is a screenshot of the menu I am referring to that needs to be prepopulated: Menu_Example.png

 


dmills_inov
Engager

Hello, an update to this, as I figured out where I was going wrong. I had the idea that when I brought up the HTML page for the adaptive response, all the form fields would fill in with their values from the event. Instead, copying from the Splunk example, I configured my Python script to pull the value of the field that I wanted (https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/example....

So instead of opening up that page to input values, the page now has the field name, which will always be static for this process, and when I hit run the Python script pulls the value of that field from my event using this line (with field being my parameter set in my config):

parameter = result[self.configuration.get("field")]


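The approach in the accepted solution, worked through as an added example (this is not code from the original post, from Splunk, or from the ES SDK's cim_actions.py ModularAction class, which it only mimics): the action form carries a static param naming the event field, and the script reads that field from each result row Splunk hands it. Assumptions: the param is called `field`, the script is invoked the way a Splunk custom alert action is in `--execute` mode (a JSON payload on stdin with a `configuration` dict and a `results_file` path to a gzipped CSV), the downstream system expects an 8-4-4-4-12 hex GUID, and the sample rows are constructed here so the script runs offline. The GUID check is the caveat a practitioner would want: the value comes straight out of an event, so it is attacker-influenceable and should be validated before being forwarded to another system.

```python
"""Pull the per-event field an adaptive response action needs from the
results Splunk passes to the script (constructed example, not Splunk code).

Mimics --execute mode of a Splunk custom alert action: JSON payload on stdin
carrying ``configuration`` (the action.<name>.param.* values) and
``results_file`` (gzipped CSV of the triggering results). The stand-in
below replaces cim_actions.py's ModularAction so the example runs offline.
"""
import csv
import gzip
import json
import os
import re
import sys
import tempfile

# Assumed GUID shape accepted by the downstream system (8-4-4-4-12 hex).
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def load_results(results_file):
    """Yield one dict per row from Splunk's gzipped CSV results file."""
    with gzip.open(results_file, "rt", encoding="utf-8", newline="") as fh:
        for row in csv.DictReader(fh):
            yield row


def pick_field_values(payload):
    """Return a list of (value, error) pairs, one per result row.

    ``configuration['field']`` is the static param set in the action form;
    the value itself is read from each result, as in the solution's
    ``result[self.configuration.get("field")]``.
    """
    field = payload["configuration"].get("field")
    if not field:
        raise ValueError("action param 'field' is required")
    out = []
    for result in load_results(payload["results_file"]):
        value = result.get(field, "")
        if not value:
            out.append((None, "field %r missing or empty in result" % field))
        elif not GUID_RE.match(value):
            # Event data is attacker-influenceable; never forward it unvalidated.
            out.append((None, "field %r is not a well-formed GUID" % field))
        else:
            out.append((value, None))
    return out


def build_constructed_payload(tmpdir):
    """Write constructed sample results and return the payload dict that
    Splunk would otherwise deliver on stdin. Rows are invented for this example."""
    rows = [
        {"hostname": "ws-01", "connector_guid": "0b6a9e21-8c2f-4e9a-b5d1-7e4f2a1c9d30"},
        {"hostname": "ws-02", "connector_guid": "not-a-guid"},
        {"hostname": "ws-03", "connector_guid": ""},
    ]
    path = os.path.join(tmpdir, "results.csv.gz")
    with gzip.open(path, "wt", encoding="utf-8", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["hostname", "connector_guid"])
        writer.writeheader()
        writer.writerows(rows)
    return {
        "configuration": {"field": "connector_guid"},  # static param from the form
        "results_file": path,
        "sid": "scheduler__constructed__example",
    }


def run_example():
    """Run the action logic over the constructed results and return its output."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return pick_field_values(build_constructed_payload(tmpdir))


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        payload = json.load(sys.stdin)  # how Splunk invokes the action
        outcome = pick_field_values(payload)
    else:
        outcome = run_example()
    for value, error in outcome:
        print("OK   %s" % value if error is None else "SKIP %s" % error)
```

Only the first constructed row yields a usable value; the malformed and empty GUIDs are reported and skipped rather than handed to the group-update call.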