I've been using AR rules within notables for about a year now and I've had quite a bit of success with it. Previously I always just used AR to pull variables from my notables via something like this:
host = helper.get_param("host")
And since host is a field in my notable, it pulls it fine. However, this does not work for risk_object or risk_object_type. Attached is just one example of a notable that I tripped but it will not pull the risk_object or risk_object_type variable. The odd part is, that it pulls the risk_message variable fine.
I've tested this with two correlation rules that I have and neither one will pull risk_object, but if I alias it to something else, it pulls it fine. Any idea why this is occurring?
Update:
It looks like the variable is just being pulled out correctly and I'm not sure why. Below is the output from the AR log.
risk_object = $risk_object$ | table _time
risk_object_type = $risk_object$ spanning $sourceCount$ Risk Rules
It looks like you're using add-on builder to make the AR action. It could be something internal to the helper class in AoB. The "get_param()" method used to be purely for pulling values specified in alert_actions.conf, not from the raw events themselves.
https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/PythonHelperFunctions
To pull the actual values from the event, you could follow the sample pattern as follows:
events = helper.get_events()  # the raw events the alert action was triggered on
for event in events:
    ro = event['risk_object']  # read the field from the event itself, not from alert_actions.conf
I've tried that as well and it still doesn't appear to be working.
Code:
events = helper.get_events()
for event in events:
    print(event)  # dump the whole event so the available field names can be compared
    risk_object = event.get("risk_object")
    helper.log_info("event.get(\"risk_object\")={}".format(risk_object))
    risk_object_type = event.get("risk_object_type")
    helper.log_info("event.get(\"risk_object_type\")={}".format(risk_object_type))
    risk_message = event.get("risk_message")
    helper.log_info("event.get(\"risk_message\")={}".format(risk_message))
Output:
signature="event.get("risk_object_type")=None"
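A defensive version of the helper.get_events() loop, added here as an example and not code from the thread or from Add-on Builder: it reads each risk field from the event dict, treats a value that still carries an unexpanded $token$ (like the "$risk_object$ | table _time" seen in the AR log in the update) the same as a missing field, and reports which fields did not resolve. The event_id field, the sample events and the log callable are constructed stand-ins for the real notable and the AoB helper.

```python
import re
from typing import Optional
# An unexpanded Splunk token such as $risk_object$ left in a field value, as in the
# "risk_object = $risk_object$ | table _time" line from the AR log quoted in the update.
UNEXPANDED_TOKEN = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*\$")
RISK_FIELDS = ("risk_object", "risk_object_type", "risk_message")

def get_field(event: dict, name: str) -> Optional[str]:
    """Return the field from a notable event dict, or None if it is missing,
    empty, or still contains an unexpanded $token$."""
    value = event.get(name)
    if isinstance(value, list):  # multivalue field: use the first non-empty entry
        value = next((v for v in value if v), None)
    if value is None:
        return None
    value = str(value).strip()
    if not value or UNEXPANDED_TOKEN.search(value):
        return None
    return value

def extract_risk_fields(event: dict) -> dict:
    """Collect the risk fields plus the names of those that could not be resolved."""
    result = {name: get_field(event, name) for name in RISK_FIELDS}
    result["unresolved"] = [n for n in RISK_FIELDS if result[n] is None]
    return result

def process_events(events, log=print) -> list:
    """Apply extract_risk_fields to each event (helper.get_events() in AoB) and log unresolved ones."""
    out = []
    for event in events:
        fields = extract_risk_fields(event)
        if fields["unresolved"]:
            log("unresolved risk fields {} in event {}".format(
                fields["unresolved"], event.get("event_id", "?")))
        out.append(fields)
    return out

# Constructed sample events standing in for helper.get_events(); not real notable data.
SAMPLE_EVENTS = [
    {"event_id": "constructed-1", "risk_object": "$risk_object$ | table _time",
     "risk_object_type": "$risk_object$ spanning $sourceCount$ Risk Rules",
     "risk_message": "constructed risk message"},
    {"event_id": "constructed-2", "risk_object": "host01.example.invalid",
     "risk_object_type": "system", "risk_message": "constructed risk message"},
]

if __name__ == "__main__":
    for row in process_events(SAMPLE_EVENTS):
        print(row)
```

Inside an AoB alert action, pass helper.get_events() and helper.log_info in place of SAMPLE_EVENTS and print.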