Splunk Enterprise Security

Adaptive Response Not Pulling Variables

ericl42
Path Finder

I've been using AR rules within notables for about a year now and I've had quite a bit of success with it. Previously I always just used AR to pull variables from my notables via something like this:

host = helper.get_param("host")

And since host is a field in my notable, it pulls it fine. However, this does not work for risk_object or risk_object_type. Attached is just one example of a notable that I tripped but it will not pull the risk_object or risk_object_type variable. The odd part is, that it pulls the risk_message variable fine.

I've tested this with two correlation rules that I have and neither one will pull risk_object but if I alias it to something else, it pulls it fine. Any idea what this is occurring?

alt text

Update:
It looks like the variable is just being pulled out correctly and I'm not sure why. Below is the output from the AR log.

risk_object = $risk_object$ | table _time   
risk_object_type = $risk_object$ spanning $sourceCount$ Risk Rules
0 Karma

kchamplin_splun
Splunk Employee
Splunk Employee

It looks like you're using add-on builder to make the AR action. It could be something internal to the helper class in AoB. The "get_param()" method used to be purely for pulling values specified in alert_actions.conf, not from the raw events themselves.
https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/PythonHelperFunctions

To pull the actual values from the event, you could follow the sample pattern as follows:
events = helper.get_events()
for event in events:
ro = event['risk_object']

0 Karma

ericl42
Path Finder

I've tried that as well and it still doesn't appear to be working.

Code:

events = helper.get_events()
for event in events:
    print(event)
    risk_object = event.get("risk_object")
    helper.log_info("event.get(\"risk_object\")={}".format(risk_object))
    risk_object_type = event.get("risk_object_type")
    helper.log_info("event.get(\"risk_object_type\")={}".format(risk_object_type))
    risk_message = event.get("risk_message")
    helper.log_info("event.get(\"risk_message\")={}".format(risk_message))

Output:
signature="event.get("risk_object_type")=None"

0 Karma