Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adaptive Response Not Pulling Variables

ericl42
Path Finder
‎12-17-2019 01:23 PM

I've been using AR rules within notables for about a year now and I've had quite a bit of success with it. Previously I always just used AR to pull variables from my notables via something like this:

host = helper.get_param("host")

And since host is a field in my notable, it pulls it fine. However, this does not work for risk_object or risk_object_type. Attached is just one example of a notable that I tripped but it will not pull the risk_object or risk_object_type variable. The odd part is, that it pulls the risk_message variable fine.

I've tested this with two correlation rules that I have and neither one will pull risk_object but if I alias it to something else, it pulls it fine. Any idea what this is occurring?

alt text

Update:
It looks like the variable is just being pulled out correctly and I'm not sure why. Below is the output from the AR log.

risk_object = $risk_object$ | table _time   
risk_object_type = $risk_object$ spanning $sourceCount$ Risk Rules
risk-object-notable.png
Preview file
60 KB
0 Karma
Reply

kchamplin_splun
Splunk Employee
Splunk Employee
‎12-18-2019 09:22 AM

It looks like you're using add-on builder to make the AR action. It could be something internal to the helper class in AoB. The "get_param()" method used to be purely for pulling values specified in alert_actions.conf, not from the raw events themselves.
https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/PythonHelperFunctions

To pull the actual values from the event, you could follow the sample pattern as follows:
events = helper.get_events()
for event in events:
ro = event['risk_object']

0 Karma
Reply

ericl42
Path Finder
‎12-18-2019 09:43 AM

I've tried that as well and it still doesn't appear to be working.

Code:

events = helper.get_events()
for event in events:
    print(event)
    risk_object = event.get("risk_object")
    helper.log_info("event.get(\"risk_object\")={}".format(risk_object))
    risk_object_type = event.get("risk_object_type")
    helper.log_info("event.get(\"risk_object_type\")={}".format(risk_object_type))
    risk_message = event.get("risk_message")
    helper.log_info("event.get(\"risk_message\")={}".format(risk_message))

Output:
signature="event.get("risk_object_type")=None"

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top