Splunk Enterprise Security

Current User Variable within Adaptive Response

ericl42
Path Finder

We're using an adaptive response rule to create tickets for our notable events. One item that I need is the current logged in user variable that I can call and then pass to the ticketing system.

I would prefer not to modify all of my correlation rules and insert the logged in user name there and just rely on an environment variable or another form. I've read a few articles and I know I can query the API via the command below to grab the information but I hope there is an easier way.

| rest /services/authentication/current-context splunk_server=local | fields username

I've also read some forum posts stating that $env:user$ should work. All of the examples I've seen are in XML and Dashboards. When I try to call that within my adaptive response rule either via Python code or alert action parameters, it doesn't work. It just prints out $env:user$ instead of any variable.

Most of my variables today follow the $result.something$ format since they are all in the notable event, but as I mentioned above, I would prefer not to have to insert that in all of my events.

What is the easiest way to get the logged in user variable via adaptive response/Python code?

0 Karma

solarboyz1
Builder

As I understand the question, you want the adaptive response to pass the name of the user who ran the search?

Based on the following, you should be able to use job tokens in your adaptive response:
https://docs.splunk.com/Documentation/SplunkCloud/latest/AdvancedDev/ModAlertsLog

Based on the following, the property $job.delegate$ should contain the name of the user who ran the search:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Search/ViewsearchjobpropertieswiththeJobInspector...

By default, the job.delegate value will be the scheduler.

0 Karma

ericl42
Path Finder

The notable events will be run in the background as some system account. If Bob is logged in and working on a notable event, I want the logged-in user variable to be Bob so I can auto-assign the external ticket I create to him by passing his username variable.

If John is logged in doing a notable event, it should be John that is the user variable.

0 Karma

solarboyz1
Builder

So, if Bob is logged into Splunk, you want all correlation searches to pass Bob as the username to the adaptive response? I don't know of any way to accomplish that.

| rest /services/authentication/current-context splunk_server=local

Should only return the context of the user who ran the search, so if you added this to the correlation search I'd be interested to see what it returns for the scheduler, since the scheduler is running its searches under its own user context.

Even if, in your script example using environment variables, the environment variable were based on the user who is running the script, it would not have information about other users on the system, which is really the challenge.

If only one user is logged in at a time, then you could look for all users who have active logins:
| rest /services/authentication/httpauth-tokens splunk_server=local | fields userName

After excluding all the system userNames, assuming the correlation search has access to the REST endpoint, and that only one user is logged in, this would give you the username of a user logged into Splunk at the time the correlation search ran.

0 Karma
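One way to act on the httpauth-tokens suggestion from inside a custom alert action script, added here as an example rather than code from this thread: it filters the token listing down to non-system users and only picks an assignee when exactly one remains, so an ambiguous result never auto-assigns a ticket to the wrong analyst. The payload field names server_uri and session_key, the output_mode=json entry layout, and the system-account list are assumptions; the token listing below is constructed, not captured from a real instance.

```python
import json
import sys
import urllib.request

# Constructed sample of what /services/authentication/httpauth-tokens?output_mode=json
# returns, trimmed to the one field used here (assumed layout).
SAMPLE_TOKENS = {
    "entry": [
        {"content": {"userName": "splunk-system-user"}},
        {"content": {"userName": "bob"}},
        {"content": {"userName": "bob"}},  # same analyst, a second browser session
    ]
}

# Accounts that never correspond to an analyst working a notable (assumed list;
# extend it with the service accounts present in your deployment).
SYSTEM_USERS = {"splunk-system-user", "nobody"}


def active_users(tokens, system_users=SYSTEM_USERS):
    """Distinct non-system usernames that hold a live httpauth token."""
    names = {e["content"]["userName"] for e in tokens.get("entry", [])}
    return sorted(names - set(system_users))


def pick_assignee(tokens, system_users=SYSTEM_USERS):
    """Return the single logged-in analyst, or None when more than one (or none) is active.

    Returning None instead of guessing is deliberate: leaving the ticket unassigned
    for triage is safer than routing it to whoever happened to log in first.
    """
    users = active_users(tokens, system_users)
    return users[0] if len(users) == 1 else None


def fetch_tokens(server_uri, session_key):
    """Query the REST endpoint with the session key Splunk hands the alert script."""
    req = urllib.request.Request(
        server_uri + "/services/authentication/httpauth-tokens?output_mode=json",
        headers={"Authorization": "Splunk " + session_key},
    )
    # Assumes the splunkd certificate is trusted by the host running the script.
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__" and "--execute" in sys.argv:
    # Splunk runs a custom alert action as `script.py --execute` with a JSON payload
    # on stdin; server_uri and session_key are assumed to be among its fields.
    payload = json.load(sys.stdin)
    assignee = pick_assignee(fetch_tokens(payload["server_uri"], payload["session_key"]))
    print(assignee or "unassigned")
```

The same single-user caveat solarboyz1 raises still applies: with two analysts logged in, pick_assignee returns None and the ticket must be assigned by hand.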