Splunk Enterprise Security

How to pass field value to custom alert action?

wlight600
Engager

Hi!
I'm creating a custom alert action. I can use my alert action in saved alerts and correlation searches. But I have run into a problem.
When I type a plain string into the alert action, it works and my script receives the string. But when I type a variable string like: $src_ip$ is evil, after running this alert action I found that I receive the notable events, but the src_ip field is null.
How do I pass notable event field values to the alert action?

0 Karma
1 Solution

harsmarvania57
SplunkTrust

Hi,

Can you please try $result.src_ip$ instead of $src_ip$?

wlight600
Engager

You mean, when I pass a value while creating the correlation search, I should use $result.src_ip$? Do I need to write some configuration in any conf file?

0 Karma

harsmarvania57
SplunkTrust

If you are using your custom alert action directly in your search with the sendalert command, then yes, you can pass $result.src_ip$ to your custom alert action. Have a look at https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog

0 Karma
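A minimal alert action script, added here as an example and not code from this thread, showing where the value behind $result.src_ip$ actually ends up: Splunk runs a custom alert action script with --execute and writes one JSON payload to stdin, so the script can read the already-expanded parameter from "configuration" or take the field straight from the "result" row. The search name, sid, parameter name "message" and field values are constructed for illustration.

```python
"""Minimal custom alert action script showing where a notable event's field
values arrive. Splunk runs the script as `script.py --execute` and writes one
JSON payload to stdin; the parameter typed into the alert action UI arrives
already token-expanded under payload["configuration"], and the triggering
result row arrives under payload["result"]."""
import json
import sys

# Constructed sample payload (shape follows Splunk's --execute contract; the
# values are made up). "message" was typed as "$result.src_ip$ is evil".
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Threat - Example Correlation - Rule",
    "sid": "scheduler__admin__search__RMD5example",
    "configuration": {"message": "198.51.100.23 is evil"},
    "result": {"src_ip": "198.51.100.23", "dest": "10.0.0.5", "_time": "1555000000"},
})


def parse_payload(raw):
    """Parse the --execute payload and pull out what the action needs."""
    payload = json.loads(raw)
    config = payload.get("configuration", {})
    result = payload.get("result", {})
    return {
        "search_name": payload.get("search_name", ""),
        "message": config.get("message", ""),
        # Read the field from the result row directly; this works even when
        # the UI parameter was typed with the wrong token syntax.
        "src_ip": result.get("src_ip") or None,
    }


def build_notification(raw):
    """Return the text the action would forward; fail loudly on a missing field."""
    info = parse_payload(raw)
    if info["src_ip"] is None:
        # An empty src_ip here means the correlation search did not output the
        # field at all, which no token syntax can fix; check the search output.
        raise ValueError("result row has no src_ip field")
    return "[%s] %s (src_ip=%s)" % (info["search_name"], info["message"], info["src_ip"])


def main():
    if "--execute" not in sys.argv:
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute)\n")
        sys.exit(1)
    sys.stdout.write(build_notification(sys.stdin.read()) + "\n")


if __name__ == "__main__":
    main()
```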

wlight600
Engager

I have run into another problem. When I want to use the alert action in Incident Review, I can't find this action in Run Adaptive Response Actions. How do I configure it to invoke the alert action in Incident Review? Thank you very much!

0 Karma

harsmarvania57
SplunkTrust

Have a look at this doc: https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps . You need to configure ES so that it imports the config from your custom alert actions app.

0 Karma

wlight600
Engager

I had already imported the custom app at first. It seems that does not work!

0 Karma

lakshman239
SplunkTrust

When you create a custom alert action, you need to tick 'support ad-hoc invocations' [you can see this when you build the add-on using Add-on Builder], so the alert action can work in the ES framework and will be available in the list of adaptive response actions. http://dev.splunk.com/view/addon-builder/SP-CAAAFBS

0 Karma

wlight600
Engager

I created it manually, so I want to know how to do it manually!

0 Karma

harsmarvania57
SplunkTrust

What's the name of your custom app which contains the alert action config? And can you please provide the ES app_imports_update://update_es configuration?

0 Karma

wlight600
Engager

I set it in App Import Updates in ES.
Application Regular Expression: (appsbrowser)|(phantom)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(send_notify)|(sao)
The last two names are my app names. Is this set right?

0 Karma

harsmarvania57
SplunkTrust

That looks good. Have you updated it by modifying the conf file directly, OR have you updated it in Splunk ES Web? If you updated it by modifying the conf file directly, then you need to restart Splunk.

EDIT: You need to restart Splunk no matter how you modified it. See points 6 and 5 in this doc https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps#Import_add-ons_with_a_differ...

0 Karma

wlight600
Engager

Uh, the official doc misled me. I set up param.cam in alert_actions.conf. It appeared! Thank you for helping me! ^^

0 Karma

wlight600
Engager

Uh, your first answer is right. I just wrote the HTML and restarted Splunk; no need to modify the configuration. Thnx!

0 Karma