Splunk Enterprise Security

How to pass field value to custom alert action?

wlight600
Engager

Hi!
I'm creating a custom alert action. I can use my alert action in saved alerts and correlation searches. But I've run into a problem.
When I type a plain string into the alert action, it works and my script receives the string. But when I type a variable string like "$src_ip$ is evil" and run this alert action, I find that I receive the Notable events, but the src_ip field is null.
How do I pass Notable event field values to the alert action?

0 Karma
1 Solution

harsmarvania57
SplunkTrust

Hi,

Can you please try $result.src_ip$ instead of $src_ip$?



wlight600
Engager

You mean, when I pass a value while creating a correlation search, I should use $result.src_ip$? Do I need to write some configuration in any conf?

0 Karma

harsmarvania57
SplunkTrust

If you are using your custom alert action directly in your search with the sendalert command, then yes, you can pass $result.src_ip$ to your custom alert action. Have a look at https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog

0 Karma
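To make the $result.src_ip$ advice concrete, here is an added example of what a custom alert action script sees on stdin when Splunk runs it with --execute. It is not the poster's script and not Splunk's own code; the parameter name `target`, the search name, the sid and the field values are constructed for the example. Token substitution happens before the script runs, so a parameter written as `$result.src_ip$ is evil` arrives with the real IP in `configuration`, and the same field is also readable directly from the `result` row. The script also flags a parameter whose value still carries a `$...$` token or is empty, which is the symptom in the question.

```python
#!/usr/bin/env python3
"""Skeleton of a Splunk custom alert action script (bin/<stanza>.py).

Added example, not the original poster's script. Splunk invokes the script
with "--execute" and writes one JSON document to stdin. Tokens in the action's
parameters are substituted before the script runs, so "$result.src_ip$ is evil"
reaches payload["configuration"] with the real value, and the row that fired
the alert is available as payload["result"].
"""
import json
import sys

# Constructed payload in the shape Splunk sends (sid, search_name, field
# values and the parameter name "target" are made up for this example).
SAMPLE_PAYLOAD = json.dumps({
    "sid": "scheduler__admin__search__RMD5constructed",
    "search_name": "Example - Suspicious Source IP - Rule",
    "app": "SplunkEnterpriseSecuritySuite",
    "owner": "admin",
    "configuration": {"target": "10.0.0.5 is evil", "severity": "high"},
    "result": {"src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "count": "7"},
})

# Constructed payload mimicking the question's symptom: the token was written
# as $src_ip$ instead of $result.src_ip$ and did not resolve to the field value.
SAMPLE_PAYLOAD_UNRESOLVED = json.dumps({
    "sid": "scheduler__admin__search__RMD5constructed",
    "search_name": "Example - Suspicious Source IP - Rule",
    "configuration": {"target": "$src_ip$ is evil"},
    "result": {"src_ip": "10.0.0.5"},
})


def bad_params(configuration):
    """Names of parameters that are empty or still contain a $token$."""
    return sorted(
        name for name, value in configuration.items()
        if not isinstance(value, str) or value == "" or value.count("$") >= 2
    )


def summarize_alert(payload_text):
    """Parse the stdin payload and pull out what the action needs to act on."""
    payload = json.loads(payload_text)
    configuration = payload.get("configuration", {})
    result = payload.get("result", {})
    return {
        "search_name": payload.get("search_name"),
        "sid": payload.get("sid"),
        "target": configuration.get("target"),
        # Reading the field straight from the result row does not depend on
        # how the parameter token was written.
        "src_ip": result.get("src_ip"),
        "bad_params": bad_params(configuration),
    }


def main():
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute)\n")
        return 1
    summary = summarize_alert(sys.stdin.read())
    # Anything written to stderr ends up in splunkd.log, which is where the
    # ModAlertsLog doc linked above says custom alert actions should log.
    if summary["bad_params"]:
        sys.stderr.write("WARN unresolved or empty params: %s\n"
                         % ", ".join(summary["bad_params"]))
    sys.stderr.write("INFO search=%r sid=%s target=%r src_ip=%r\n" % (
        summary["search_name"], summary["sid"],
        summary["target"], summary["src_ip"]))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To exercise it outside Splunk, pipe the constructed payload into the script: `python3 -c 'import my_action; print(my_action.SAMPLE_PAYLOAD)' | python3 my_action.py --execute`, then check splunkd.log (or the terminal's stderr here) for the INFO line.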

wlight600
Engager

I've run into another problem. When I want to use the alert action in Incident Review, I can't find this action under Run Adaptive Response Actions. How do I configure it so the alert action can be invoked from Incident Review? Thank you very much!

0 Karma

harsmarvania57
SplunkTrust

Have a look at this doc https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps ; you need to configure ES so that it imports the config from your custom alert action's app.

0 Karma

wlight600
Engager

I had already imported the custom app at the start. It seems that does not work!

0 Karma

lakshman239
SplunkTrust

When you create a custom alert action, you need to tick 'support ad-hoc invocations' [you can see this when you build the add-on using Add-on Builder], so the alert action can work in the ES framework and will be available in the list of adaptive responses. http://dev.splunk.com/view/addon-builder/SP-CAAAFBS

0 Karma
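The 'support ad-hoc invocations' checkbox in Add-on Builder corresponds to a setting in the action's alert_actions.conf stanza: the `param._cam` key (note the underscore) holds a JSON document in ES's Common Action Model, and `"supports_adhoc": true` is what makes the action show up under Run Adaptive Response Actions in Incident Review. The added example below, which is not code from the thread or from Splunk, renders such a stanza and then checks an existing alert_actions.conf for stanzas that are ad-hoc enabled. The key names `category`, `task`, `subject`, `technology`, `supports_adhoc` and `required_fields` follow the ES adaptive response documentation; the stanza names, labels, vendor/product strings and the `required_fields` value are constructed.

```python
"""Render and check the param._cam setting in alert_actions.conf.

Added example for the thread above; stanza names and values are constructed.
"""
import configparser
import json


def build_cam(category, task, subject, vendor, product, version,
              supports_adhoc=True, required_fields=None):
    """Assemble the Common Action Model document ES reads from param._cam."""
    cam = {
        "category": [category],
        "task": [task],
        "subject": [subject],
        "technology": [{"vendor": vendor, "product": product, "version": [version]}],
        # This is the flag behind Add-on Builder's 'support ad-hoc invocations'.
        "supports_adhoc": bool(supports_adhoc),
    }
    if required_fields:
        cam["required_fields"] = list(required_fields)
    return cam


def render_stanza(name, label, cam):
    """Return the alert_actions.conf stanza text for a custom action."""
    lines = [
        "[%s]" % name,
        "is_custom = 1",
        "label = %s" % label,
        "payload_format = json",
        # The JSON must stay on one line; conf files are line oriented.
        "param._cam = " + json.dumps(cam, separators=(",", ":")),
    ]
    return "\n".join(lines) + "\n"


def load_cam(conf_text, stanza):
    """Parse param._cam for one stanza; None if absent or not valid JSON."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get(stanza, "param._cam", fallback=None)
    if raw is None:
        return None
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def adhoc_actions(conf_text):
    """Names of stanzas that ES will offer as ad-hoc adaptive responses."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(conf_text)
    return [s for s in parser.sections()
            if (load_cam(conf_text, s) or {}).get("supports_adhoc") is True]


# Constructed alert_actions.conf with one ad-hoc action, one that is not,
# and one ordinary action without param._cam at all.
SAMPLE_CONF = (
    render_stanza("my_notify", "Notify SOC (constructed example)",
                  build_cam("Information Gathering", "create", "endpoint",
                            "Example Vendor", "Example Product", "1.0",
                            supports_adhoc=True, required_fields=["src_ip"]))
    + render_stanza("legacy_notify", "Legacy notifier (constructed example)",
                    build_cam("Information Gathering", "create", "endpoint",
                              "Example Vendor", "Example Product", "0.9",
                              supports_adhoc=False))
    + "[plain_email]\nis_custom = 1\nlabel = Plain email\n"
)

if __name__ == "__main__":
    print(SAMPLE_CONF)
    print("ad-hoc enabled:", adhoc_actions(SAMPLE_CONF))
```

Point `adhoc_actions` at the contents of your app's default/alert_actions.conf (and local/alert_actions.conf, which overrides it) to confirm the flag is set before looking elsewhere; as the rest of the thread shows, the app must also match the ES app-import regular expression and Splunk must be restarted after editing conf files.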

wlight600
Engager

I created it manually, so I want to know how to do this manually!

0 Karma

harsmarvania57
SplunkTrust

What's the name of your custom app which contains the alert action config? And can you please provide the ES app_imports_update://update_es configuration?

0 Karma

wlight600
Engager

I set it in App Import Updates in ES.
Application Regular Expression: (appsbrowser)|(phantom)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(send_notify)|(sao)
The last two names are my app names; is this set right?

0 Karma

harsmarvania57
SplunkTrust

That looks good. Have you updated it by modifying the conf file directly, OR have you updated it in Splunk ES Web? If you updated it by modifying the conf file directly then you need to restart Splunk.

EDIT: You need to restart Splunk no matter how you modified it. See points 6 and 5 in this doc https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps#Import_add-ons_with_a_differ...

0 Karma

wlight600
Engager

Uh, the official doc misled me. I set up param.cam in alert_actions.conf. It appeared! Thank you for helping me! ^^

0 Karma

wlight600
Engager

Uh, your first answer is right. I just wrote the html and restarted Splunk, no need to modify the configuration. Thanks!

0 Karma