Splunk Enterprise Security

Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

irsysintegratio
Path Finder

Hello,

We have an AR Action, and it works fine with correlation search. But when we try to invoke it as adhoc action, it failed with the following error message:
ActiveResponseException: Invalid parameter for adhoc modular action.

Now we use sendalert command in our alert_actions.conf, so according to the Splunk document, it should support adhoc invocation. The command we use in our alert_actions.conf follows the Splunk example for adaptive response:
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count

None of the log files in $SPLUNK_HOME/var/log/splunk folder provides useful information. How can we debug this please?

Thanks!

0 Karma
1 Solution

irsysintegratio
Path Finder

I am going to answer my question. 🙂

From help from Splunk ES support, it turns out each field (parameter) in the alert UI must be specified in the alert_actions.conf (and defined in the alert_actions.conf.spec). This is not required for invocation from correlation search.

View solution in original post

simon_lavigne
Path Finder

@jawaharas can you upload the screenshot again? Getting a 403.

0 Karma

jawaharas
Motivator

Here you go - http://prnt.sc/p40i0c

Just create fields in alert_actions.conf corresponding to each field in the 'Adaptive Response Action' page.

0 Karma

simon_lavigne
Path Finder

Thanks @jawaharas, just so happens I'm fault finding the TheHive add-on too

0 Karma

jawaharas
Motivator

A picture speaks a thousand words - https://prnt.sc/

Just create fields in alert_actions.conf corresponding to each field in the 'Adaptive Response Action' page.

0 Karma

irsysintegratio
Path Finder

I am going to answer my question. 🙂

From help from Splunk ES support, it turns out each field (parameter) in the alert UI must be specified in the alert_actions.conf (and defined in the alert_actions.conf.spec). This is not required for invocation from correlation search.

jamesbrock
Path Finder

did you have to break out the command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" into individual fields and add each to the spec file ?

0 Karma

hazekamp
Builder

No, you do not have to specify things like action_name, results_file, results_link, etc as these are internal to sendalert. This error commonly occurs when you define parameters in the action HTML that aren't represented in alert_actions.conf.spec and alert_actions.conf...

0 Karma

lakshman239
SplunkTrust
SplunkTrust

When we develop a TA using add-on builder and then update the alert actions, as part of packaging/merging, the add-on builder doesn't merge the local/alert_actions.conf to default, causing this issue. possibly its a bug in add-on builder?

0 Karma

kchamplin_splun
Splunk Employee
Splunk Employee

AoB will merge those BTW - you need to export it as an SPL package - which is the last option in the project flow in AoB.

0 Karma

lakshman239
SplunkTrust
SplunkTrust

Kyle - I did validate the package, exported the spl file and looked at the contents of the alert_action.conf and it was different from the contents in the local folder. So, merge didn't happen. I used AOB 2.2.0

0 Karma

lakshman239
SplunkTrust
SplunkTrust

So, my invocation via correlation search worked, but not via adhoc means. After i merged them manually (as per spec), both worked.

0 Karma

hazekamp
Builder

I'm not exactly sure what we're referring to with respect to "add-on builder doesn't merge the local/alert_actions.conf" to default. When you install the app, Splunk's API will dynamically layer local configurations onto the defaults, so while the best practice would be to ship everything in default, this should not be the source of your breakage.

0 Karma

lakshman239
SplunkTrust
SplunkTrust

unfortunately, the AOB didn't package them on to default, overwritting the old version of alert_actions.conf.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...