Splunk Enterprise Security

Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed

Path Finder

Hello,

We have an AR Action, and it works fine with a correlation search. But when we try to invoke it as an adhoc action, it fails with the following error message:
ActiveResponseException: Invalid parameter for adhoc modular action.

Now we use sendalert command in our alert_actions.conf, so according to the Splunk document, it should support adhoc invocation. The command we use in our alert_actions.conf follows the Splunk example for adaptive response:
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count

None of the log files in the $SPLUNK_HOME/var/log/splunk folder provide useful information. How can we debug this, please?

Thanks!

1 Solution

Path Finder

I am going to answer my question. 🙂

With help from Splunk ES support, it turns out each field (parameter) in the alert UI must be specified in alert_actions.conf (and defined in alert_actions.conf.spec). This is not required for invocation from a correlation search.

Path Finder

@jawaharas can you upload the screenshot again? Getting a 403.


Motivator

Here you go - http://prnt.sc/p40i0c

Just create fields in alert_actions.conf corresponding to each field in the 'Adaptive Response Action' page.


Path Finder

Thanks @jawaharas, it just so happens I'm fault finding the TheHive add-on too.


Motivator

A picture speaks a thousand words - https://prnt.sc/

Just create fields in alert_actions.conf corresponding to each field in the 'Adaptive Response Action' page.


Path Finder

Did you have to break out the command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" into individual fields and add each to the spec file?


Builder

No, you do not have to specify things like action_name, results_file, results_link, etc., as these are internal to sendalert. This error commonly occurs when you define parameters in the action HTML that aren't represented in alert_actions.conf.spec and alert_actions.conf...

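The accepted answer and the reply above describe the same condition: every `param.<name>` field in the action's HTML form must also appear as a `param.<name>` key in alert_actions.conf and alert_actions.conf.spec. As an added example (not code from the thread or from Splunk), this small checker parses constructed copies of the three files and reports UI parameters that are missing from either conf file; the action name `myaction` and the field `assignee` are made up for the illustration, and the `action.<action_name>.param.<name>` form-field naming is Splunk's convention for alert action HTML.

```python
import configparser
import re

# Constructed samples of the three files Splunk ES compares on adhoc invocation.
# The HTML form declares three params; only two are declared in conf and spec.
HTML = '''
<input type="text" name="action.myaction.param.severity" />
<select name="action.myaction.param.ticket_type"></select>
<input type="text" name="action.myaction.param.assignee" />
'''
CONF = '''
[myaction]
is_custom = 1
label = My Action
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count
param.severity = medium
param.ticket_type = alert
'''
SPEC = '''
[myaction]
param.severity = <string>
param.ticket_type = <string>
'''


def html_params(html, action):
    """Collect <name> from every form field named action.<action>.param.<name>."""
    pat = re.compile(r'name="action\.%s\.param\.([A-Za-z0-9_]+)"' % re.escape(action))
    return set(pat.findall(html))


def conf_params(text, action):
    """Collect the param.<name> keys declared under [<action>] in a conf or spec file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    if not cp.has_section(action):
        return set()
    return {k[len('param.'):] for k in cp[action] if k.startswith('param.')}


def missing_params(html, conf, spec, action):
    """Return (missing_in_conf, missing_in_spec): UI params the conf files don't declare."""
    ui = html_params(html, action)
    return ui - conf_params(conf, action), ui - conf_params(spec, action)


if __name__ == '__main__':
    # Prints ({'assignee'}, {'assignee'}): the field that triggers "Invalid parameter".
    print(missing_params(HTML, CONF, SPEC, 'myaction'))
```

Any name reported by `missing_params` needs a `param.<name>` line added to the stanza in both files before the adhoc action will be accepted.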

SplunkTrust

When we develop a TA using Add-on Builder and then update the alert actions, as part of packaging/merging, the Add-on Builder doesn't merge local/alert_actions.conf into default, causing this issue. Possibly it's a bug in Add-on Builder?


Splunk Employee

AoB will merge those, BTW - you need to export it as an SPL package, which is the last option in the project flow in AoB.


SplunkTrust

Kyle - I did validate the package, exported the .spl file and looked at the contents of alert_actions.conf, and it was different from the contents in the local folder. So, the merge didn't happen. I used AoB 2.2.0.


SplunkTrust

So, my invocation via correlation search worked, but not via adhoc means. After I merged them manually (as per the spec), both worked.


Builder

I'm not exactly sure what we're referring to with respect to "add-on builder doesn't merge the local/alert_actions.conf" to default. When you install the app, Splunk's API will dynamically layer local configurations onto the defaults, so while the best practice would be to ship everything in default, this should not be the source of your breakage.


SplunkTrust

Unfortunately, AoB didn't package them into default, overwriting the old version of alert_actions.conf.
