Splunk Enterprise Security

"Run Adaptive Response Action" is not listing all the alert actions in Splunk, although the options are available under "Adaptive Response Actions" when editing the correlation searches

dkolekar_splunk
Splunk Employee

Description:
1. I have installed TA-thehive & TA-PagerDuty on the Splunk ES search head.
2. While editing the correlation searches I am getting these apps' alert options under Adaptive Response Actions. But in the Incident Review panel, when I try to add a "Run Adaptive Response Action", I get only the default alert actions, not TheHive and PagerDuty.

Architecture: ES v 5.3.1 | Splunk v 7.3.1

Reproduction steps:
1. Install TA-thehive (https://splunkbase.splunk.com/app/4380/) & PagerDuty Addon (https://splunkbase.splunk.com/app/3742/) on the ES search head.
2. Edit the correlation search and check the Adaptive Response Actions; you will see TheHive & PagerDuty as alert actions.
3. Go to the Incident Review panel. Click "Action" in front of any notable and select "Run Adaptive Response Action". The TheHive and PagerDuty options are not available.

Note:
I suspect this issue might be related to App version compatibility. Meaning,

Splunk ES 5.3.1 is compatible with Splunk Versions: 7.3, 7.2, 7.1
PagerDuty Addon is compatible with Splunk Versions: 7.0, 6.6, 6.5, 6.4, 6.3
TA-thehive Addon is compatible with Splunk Versions: 7.2, 7.1, 7.0, 6.6

Screenshots:
1. While editing the correlation search: [screenshot]
2. Notable > Action: [screenshot]

Could you please confirm whether this is a default behavior? Or due to version compatibility?

0 Karma
1 Solution

dkolekar_splunk
Splunk Employee

"This is as designed" if you don't have param._cam defined for your alert action. Also, Incident Review requires that you have "supports_adhoc" set to true.

To Resolve:

$Splunk_Home/etc/apps/TA-thehive/default

[thehive_alert_create_alert]
# alert_actions.conf stanza as shipped in default/; note there is no param._cam key
is_custom = 1
label = create THEHIVE alert(s) (alert action)
description = Create alerts in theHive
icon_path = thehive_logo_small.png
payload_format = json
disabled = 0

Note that the action is named "thehive_alert_create_alert" and has no param._cam definition. I verified this does not show up on Incident Review.
Next, all I did was add a simple param._cam definition:

[thehive_alert_create_alert]
# same stanza plus the Common Action Model (CAM) metadata that Incident Review reads
is_custom = 1
label = create THEHIVE alert(s) (alert action)
description = Create alerts in theHive
icon_path = thehive_logo_small.png
payload_format = json
disabled = 0
param._cam = {"supports_adhoc": true}

Note: Make the changes in $Splunk_Home/etc/apps/app_name/local

0 Karma
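An added example, not part of the original post and not code from the TA-thehive or PagerDuty add-ons, that turns the answer above into a check an admin can run before opening Incident Review: it merges default/ and local/ alert_actions.conf the way Splunk layers them (local keys override default keys within the same stanza), then reports, per action, whether param._cam is present, parses as JSON, and carries "supports_adhoc": true. The stanza text is constructed sample input; apart from thehive_alert_create_alert, the stanza names are made up for the illustration and do not come from either add-on.

```python
"""Which alert actions will Incident Review offer under
"Run Adaptive Response Action"? Decide it from alert_actions.conf layers.

Added illustration for this thread, not shipped by Splunk ES, TA-thehive
or the PagerDuty add-on. All conf text below is constructed sample input.
"""
import json


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    '#' lines are comments; keys may contain dots (param._cam) and values
    keep their case, which a stock configparser would not preserve.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Later layers override earlier ones key by key, mirroring how Splunk
    resolves default/ and then local/ for the same stanza."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def adhoc_status(actions):
    """Map action name -> (shown_in_incident_review, reason)."""
    status = {}
    for name, keys in actions.items():
        if keys.get("disabled", "0") == "1":
            status[name] = (False, "disabled")
            continue
        cam = keys.get("param._cam")
        if cam is None:
            status[name] = (False, "no param._cam")
            continue
        try:
            cam_obj = json.loads(cam)  # param._cam must be a JSON object
        except ValueError:
            status[name] = (False, "param._cam is not valid JSON")
            continue
        if cam_obj.get("supports_adhoc") is True:
            status[name] = (True, "supports_adhoc true")
        else:
            status[name] = (False, "supports_adhoc missing or false")
    return status


# Constructed sample: default/ as shipped (no param._cam on the TheHive
# action), plus a made-up PagerDuty-style stanza and one with a typo'd
# CAM blob (unquoted key) to show the failure mode.
DEFAULT_CONF = """
[thehive_alert_create_alert]
is_custom = 1
label = create THEHIVE alert(s) (alert action)
payload_format = json
disabled = 0

[pagerduty_sample_action]
is_custom = 1
label = PagerDuty (sample name, constructed)
disabled = 0

[broken_cam_action]
is_custom = 1
param._cam = {supports_adhoc: true}
"""

# Constructed sample: the local/ override the answer describes.
LOCAL_CONF = """
[thehive_alert_create_alert]
param._cam = {"supports_adhoc": true}
"""


def incident_review_actions(default_text=DEFAULT_CONF, local_text=LOCAL_CONF):
    """Resolve the layers and classify every action."""
    merged = merge_layers(parse_conf(default_text), parse_conf(local_text))
    return adhoc_status(merged)


if __name__ == "__main__":
    for name, (shown, why) in sorted(incident_review_actions().items()):
        print(f"{'SHOWN ' if shown else 'HIDDEN'} {name}: {why}")
```

Point the two text arguments at the real default/alert_actions.conf and local/alert_actions.conf of each add-on on the search head; an action reported HIDDEN with "no param._cam" is exactly the case in this thread, and "not valid JSON" catches the quieter mistake of a hand-typed param._cam that Splunk will not honour.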