Splunk Enterprise Security

Why aren't Enterprise Security Webhooks and PagerDuty in the dropdown in ES Adaptive Response?

tonymorin
Explorer

Not sure why I see all my alert options in Search and Reporting, but when I look in Enterprise Security, webhooks and PagerDuty are not in the drop-down. I have checked the action permissions and they are global, and I am 100% admin of the system. Not sure if it's ES or what... I feel like I should see at least the webhooks option in ES? Thanks in advance.

1 Solution

tonymorin
Explorer

Found the answer, for ES at least.
Found the fix. We had to add PagerDuty to the app imports update with the following string:
([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)|(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)|(utbox)|(pagerduty_incidents)
Now it's an alert option in ES as well and works, FYI.

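An added check, not code from this thread: it applies the app-import regex to a constructed list of app directory names to show which apps ES will import, why `pagerduty_incidents` (and the core `alert_webhook` app) fall outside the stock pattern, and what happens if the `.*` quantifiers are lost when the string is copied. The stock ES pattern and whole-name matching are assumptions.

```python
import re

# Stock ES app-import pattern (assumed) and the amended one from the answer above.
DEFAULT_APP_REGEX = r"([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)"
FIXED_APP_REGEX = (
    r"([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)"
    r"|(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)"
    r"|(utbox)|(pagerduty_incidents)"
)
# The same string with the '*' quantifiers dropped, as happens when a forum
# renderer eats them as italics markers.
DAMAGED_APP_REGEX = r"([DST]A-.)|(Splunk_[DST]A_.)|(SplunkEnterpriseSecuritySuite)"

# Constructed list of directories under $SPLUNK_HOME/etc/apps (hypothetical host).
INSTALLED_APPS = [
    "SplunkEnterpriseSecuritySuite", "SA-Utils", "DA-ESS-NetworkProtection",
    "TA-slack_alerts", "Splunk_TA_windows", "pagerduty_incidents",
    "alert_webhook", "search",
]


def imported_apps(app_regex, apps):
    """Apps whose whole name matches app_regex (whole-name match is assumed here)."""
    pattern = re.compile(app_regex)
    return [app for app in apps if pattern.fullmatch(app)]


def missing_imports(app_regex, wanted, apps):
    """Apps you expect ES to see that the regex does not import: what to append."""
    imported = set(imported_apps(app_regex, apps))
    return [app for app in wanted if app in apps and app not in imported]


if __name__ == "__main__":
    print("stock:  ", imported_apps(DEFAULT_APP_REGEX, INSTALLED_APPS))
    print("fixed:  ", imported_apps(FIXED_APP_REGEX, INSTALLED_APPS))
    print("damaged:", imported_apps(DAMAGED_APP_REGEX, INSTALLED_APPS))
    print("still missing after fix:",
          missing_imports(FIXED_APP_REGEX, ["pagerduty_incidents", "alert_webhook"],
                          INSTALLED_APPS))
```

The damaged pattern imports none of the `SA-`/`DA-`/`TA-` apps, so verify the asterisks survived the copy before restarting ES.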


zschmerber
Explorer

Where is the "app imports update"? Is that a .conf or .py file somewhere in Splunk or the TA?

I want to know where to paste the string:

([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)|(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)|(utbox)|(pagerduty_incidents)

Thanks for your help.


fandharper
Engager

I had the same issue. Here's what I did to make it work:

  1. Changed the name of the app to TA-slack_alerts (probably not necessary)
  2. Added empty tags.conf and eventtypes.conf files to TA-slack_alerts/default
  3. Modified slack.html to use an input instead of a text area, because I was getting an error stating that there was no message specified even though there was. This was in TA-slack_alerts/default/data/ui/alerts

Now it shows up and I'm successfully able to have it send me alerts when my correlation searches fire.

Hope this helps,

-Dan

starcher
Influencer

The slack app was updated this week to use the naming convention TA- and AR support.


starcher
Influencer

Just because something is coded as an alert action does not mean the developer made them into ES compatible Adaptive Responses. There is extra setup for that. My expectation is those are not built to be explicitly adaptive responses for ES.

kchamplin_splun
Splunk Employee

@Starcher is correct - the ES import fix will allow it to show up as an alert option in the correlation search builder, but there's underlying functionality that will not work (such as UI updates, etc.). There's a canonical example of how to implement an AR action:
http://dev.splunk.com/view/enterprise-security/SP-CAAAFBH

Note that eventtypes and tags are an important part of making the drilldown capability work, and you also need to implement the action as a subclass of ModularAction, so that things like the logging format and other class methods (addevent and writeevents) are used.
