Splunk Enterprise Security

Why does the alert action I created with Add-on builder fire in Test, but not as an alert action for a Correlation Search?

shartwell
Explorer

I created an alert action using the latest version of Add-on Builder (v2.2) using some other Splunk answers posts as a reference. When testing the alert action in Add-on Builder it works and calls the executable correctly, sending an event to a ticketing system. When I attempt to use the same code as an alert action for a Correlation Search, it fails. Here's the code from modalert_sendevent_helper.py:

# encoding = utf-8

import subprocess


def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    title = helper.get_param("title")
    helper.log_info("title={}".format(title))

    hostname = helper.get_param("hostname")
    helper.log_info("hostname={}".format(hostname))

    severity = helper.get_param("severity")
    helper.log_info("severity={}".format(severity))

    sid = helper.get_param("sid")
    helper.log_info("sid={}".format(sid))

    message = helper.get_param("message")
    helper.log_info("message={}".format(message))


    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """

    helper.log_info("Alert action sendevent started.")

    # Remove characters that will break SendEvent syntax.
    # get_param() returns None for an unset parameter, so default to ""
    # instead of raising AttributeError on .replace().
    def clean(name):
        return (helper.get_param(name) or "").replace('"', '').replace("'", '')

    title = clean("title")
    message = clean("message")
    hostname = clean("hostname")
    severity = clean("severity")
    sid = clean("sid")

    # Build the SendEvent invocation as an argument list rather than a single
    # shell string. Each option and value is its own argv element, so shell
    # metacharacters in alert fields (; | & $( `) are never interpreted and
    # no quoting of the values is needed.
    argv = [
        "/opt/splunk/etc/apps/TA-sendevent/bin/SendEvent", "send",
        "-q", "SplunkES",
        "-a", title,
        "-n", hostname,
        "-p", "PROFILE",
        "-s", severity,
        "-k", sid,
        "-c", "SERVER",
        "-m", message,
    ]
    helper.log_info("Running SendEvent: {}".format(argv))

    # Popen instead of os.system(): no shell is involved, and the exit status
    # and stderr are captured so a failed SendEvent call is visible in the
    # sendmodalert log instead of being silently reported as success.
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()
    if proc.returncode != 0:
        helper.log_error("SendEvent exited {}: {}".format(
            proc.returncode, err.decode("utf-8", "replace")))
        return proc.returncode

    helper.log_info("SendEvent succeeded: {}".format(out.decode("utf-8", "replace")))
    return 0

My alert_actions.conf file is below:

[sendevent]
is_custom = 1
description = Send a ticket
payload_format = json
icon_path = alert_sendevent.png
param._cam = {"task": ["create"], "subject": ["splunk.event"], "category": ["Information Conveyance"], "technology": [{"version": ["1.0"], "product": "Splunk Enterprise", "vendor": "Splunk"}]}
label = SendEvent

param.message  =
param.hostname = 
param.sid      =
param.severity = 
param.title    =

I can see my successful attempts in Add-on Builder in the Splunk logs (sendmodalert), but not sure what I'm missing outside of test.
Do I need to specify a command parameter in my alert_actions.conf file above (i.e. command = sendalert sendevent.py)?
I've tried several methods of triggering it in the alert_actions.conf file using command option, but none have worked so far.
Any help is much appreciated.

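The posted helper strips quote characters from the alert fields and then interpolates them into one `os.system()` string. As an added example (not code from the post or from Add-on Builder), the block below shows why quote stripping is not a sufficient defence: a message containing `;`, `|`, `$(...)` or backticks still reaches the shell unquoted, whereas handing the same values to `subprocess` as an argv list with no shell delivers them verbatim. The `SendEvent` path and option letters are taken from the post; the alert field values are constructed sample data, and the child process is the Python interpreter echoing its own argv as a stand-in for the real `SendEvent` binary.

```python
import json
import subprocess
import sys

# Constructed sample alert fields (placeholders, not real ticket data).
# The message deliberately carries shell metacharacters that survive quote stripping.
SAMPLE_FIELDS = {
    "title": "Suspicious login on 'db01'",
    "hostname": "db01",
    "severity": "high",
    "sid": "scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5c0ffee_at_1700000000_123",
    "message": "User \"bob\" failed; $(id) `whoami` | tee /tmp/x",
}

SENDEVENT = "/opt/splunk/etc/apps/TA-sendevent/bin/SendEvent"

# Shell metacharacters that the post's sanitiser never touches.
SHELL_METACHARS = (";", "|", "&", "$(", "`", "\n")


def strip_quotes(value):
    """The post's sanitiser: removes only double and single quotes, nothing else."""
    return (value or "").replace('"', "").replace("'", "")


def build_shell_command(fields, sendevent=SENDEVENT):
    """The post's pattern: one string destined for os.system(). Shown for comparison only."""
    f = {k: strip_quotes(v) for k, v in fields.items()}
    return "%s send -q SplunkES -a '%s' -n '%s' -p PROFILE -s '%s' -k '%s' -c SERVER -m '%s'" % (
        sendevent, f["title"], f["hostname"], f["severity"], f["sid"], f["message"])


def leftover_metachars(command):
    """Metacharacters still present in the assembled shell string, in SHELL_METACHARS order."""
    return [m for m in SHELL_METACHARS if m in command]


def build_argv(fields, sendevent=SENDEVENT):
    """Hardened form: every option and value is a separate argv element; no shell is involved."""
    return [
        sendevent, "send",
        "-q", "SplunkES",
        "-a", fields.get("title") or "",
        "-n", fields.get("hostname") or "",
        "-p", "PROFILE",
        "-s", fields.get("severity") or "",
        "-k", fields.get("sid") or "",
        "-c", "SERVER",
        "-m", fields.get("message") or "",
    ]


# Stand-in for the SendEvent binary: a Python child that prints the argv it received as JSON.
ECHO_ARGV = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]


def run_without_shell(argv):
    """Execute argv[1:] against the stand-in binary and return the argument list the child saw."""
    proc = subprocess.run(ECHO_ARGV + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    cmd = build_shell_command(SAMPLE_FIELDS)
    print("shell string handed to os.system():", cmd)
    print("metacharacters the shell would still interpret:", leftover_metachars(cmd))
    print("argv as seen by the child with no shell:", run_without_shell(build_argv(SAMPLE_FIELDS)))
```

Run it and compare the two outputs: the shell string still contains `;`, `|`, `$(` and a backtick after quote stripping, so a shell would run `id`, `whoami` and `tee` as separate commands; the argv version delivers the whole message as the single value following `-m`, exactly as typed. Empty or unset fields are passed as an empty argument rather than dropped, so option positions never shift.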