Splunk Enterprise Security

adaptive response action handling multiple results

A question about "Example adaptive response action" given in dev.splunk.com/view/enterprise-security/SP-CAAAFBH.

How does it handle more than one result?

When this adaptive response action (ARA) is added to (handling) a correlation search, users can put in mappings. For example, a user can enter

    description: $result.user$

Then result.user will be mapped to the configuration of this ARA. For example, if result.user is "user1", then in the dowork method of the ARA, if we look at self.configuration["description"], we will get "user1". This is good.

However, what happens if the ARA needs to handle more than one result? For example, the first result has result.user="user1" and the second result has result.user="user2". Now self.configuration["description"] in the dowork method always shows "user2". This mapping is only good for the second result.

How shall we handle the first result then? We don't have the mapping information (description:$result.user$) entered by the user. The self.configuration contains the already substituted/mapped configuration for the second result. How can we figure out that description for the first result shall be "user1" here then?

Thank you very much for your help.

0 Karma


You should handle multiple results within your AR code. You will have the easiest time if you use the Add-on Builder to make your AR.

0 Karma
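The "last result wins" behaviour described in the question, and the per-result handling the answer recommends, side by side as an added example (not code from the dev.splunk.com page or from Splunk). It assumes the action can get hold of the raw, unsubstituted mapping text (here a constructed `RAW_PARAMS` dict with a hypothetical `$result.src$` token) and stands in for the gzipped results file with an embedded CSV; no Splunk libraries are used, so it runs offline.

```python
import csv
import io
import re

# Constructed sample of the rows a correlation search hands to the action.
# A real action reads these from its gzipped results CSV; the shape is the same.
RESULTS_CSV = """user,src,count
user1,10.0.0.5,3
user2,10.0.0.9,7
"""

# Constructed, hypothetical raw mapping as a user would type it in the
# correlation search editor, before any $result.<field>$ substitution.
RAW_PARAMS = {
    "description": "Suspicious activity for $result.user$ from $result.src$",
    "severity": "medium",
}

# Matches $result.<field>$ tokens; the field name is captured in group 1.
TOKEN = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def read_results(text):
    """Parse the results CSV into one dict per row (per search result)."""
    return list(csv.DictReader(io.StringIO(text)))


def substitute(params, result):
    """Expand every $result.<field>$ token using exactly ONE result row.
    Unknown fields expand to an empty string rather than leaking the token."""
    return {k: TOKEN.sub(lambda m: result.get(m.group(1), ""), v)
            for k, v in params.items()}


def naive_last_wins(params, results):
    """The behaviour the question observes: one substituted configuration is
    built after the last row, so every result sees the last row's values."""
    config = dict(params)
    for row in results:
        config = substitute(params, row)
    return [config for _ in results]


def per_result(params, results):
    """What dowork() should do: re-expand the raw template for each row."""
    return [substitute(params, row) for row in results]
```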