Splunk Enterprise Security

adaptive response action handling multiple results

Path Finder

Hello,

A question about "Example adaptive response action" given in dev.splunk.com/view/enterprise-security/SP-CAAAFBH.

How does it handle more than one result?

When this adaptive response action (ARA) is added to a correlation search, users can put in mappings. For example, a user can enter
description: $result.user$

Then result.user will be mapped to the configuration of this ARA. For example, if result.user is "user1", then in the dowork method of the ARA, if we look at self.configuration["description"], we will get "user1". This is good.

However, what happens if the ARA needs to handle more than one result? For example, the first result has result.user="user1" and the second result has result.user="user2". Now self.configuration["description"] in the dowork method always shows "user2". This mapping is only good for the second result.

How shall we handle the first result then? We don't have the mapping information (description:$result.user$) entered by the user. The self.configuration contains the already substituted/mapped configuration for the second result. How can we figure out that description for the first result shall be "user1" here then?

Thank you very much for your help.

0 Karma

SplunkTrust

You should handle multiple results within your AR code. You will have easiest time if you use the Add On Builder to make your AR.
http://www.georgestarcher.com/splunk-slides-addon-builder-and-alert-actions/

0 Karma
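An added example (not code from the thread, Splunk, or the Add-on Builder) of the pattern the answer points at: handle every result inside the action script rather than relying on the single substituted value in self.configuration. It assumes the standard custom alert action contract, where Splunk runs the script with --execute and writes a JSON payload to stdin whose "results_file" key names a gzipped CSV of all results and whose "configuration" key holds the parameters with $result.<field>$ tokens already substituted. The raw template text (e.g. description: $result.user$) is passed in as a separate `templates` argument; how the action obtains it (for instance from the saved search's action.<name>.param.* settings) is an assumption this thread does not cover. The two-row results file and the payload are constructed sample data.

```python
import csv
import gzip
import json
import os
import re
import sys
import tempfile

# Matches $result.<field>$ tokens as typed into the correlation search's
# adaptive response parameters (e.g. description: $result.user$).
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_:.]+)\$")


def render_template(template, row):
    """Substitute every $result.<field>$ token in `template` from one result row.
    A field missing from the row renders as an empty string (assumption)."""
    return TOKEN_RE.sub(lambda m: row.get(m.group(1), ""), template)


def iter_results(results_file):
    """Yield each row of the gzipped results CSV Splunk hands to the action.
    Splunk passes the path in the payload's "results_file" key; a running
    "rid" is added so per-result work can be tracked."""
    with gzip.open(results_file, "rt", newline="") as fh:
        for num, row in enumerate(csv.DictReader(fh)):
            row.setdefault("rid", str(num))
            yield row


def per_result_configuration(payload, templates):
    """Return a list of (rid, config) pairs, one per result.

    payload["configuration"] is what the question describes: tokens already
    substituted, so it reflects only one result. `templates` holds the raw
    parameter text the user typed ({"description": "$result.user$"}); it is
    assumed to be fetched by the action out of band. Parameters without a
    template keep the substituted value from the payload."""
    base = dict(payload.get("configuration", {}))
    configs = []
    for row in iter_results(payload["results_file"]):
        config = dict(base)
        for key, template in templates.items():
            config[key] = render_template(template, row)
        configs.append((row["rid"], config))
    return configs


def do_work(payload, templates):
    """Process every result, not just the one mirrored in self.configuration."""
    handled = []
    for rid, config in per_result_configuration(payload, templates):
        # Real action logic (ticket, notable event, lookup update, ...) goes here.
        handled.append((rid, config["description"]))
    return handled


def make_sample_payload(tmpdir):
    """Constructed sample: two result rows and a payload whose substituted
    configuration only carries the second result's user, as in the question."""
    results_file = os.path.join(tmpdir, "results.csv.gz")
    with gzip.open(results_file, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["_time", "user", "src"])
        writer.writeheader()
        writer.writerow({"_time": "1612137600", "user": "user1", "src": "10.0.0.1"})
        writer.writerow({"_time": "1612137660", "user": "user2", "src": "10.0.0.2"})
    return {
        "results_file": results_file,
        "search_name": "Constructed - Multiple Results",
        "configuration": {"description": "user2", "severity": "high"},
    }


def run_sample():
    """Build the constructed payload and return the per-result descriptions."""
    payload = make_sample_payload(tempfile.mkdtemp())
    return do_work(payload, {"description": "$result.user$"})


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        # Under Splunk the payload arrives on stdin; the template source is assumed.
        payload = json.loads(sys.stdin.read())
        results = do_work(payload, {"description": "$result.user$"})
    else:
        results = run_sample()
    for rid, description in results:
        print("rid=%s description=%s" % (rid, description))
```

Run stand-alone the script prints one line per result ("rid=0 description=user1", "rid=1 description=user2"), which is the per-result mapping the question could not recover from self.configuration alone. If the action only needs the raw field rather than a rendered template, reading row["user"] directly inside the loop avoids the template lookup entirely.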