Splunk Enterprise Security

modular_actions_invocations macro

btanjialih
Explorer

Hi all,

Does anyone have any knowledge or understanding with the macro "modular_actions_invocations(2)"? This is a macro found in the Splunk_SA_CIM and it was found that it will be executed whenever a user change a status of a notable events in the incident review page.

It would be nice if there's more information on this macro as it seems to be running in the background for a long time whenever it is trigger in one of our clients environment.

Regards,
Benjamin

0 Karma

kchamplin_splun
Splunk Employee
Splunk Employee

Hey Benjamin,
I believe this macro is what populates the "Adaptive Responses" area of a Notable event when you expand it in incident review. It should be a fairly fast/narrow search and should only be invoked when you expand a particular notable in incident review.

For reference, here's the macro defintion:

tstats allow_old_summaries=true latest(Modular_Actions.action_status) as action_status from datamodel=Splunk_Audit.Modular_Actions where Modular_Actions.action_name!="unknown" (Modular_Actions.sid=$sid$ Modular_Actions.rid=$rid$) OR (Modular_Actions.orig_sid=$sid$ Modular_Actions.orig_rid=$rid$) by _time,nodename,Modular_Actions.action_name,Modular_Actions.sid,Modular_Actions.rid,Modular_Actions.action_mode,Modular_Actions.user span=1s | `drop_dm_object_name("Modular_Actions")` | eventstats latest(action_status) as action_status by action_name,sid,rid | search nodename="Modular_Actions.Modular_Action_Invocations" | sort 0 -_time | join type=outer action_name [| rest splunk_server=local count=0 /services/alerts/alert_actions | spath input=param._cam path=drilldown_uri output=action_drilldown_uri | rename title as action_name,label as action_label | fields action_name,action_label,action_drilldown_uri] | eval action_label=if(isnotnull(action_label),action_label,action_name),epoch_time=_time | fields _time,epoch_time,action_status,action_name,action_label,action_mode,action_drilldown_uri,sid,rid,user

btanjialih
Explorer

Hi kchamplin,

Thanks for the explanation! Is there an official documentation on this from Splunk? It would be great to learn more about this!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...