Splunk ITSI

Custom Alert Action in ITSI

bstimely
New Member

I created a custom alert action in Splunk Enterprise. When I try to use that action in ITSI for a correlated search, I don't see it as an option. How do I utilize my customer alert action inside ITSI?

Labels (2)
0 Karma

cdemir
Explorer

Using custom alert actions in ITSI is a little different than in ES. If you wish to use a custom alert action for an event generated by a correlation search, you have to set it up as an action rule on an aggregation policy. You also have to configure the custom alert action in a conf file to be selectable as an action against an event. Parameters to invoke the action are configured as part of the policy.

There’s not a whole lot of documentation on this, but there is some to help you get started on docs.

Edit*** I would also like to add that you could technically just use your custom alert action from ES on ITSI events and episodes. Episode information is indexed in itsi_grouped_alerts and notable events are indexed in itsi_tracked_alerts. If the SHC with itsi installed is running from the same indexer cluster as your deployment of ES, you can search the itsi internal indexes from ES as well.

0 Karma

bstimely
New Member

I used this as a reference. I have it running OK in Enterprise. I just want to reuse the action from ITSI.
https://docs.splunk.com/Documentation/Splunk/8.0.2/AdvancedDev/ModAlertsIntro

0 Karma

bstimely
New Member

Yes, it is.

0 Karma

darrenfuller
Contributor

Is the new alert action a modular alert?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...