I am currently in the process of building out a custom application which will include an adaptive response action that uses a Python script to update a system's group based on events that come into our incident review page. I have all of the logic working (a correlation search identifies an event and creates a notable; from there I can select the AR action, input this system's GUID into the text box and it will go from there).

My issue is that I cannot get the correct configuration to have this field prepopulated when the menu is brought up based on the event in the notable. The configuration files I believe need to be updated are the alert_actions.conf, alert_actions.conf.spec, savedsearches.conf.spec, and <alert_action_name>.html files.

I have found some similar posts about this, but nothing that gives details about the syntax needed for each file:

https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-the-service-now-integration-work-as-an-ad-hoc-adaptive/m-p/437270
https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Is-it-possible-to-prepopulate/m-p/251952

In my various config files I have the following lines:

alert_actions.conf:
param.hostname = $result.hostname$
param.connector_guid =$result.connector_guid$

alert_actions.conf.spec:
param.hostname = <string>
param.cguid = <string>

savedsearches.conf.spec:
param.hostname = <string>
param.cguid = <string>

<alert_action_name>.html:
<form class="form-horizontal form-complex">
<div class="control-group">
<label class="control-label" for="custom_app_hostname">Hostname <span class="required">*</span> </label>
<div class="controls">
<input type="text" name="action.custom_app.param.hostname" value="$hostname$" id="custom_app_hostname"/>
<span class="help-block">Verify this is the correct hostname, if not then input from the alert.</span>
</div>
</div>
<div class="control-group">
<label class="control-label" for="custom_app_cguid">Connector GUID <span class="required">*</span> </label>
<div class="controls">
<input type="text" name="action.custom_app.param.connector_guid" value="$connector_guid$" id="custom_app_cguid"/>
</div>
</div>
</form>

Below is the screenshot of the menu I am referring to needing to be prepopulated:
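A consistency check over the parameter names quoted in the post, as an added example (not the poster's code and not part of Splunk): it collects the `param.*` keys from the .conf/.spec lines and the `action.custom_app.param.*` input names from the form, then reports any name that one of the sources lacks. The sample text is constructed from the post's own lines, and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
# Constructed from the lines quoted in the post; the post quotes the same two
# lines for both .spec files. The action name "custom_app" comes from the form.
ALERT_ACTIONS_CONF = """param.hostname = $result.hostname$
param.connector_guid =$result.connector_guid$
"""
SPEC = """param.hostname = <string>
param.cguid = <string>
"""
FORM_HTML = """<input type="text" name="action.custom_app.param.hostname" value="$hostname$"/>
<input type="text" name="action.custom_app.param.connector_guid" value="$connector_guid$"/>
"""
PARAM_KEY = re.compile(r"^\s*param\.(\w+)\s*=", re.MULTILINE)

def conf_params(text):
    """Names declared as param.<name> in .conf or .spec text."""
    return set(PARAM_KEY.findall(text))

class _InputNames(HTMLParser):
    def __init__(self, action):
        super().__init__()
        self.prefix, self.names = f"action.{action}.param.", set()
    def handle_starttag(self, tag, attrs):  # also called for <input .../>
        name = dict(attrs).get("name") or ""
        if tag == "input" and name.startswith(self.prefix):
            self.names.add(name[len(self.prefix):])

def form_params(html, action):
    """Parameter names bound by the form's action.<action>.param.* inputs."""
    parser = _InputNames(action)
    parser.feed(html)
    return parser.names

def mismatches(sources):
    """Map each parameter name to the sorted list of sources that lack it."""
    every = set().union(*sources.values())
    gaps = {n: sorted(s for s, have in sources.items() if n not in have) for n in every}
    return {n: missing for n, missing in sorted(gaps.items()) if missing}

def check_post_config():
    spec = conf_params(SPEC)
    return mismatches({"alert_actions.conf": conf_params(ALERT_ACTIONS_CONF),
                       "alert_actions.conf.spec": spec, "savedsearches.conf.spec": spec,
                       "html form": form_params(FORM_HTML, "custom_app")})

if __name__ == "__main__":
    for name, missing in check_post_config().items():
        print(f"param.{name} is absent from: {', '.join(missing)}")
```

The check only compares names across the quoted files; it does not show whether the mismatch it reports is related to the prepopulation behaviour asked about.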