TA-threatconnect invalid keys in in alert_actions.conf; Splunk ES Adaptive Response Actions menu malfunction


How can we resolve some errors when restarting splunkd on our Splunk ES search-head?:
Invalid key in stanza [sendtoplaybook] in /opt/splunk/etc/apps/TA-threatconnect/default/alert_actions.conf, line 6: param.playbook_endpoint (value: ).
Invalid key in stanza [sendtoplaybook] in /opt/splunk/etc/apps/TA-threatconnect/default/alert_actions.conf, line 7: param.fields (value: ).
Value in stanza [sourcetype=sendtoplaybook:results] in /opt/splunk/etc/apps/TA-threatconnect/default/tags.conf, line 1 not URL encoded: sourcetype = sendtoplaybook:results

TA-threatconnect/default/alert_actions.conf is causing the Adaptive Response Actions menu to malfunction on our Splunk ES search-head.
To recreate: Open Enterprise Security -> Configure -> Content Management -> Select a Correlation Search to Edit -> Scroll to bottom of page.
Issues: Under "Adaptive Response Actions", selections "Risk Analysis" and "Notable" are missing. Selecting "+ Add New Response Action" opens an empty selection menu.

Removing TA-threatconnect/default/alert_actions.conf mitigates the splunk startup errors and the Adaptive Response Actions menu malfunction.

Any suggestions and/or fixes are welcome.

It looks like those errors/warning messages are related to missing .spec files. Do you have any .spec files in the /opt/splunk/etc/apps/TA-threatconnect/README/ directory?

I don't have any clue why it is causing Menu malfunction when trying to select other Adaptive Response actions.

This issue with the invalid key warning on startup was addressed by adding the appropriate spec files in the latest release of the App (version 3.1.4). An upgrade of the App should remove these warnings.

The missing menu items would require some more research. Is the same issue observed when using the ad-hoc AR actions?

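The startup warnings above come from splunkd finding keys in alert_actions.conf that no README/*.conf.spec declares. The following is an added example (not part of TA-threatconnect or the original thread) that reproduces that check offline so an app can be validated before deployment; it assumes the usual Splunk rule that a key is valid when the spec declares it under the same stanza, under [default], or under a wildcard stanza such as [<stanza name>], and the sample conf/spec bodies are constructed with placeholder values.

```python
"""Flag keys in a Splunk .conf that its README .conf.spec does not declare."""
import re
from collections import defaultdict

STANZA_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
# Skip comments (#, ;) and spec description lines (*); capture the key before '='.
KEY_RE = re.compile(r"^\s*([^#;=*\s][^=]*?)\s*=")


def parse_conf(text):
    """Return {stanza: {key, ...}}; keys before any header belong to [default]."""
    stanzas = defaultdict(set)
    current = "default"
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            _ = stanzas[current]  # record stanza even if it has no keys
            continue
        m = KEY_RE.match(line)
        if m:
            stanzas[current].add(m.group(1))
    return stanzas


def undeclared_keys(conf_text, spec_text):
    """Return sorted [(stanza, key)] that splunkd would report as 'Invalid key'."""
    conf, spec = parse_conf(conf_text), parse_conf(spec_text)
    # Assumed rule: [<...>] spec stanzas and [default] apply to every conf stanza.
    wildcard = set()
    for name, keys in spec.items():
        if name.startswith("<") and name.endswith(">"):
            wildcard |= keys
    allowed_everywhere = spec.get("default", set()) | wildcard
    problems = []
    for stanza, keys in conf.items():
        allowed = allowed_everywhere | spec.get(stanza, set())
        problems += [(stanza, k) for k in sorted(keys) if k not in allowed]
    return problems


# Constructed sample modelled on the thread's stanza; values are placeholders.
CONF = """[sendtoplaybook]
is_custom = 1
label = Send to Playbook
param.playbook_endpoint = <placeholder endpoint>
param.fields = <placeholder fields>
"""
# Spec lacking the param.* declarations (warnings) vs. spec declaring them (clean).
SPEC_MISSING_PARAMS = "[<stanza name>]\nis_custom = <bool>\nlabel = <string>\n"
SPEC_COMPLETE = SPEC_MISSING_PARAMS + (
    "param.playbook_endpoint = <string>\nparam.fields = <comma-separated list>\n")
```

Running `undeclared_keys(CONF, SPEC_MISSING_PARAMS)` lists the two param.* keys from the warning messages; with `SPEC_COMPLETE` it returns an empty list.
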
Thanks for the prompt response. I see that 3.1.4 was released today. I installed it and observed no errors with alert_actions.conf upon deployment. FWIW, I see this message in splunkd.log:

03-27-2019 16:09:49.509 -0400 INFO DeployedApplication - Installing app=TA-threatconnect to='/opt/splunk/etc/apps/TA-threatconnect'
03-27-2019 16:09:49.579 -0400 ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/TA-threatconnect/metadata/default.meta: No such file or directory
03-27-2019 16:09:49.956 -0400 INFO ApplicationManager - Detected app modification: TA-threatconnect

However, the file default/data/ui/alerts/sendtoplaybook.html is still causing issues with the AR actions part of the Edit Correlation Search panel. When default/data/ui/alerts/sendtoplaybook.html is removed, AR actions selection operates normally.

> Is the same issue observed when using the ad-hoc AR actions?
Forgive me - I'm not familiar with the ES terminology yet.

When sendtoplaybook.html is in place, the "Add New Response Action" selection appears, but selecting/expanding it results in an empty selection list. i.e., this list of actions does not appear:
Send email
Run a script
Stream Capture
Create Splunk messages
Add Threat Intelligence

In addition, the "Risk Analysis" and "Notable" selections do not appear, so they cannot be selected to open up the respective configuration sub-menus.

Does this answer the question about "ad-hoc AR actions"?

After updating to the latest Splunk and ES we see the same issue. We will release a 3.1.5 version to address the issue.

I just installed the 3.1.5 version and verified that the previously observed issue with Splunk ES Adaptive Response Actions is resolved. Thank you for the prompt response to our request for help!
