Splunk Enterprise Security

How can I Pass/access Notable Event fields to Adaptive Response python script?

dant98
Engager

I've created a correlation search that generates Notable events and I have a few fields that are extracted and displayed as additional fields in Incident Review.

I've used Add-On builder to create an adaptive response action for these notable event types. How can I get the values of fields in the notable event within the Adaptive Response python code? The analyst shouldn't have to copy and paste these by hand into input fields.

0 Karma

ro_mc
Path Finder

If you're referring to the adaptive response in the correlation search itself, as opposed to the contextual dropdown in the additional fields, you could try using a sequence template to pass relevant fields like event_id from the original correlation search into a subsequent correlation search, and then trigger the response from there.

Is there a specific reason you want this to be implemented in Python code rather than a GUI-driven workflow?

NB: This solution is untested, so please let us know whether this works for you.

0 Karma

MaverickT
Communicator

I've managed to get the Notable event_id for an adaptive response action. There are a couple of things I figured out during the whole process. Sometimes the "notable event" response action is run before the custom action. You have to make sure that your action is run after the Notable event. How do you do it? I managed it by adding "x" in front of my custom response action.

Secondly, the event_id is not populated if the adaptive action is run automatically. It's time to dive in and get the event_id from the index, based on the search id.

Here is my code, which checks whether network ports are open on the target device and writes the information into the KV store:

# encoding = utf-8
import socket
import json
import splunklib.client
import splunklib.results as results


def scanner(target, port):
    """Return True if a TCP connection to target:port succeeds within 1 second."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)

    try:
        sock.connect((target, port))
        sock.shutdown(socket.SHUT_RDWR)
        return True
    except socket.error:
        # refused, timed out or unresolvable: treat the port as closed
        return False
    finally:
        sock.close()


def process_event(helper, *args, **kwargs):

    helper.log_info("Alert action x_scan_device_open_ports started.")

    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8000, 8080, 8089, 9997]

    # name of the result field that holds the host to check (set in the action's UI)
    scan_target_event_field = helper.get_param("scan_target_event_field")
    splunkservice = splunklib.client.connect(host='localhost', port=8089, token=helper.session_key, owner="nobody")
    kvstoreCollection = splunkservice.kvstore["adaptive_response_enrichment"]

    # helper.get_events() yields one dict per result row of the correlation search
    events = helper.get_events()
    for event in events:

        scan_host = event.get(str(scan_target_event_field))
        if not scan_host:
            helper.log_info("Field " + str(scan_target_event_field) + " missing from result row, skipping.")
            continue
        # only present if the "notable" response action already ran for this row
        event_id = event.get("event_id")

        portscan = ""

        for portNumber in ports:
            if scanner(scan_host, portNumber):
                portscan += "[*] Port " + str(portNumber) + "/tcp is open\n"

        if portscan:
            jobs = splunkservice.jobs
            if event_id is None or len(event_id) < 10:
                # fall back to the notable index: find the notable created by this
                # search id (sid) via the modular action log, then derive its event_id
                helper.log_info("Event_id not in search data, time to find it in splunk index")
                kwargs_blockingsearch = {"earliest_time": "-1h",
                                         "latest_time": "now"}
                search_query = "SEARCH index=notable [SEARCH index=cim_modactions sid=\"" + helper.sid + "\" action_name=\"notable\" action_status=success | head 1 | rename sid as orig_sid | table orig_sid] | eval `get_event_id_meval` | table event_id"
                search_results = jobs.oneshot(search_query, **kwargs_blockingsearch)
                reader = results.ResultsReader(search_results)
                for item in reader:
                    # the reader also yields Message objects; only result rows carry event_id
                    if isinstance(item, dict):
                        event_id = item["event_id"]
                helper.log_info("Assigned event_id: " + str(event_id))

            kvstoreCollection.data.insert(json.dumps({"event_id": event_id, "enrichment_data": portscan}))
        helper.log_info("Portscan result: " + portscan)

    helper.log_info("Alert action x_scan_device_open_ports finished.")
    return 0

Stjubit
Explorer

This does not quite work for me. I have the exact same issue: I want to get the event_id of the notable when the adaptive response action was triggered by a correlation search.

I tested the code you provided, but the event is not yet in the notable index when the search is running. These are the relevant parts of the code:

import splunklib.results as results


def search_event_in_index(helper, splunklibClient):
    """Search the notable index and log every row that comes back."""
    jobs = splunklibClient.jobs
    oneshot_params = {
        "earliest_time": "-1h",
        "latest_time": "now"
    }

    search_query = "SEARCH `notable` | eval `get_event_id_meval` | table event_id, _time, test"
    search_results = jobs.oneshot(search_query, **oneshot_params)
    reader = results.ResultsReader(search_results)

    for item in reader:
        helper.log_debug("ehm wtf: {}".format(item))


# inside the loop over helper.get_events(): fall back to the index when the row has no event_id
if "event_id" not in event:
    search_event_in_index(helper, splunklibClient)

I can see all events except the notable event that triggered the adaptive response action.

I don't know how I should solve this... Any help greatly appreciated!

~ Julian

0 Karma

lakshman239
SplunkTrust

Thx @MaverickT. The only addition I would make is to use the sid and rid to get to the correct event_id, as if the correlation search returns more than one result, we will get multiple event_ids. So, using rid will help us get the single event_id.

# `notable` is the ES macro for the notable index (it already computes event_id)
search_query = "SEARCH `notable` | search orig_sid=\"" + helper.sid + "\" AND orig_rid=\"" + helper.rid + "\" | table event_id"
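An added example, not code from this thread or from Splunk, that ties the suggestions above together: it iterates the rows helper.get_events() returns, takes event_id from the row when the notable action already ran, and otherwise resolves it with the orig_sid/orig_rid search described in the previous reply, retried a bounded number of times because the notable may not yet be indexed when the action fires (the problem Stjubit reports above). The sid and rid are quoted before being placed in the SPL string so a value containing quotes cannot alter the search. Assumptions: each row carries its result id in a field named rid (falling back to "0"), the helper exposes sid, session_key, get_param, get_events and log_info as in the posts above, and the sample rows, sid and event_id values are constructed.

```python
import time

# Constructed sample of the rows helper.get_events() yields for a correlation
# search: one dict per result row. "event_id" is only present when the
# "notable" response action has already run for that row.
SAMPLE_ROWS = [
    {"rid": "0", "src": "10.0.0.5",
     "event_id": "ABCDEF01-0000-0000-0000-000000000001@@notable@@constructed"},
    {"rid": "1", "src": "10.0.0.6"},  # triggered automatically: no event_id yet
]


def spl_quote(value):
    """Quote a value for use inside an SPL string literal.

    sid and rid come from the alert payload; escaping backslashes and double
    quotes keeps an unexpected value from terminating the literal early."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_event_id_query(sid, rid):
    """SPL resolving the notable event_id of one result row via orig_sid/orig_rid.

    `notable` is the ES macro (it already computes event_id), so the filter
    goes in a second search command, as in the reply above."""
    return ("search `notable` | search orig_sid=%s orig_rid=%s "
            "| head 1 | table event_id" % (spl_quote(sid), spl_quote(rid)))


def resolve_event_id(row, sid, run_search, attempts=3, delay=0.0):
    """Return the row's event_id, looking it up through run_search if missing.

    run_search(query) returns a list of result dicts. The notable may not be
    indexed yet when the action fires, so the lookup is retried a bounded
    number of times. rid is read from the row (assumed field name)."""
    event_id = row.get("event_id")
    if event_id:
        return event_id
    query = build_event_id_query(sid, row.get("rid", "0"))
    for attempt in range(attempts):
        for item in run_search(query):
            if item.get("event_id"):
                return item["event_id"]
        if attempt + 1 < attempts:
            time.sleep(delay)
    return None


def enrich_rows(rows, sid, run_search, field="src"):
    """Pair each row's value of `field` with its resolved event_id (or None)."""
    return [{"event_id": resolve_event_id(row, sid, run_search),
             "target": row.get(field)} for row in rows]


def splunk_oneshot_runner(session_key, host="localhost", port=8089):
    """Build a run_search callable backed by splunklib (imported lazily so the
    rest of this example runs without the SDK installed)."""
    import splunklib.client
    import splunklib.results

    service = splunklib.client.connect(host=host, port=port,
                                       token=session_key, owner="nobody")

    def run_search(query):
        stream = service.jobs.oneshot(query, earliest_time="-1h", latest_time="now")
        # ResultsReader also yields Message objects; keep only result rows
        return [dict(item) for item in splunklib.results.ResultsReader(stream)
                if isinstance(item, dict)]
    return run_search


def process_event(helper, *args, **kwargs):
    """Add-on Builder style entry point (hypothetical action): resolve the
    event_id for every result row and log rows that could not be resolved."""
    run_search = splunk_oneshot_runner(helper.session_key)
    records = enrich_rows(list(helper.get_events()), helper.sid, run_search,
                          field=helper.get_param("scan_target_event_field"))
    for record in records:
        if record["event_id"] is None:
            helper.log_info("No event_id found for %s" % record["target"])
    return 0


class ConstructedSearch:
    """Offline stand-in for run_search: the first call returns nothing (the
    notable is not indexed yet), later calls return one hit."""
    def __init__(self, event_id):
        self.event_id = event_id
        self.calls = 0

    def __call__(self, query):
        self.calls += 1
        return [] if self.calls < 2 else [{"event_id": self.event_id}]


if __name__ == "__main__":
    search = ConstructedSearch("ABCDEF01-0000-0000-0000-000000000002@@notable@@constructed")
    for record in enrich_rows(SAMPLE_ROWS, "constructed_sid", search):
        print(record)
```

Keeping the SPL construction and the retry logic separate from the Splunk connection is what makes the lookup testable offline; in the real action only splunk_oneshot_runner touches splunkd.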

monty_the_real
New Member

Hi,
If we are using a cluster-based Splunk deployment, how can we get the cookie here?

0 Karma

peter_krammer
Communicator

I don't know if it is still relevant here, but I had success with:

# one dict per correlation search result row; event_id is set when the notable action has run
events = helper.get_events()
for event in events:
    event_id = event.get("event_id")
    helper.log_info("event.get(\"event_id\")={}".format(event_id))

starcher
SplunkTrust

Don't use the UI elements.
Call the helper.get_events and iterate over each row. Each row is a dict of the search results for that row. Do a get on the column field you want.
http://www.georgestarcher.com/splunk-slides-addon-builder-and-alert-actions/

0 Karma

mwk1000
Path Finder

What about the fields generated by the notable action? event_id, urgency, owner, etc.? I understand the correlation search result rows, but the notable is an adaptive response itself. Is there a way to get those added fields as part of an adaptive response assigned to a correlation rule?

smeier
Path Finder

I'm looking to do something similar.

0 Karma