Splunk Enterprise Security

modular_actions_invocations macro

btanjialih
Explorer

Hi all,

Does anyone have any knowledge or understanding with the macro "modular_actions_invocations(2)"? This is a macro found in the Splunk_SA_CIM and it was found that it will be executed whenever a user change a status of a notable events in the incident review page.

It would be nice if there's more information on this macro as it seems to be running in the background for a long time whenever it is trigger in one of our clients environment.

Regards,
Benjamin

0 Karma

kchamplin_splun
Splunk Employee
Splunk Employee

Hey Benjamin,
I believe this macro is what populates the "Adaptive Responses" area of a Notable event when you expand it in incident review. It should be a fairly fast/narrow search and should only be invoked when you expand a particular notable in incident review.

For reference, here's the macro defintion:

tstats allow_old_summaries=true latest(Modular_Actions.action_status) as action_status from datamodel=Splunk_Audit.Modular_Actions where Modular_Actions.action_name!="unknown" (Modular_Actions.sid=$sid$ Modular_Actions.rid=$rid$) OR (Modular_Actions.orig_sid=$sid$ Modular_Actions.orig_rid=$rid$) by _time,nodename,Modular_Actions.action_name,Modular_Actions.sid,Modular_Actions.rid,Modular_Actions.action_mode,Modular_Actions.user span=1s | `drop_dm_object_name("Modular_Actions")` | eventstats latest(action_status) as action_status by action_name,sid,rid | search nodename="Modular_Actions.Modular_Action_Invocations" | sort 0 -_time | join type=outer action_name [| rest splunk_server=local count=0 /services/alerts/alert_actions | spath input=param._cam path=drilldown_uri output=action_drilldown_uri | rename title as action_name,label as action_label | fields action_name,action_label,action_drilldown_uri] | eval action_label=if(isnotnull(action_label),action_label,action_name),epoch_time=_time | fields _time,epoch_time,action_status,action_name,action_label,action_mode,action_drilldown_uri,sid,rid,user

btanjialih
Explorer

Hi kchamplin,

Thanks for the explanation! Is there an official documentation on this from Splunk? It would be great to learn more about this!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...