Splunk Enterprise Security

Adaptive Response & Notable Race Condition

ericl42
Path Finder

We utilize adaptive response rules quite a bit within Splunk and have had quite a bit of success manually running them after the notable event is created.

Recently we have had a few use cases where we want an adaptive response rule to automatically run once the notable event is tripped and then close out the notable. The issue I'm having is that it appears to be some race condition where if I create a correlation rule that has both the action of create a notable and run my adaptive response rule, it's not working.

With my adaptive response action, I normally pull variables from the notable and then auto update it but I'm not sure how to do all of that after the notable is created.

Has anyone done something along these lines? Thanks.


kchamplin_splun
Splunk Employee

Hello @ericl42 - there isn't a straightforward way to achieve what you're asking with the current implementation of alert actions w/in Splunk Enterprise (this is what Adaptive Response is built on top of). Right now, all alert/adaptive response actions attached to a correlation search run basically simultaneously. This means that things that are search-time constructs, like the notable id (aka "rule_id") value that would be used to update the status of a Notable, don't yet exist and are therefore not accessible to other AR actions being run. Your best bet is to set up an external saved search that looks for the "source" value of the notable(s) you want to auto-close, and attach your AR action to that saved search. This should allow you to access the value of "rule_id" from those search results, and you can then operate on that notable as you see fit.

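As an added illustration of the workaround in the accepted answer (not code from the original thread or from Splunk), here is a custom alert action script that can be attached to that second saved search: it reads the gzipped results CSV that Splunk hands to an alert action, collects the rule_id values the search returned, and closes those notables through Enterprise Security's notable_update REST endpoint using the session key Splunk passes in. It assumes the standard custom alert action --execute protocol (JSON payload on stdin with results_file, server_uri and session_key), that the saved search returns a rule_id column, and that status id 5 maps to "Closed", which is the ES default and should be confirmed in your Incident Review settings; the CSV sample is constructed for the offline demo.

```python
import csv
import gzip
import io
import json
import sys
import urllib.parse
import urllib.request

CLOSED = 5  # default ES status id for "Closed"; confirm in Incident Review settings

# Constructed sample of what the saved search in the answer would return.
SAMPLE_RESULTS = (
    "rule_id,source,status_label\n"
    "sid1@@notable@@aaa,Threat - Example - Rule,New\n"
    "sid1@@notable@@aaa,Threat - Example - Rule,New\n"
    ",Threat - Example - Rule,New\n"
)


def extract_rule_ids(results_csv: str) -> list:
    """Return the unique, non-empty rule_id values from an alert action results CSV."""
    seen, ids = set(), []
    for row in csv.DictReader(io.StringIO(results_csv)):
        rid = (row.get("rule_id") or "").strip()
        if rid and rid not in seen:
            seen.add(rid)
            ids.append(rid)
    return ids


def build_update_body(rule_ids, status=CLOSED, comment="Auto-closed by scheduled search") -> str:
    """Form-encode a notable_update request; ruleUIDs is repeated once per notable."""
    fields = [("ruleUIDs", r) for r in rule_ids] + [("status", str(status)), ("comment", comment)]
    return urllib.parse.urlencode(fields)


def close_notables(server_uri: str, session_key: str, rule_ids: list) -> dict:
    """POST the status change to ES; authenticates with the session key Splunk supplied."""
    req = urllib.request.Request(
        server_uri + "/services/notable_update",
        data=build_update_body(rule_ids).encode(),
        headers={"Authorization": "Splunk " + session_key},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if "--execute" in sys.argv:  # invoked by Splunk as an alert action
        payload = json.load(sys.stdin)
        with gzip.open(payload["results_file"], "rt", newline="") as fh:
            ids = extract_rule_ids(fh.read())
        if ids:
            close_notables(payload["server_uri"], payload["session_key"], ids)
    else:  # offline demo on the constructed sample
        print(extract_rule_ids(SAMPLE_RESULTS))
```

Because the search runs after the notable has been indexed, rule_id is already populated in its results, which is exactly what the correlation search's own simultaneous actions cannot see.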

