Custom Alert Action in ITSI

bstimely · ‎03-26-2020

I created a custom alert action in Splunk Enterprise. When I try to use that action in ITSI for a correlated search, I don't see it as an option. How do I utilize my customer alert action inside ITSI?

cdemir · ‎05-04-2020

Using custom alert actions in ITSI is a little different than in ES. If you wish to use a custom alert action for an event generated by a correlation search, you have to set it up as an action rule on an aggregation policy. You also have to configure the custom alert action in a conf file to be selectable as an action against an event. Parameters to invoke the action are configured as part of the policy.

There’s not a whole lot of documentation on this, but there is some to help you get started on docs.

Edit*** I would also like to add that you could technically just use your custom alert action from ES on ITSI events and episodes. Episode information is indexed in itsi_grouped_alerts and notable events are indexed in itsi_tracked_alerts. If the SHC with itsi installed is running from the same indexer cluster as your deployment of ES, you can search the itsi internal indexes from ES as well.

bstimely · ‎03-26-2020

I used this as a reference. I have it running OK in Enterprise. I just want to reuse the action from ITSI.
https://docs.splunk.com/Documentation/Splunk/8.0.2/AdvancedDev/ModAlertsIntro

bstimely · ‎03-26-2020

Yes, it is.

darrenfuller · ‎03-26-2020

Is the new alert action a modular alert?

Custom Alert Action in ITSI

configuration

using ITSI

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team