As highlighted in the above image, is it possible to change this success status message to show my own details for the custom adaptive response action which I have created?
Basically my requirement is that after running the action, I want to give some external clickable URL to the user on the UI.
If you have any other suggestion that is also welcome.
Also, it would be good to know if we can override/update things by using JavaScript here.
Thank you.
My recommendation would be to use the "drilldown_uri" specification within the Common Action Model to create a custom workflow:
## my_app/default/alert_actions.conf
action.<action>.param._cam = { <stuff> }
## drilldown_uri: Specifies a custom target for viewing the events
## outputted as a result of the action.
## Custom target can specify app and/or view depending on syntax.
## Optional.
## For instance, "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"
See Splunk_SA_CIM/README/alert_actions.conf.spec for full Common Action Model specification
@hazekamp
Thanks for your response.
I will try using this, but will this drilldown URL be visible on the UI? If yes, then where can I view it?
We use this to construct the hyperlink for the "Response" column in the Adaptive Response table within Incident Review.
I got it. I think drilldown_uri can help me get what I actually want, but I am not able to generate the URI for that. I mean, I want to create the URI using hostname and SrcIP from my event details, for which I have added variables in the URI in alert_actions.conf, but those variables are not getting replaced with actual values, whereas I am getting the expected values in my alert Python script.
Also, depending on what you are trying to do, since the sid (search ID) is passed in, it will narrow down the results of that drilldown to the results of the notable event. Furthermore, the rid value should be incrementing for each result "row" (each item returned from your correlation search) - so that you can get the same net effect of drilling down to the details of the notable (which if your notable is operating on src_ip, dest, etc. means you'll get close to the same conclusion).
We don't do full-blown token replacement here. We simply replace on $sid$ and $rid$ at this juncture. You are more than welcome to file an enhancement request.
Hi @hazekamp
Is it possible to add other parameters from the Splunk event into drilldown_uri along with $sid$ and $rid$?
For example: src_ip, dest, host, etc.?
Or can I create a new view in Splunk ES where I can redirect using drilldown_uri, and will it be possible to access these fields there?
If memory serves, the tokens are limited to the following:
sid
rid
time
earliest
latest
action_name
That said if you "redirect" to the search bar, or a custom dashboard with something like the below,
"/SplunkEnterpriseSecuritySuite/search?q=search notable | search orig_sid=$sid$&earliest=-24h&latest=now"
That should pull up the notables associated with that sid (which is what Incident Review is basically doing already; it's just an example). You could of course change that search to go looking for IP addresses or other information, but the short answer is that those fields can't get passed into a new view from Incident Review; you need to figure out how to surface them manually.
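As an added illustration (not code from Splunk or from anyone in this thread), here is a small Python model of the token substitution described above: only the listed tokens are replaced, so an event field such as $src_ip$ is left literal in the resulting URI, and the function reports those unresolved tokens so a developer can catch the problem before deploying. The second function builds the search-bar redirect URI from the example in the reply; the path and token names are taken from the thread, while the URL-encoding and the sample sid are my assumptions.

```python
import re
from urllib.parse import quote

# Tokens that Incident Review substitutes into drilldown_uri, as listed in
# the thread. This is a constructed model of that behaviour, not Splunk's
# own implementation.
DRILLDOWN_TOKENS = ("sid", "rid", "time", "earliest", "latest", "action_name")

# Matches $name$ placeholders such as $sid$ or $src_ip$.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def render_drilldown_uri(template, context):
    """Replace $token$ placeholders in a drilldown_uri template.

    Only tokens in DRILLDOWN_TOKENS are substituted. Any other placeholder
    (for example $src_ip$ taken from the event) is left untouched, which is
    exactly the symptom reported in the thread. Returns (uri, unresolved)
    where unresolved lists the placeholders that were not replaced.
    """
    unresolved = []

    def _sub(match):
        name = match.group(1)
        if name in DRILLDOWN_TOKENS and name in context:
            return str(context[name])
        unresolved.append(name)
        return match.group(0)  # leave the literal $name$ in place

    return TOKEN_RE.sub(_sub, template), unresolved


def notable_search_uri(sid, earliest="-24h", latest="now"):
    """Build the 'redirect to the search bar' URI from the thread: a search
    for the notables carrying orig_sid=<sid>. The SPL is URL-encoded so the
    pipe and spaces survive as a single query parameter (my assumption)."""
    spl = "search notable | search orig_sid=%s" % sid
    return "/SplunkEnterpriseSecuritySuite/search?q=%s&earliest=%s&latest=%s" % (
        quote(spl, safe=""), quote(earliest, safe=""), quote(latest, safe=""))


if __name__ == "__main__":
    # Constructed sample context: sid/rid are supported, host/src_ip are not.
    ctx = {"sid": "scheduler__admin__example_sid", "rid": 0,
           "host": "web01", "src_ip": "10.0.0.5"}
    uri, missing = render_drilldown_uri(
        "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$&src=$src_ip$", ctx)
    print(uri, "unresolved:", missing)
    print(notable_search_uri(ctx["sid"]))
```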
Per @smoir and @hazekamp, that particular message is simply an acknowledgment that Splunk was able to dispatch the action, not an indication of the status of the action itself. To determine if the dispatched action was successful, merely examine the "Adaptive Responses" area of the expanded Notable Event:
@kchamplin
Thanks for your reply.
How can I add a "last Action" column to Adaptive Responses (in the table you have highlighted in your screenshot)?
And can I add my own external clickable URL there?
@niteshp, this is hardcoded in the javascript modal. I'd be interested to hear more about your use case for this. Are you attempting to set up some sort of "runbook" functionality to follow this custom adaptive response action?
@smoir
Thanks for your response.
Basically, my use case is that after running my custom adaptive response action, I want to provide an external clickable URL to the user, so that the user can just click on it and jump to that location for further investigation.