Hello,
I'm trying out an Adaptive Response action for VirusTotal which I created by following this site: http://dev.splunk.com/view/addon-builder/SP-CAAAFBQ.
The following scenarios are working:
Running the Adaptive Response action in ad-hoc mode, where I have to provide a complete URL (like http://www.google.com) as the parameter.
Running the Adaptive Response action from a correlation search using Adaptive Response Actions, where I provide a complete URL (like http://www.google.com) as the parameter.
However, on the same correlation search, if I try to pass the parameter as $url$ it fails to execute and I get a failure under the notable event details.
The correlation search query is a basic one which reads data from a lookup table that contains only one column, called url. It returns the URL.
Correlation Search query
| inputlookup demoARdata | where isnotnull(url)
Adaptive response action
Error message in the log file VirusTotal_modalert.log:
2017-11-27 19:16:38,641 INFO pid=16371 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2017-11-27 19:16:38,642 ERROR pid=16371 tid=MainThread file=cim_actions.py:message:271 | sendmodaction - signature="url is a mandatory parameter, but its value is None." action_name="VirusTotal" search_name="Threat - Splunk alert $url$ - Rule" sid="scheduler_adminSplunkEnterpriseSecuritySuite_RMD5839fb9bced15ebfc_at_1511790360_253" rid="0" app="SplunkEnterpriseSecuritySuite" user="admin" action_mode="saved" action_status="failure"
Not sure where I went wrong. 😞
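An added example, not code from the original post or from the Add-on Builder template the post followed: a small Python sketch of how a Splunk alert action script could handle its url parameter defensively. It assumes the documented alert-action payload shape (a JSON object on stdin with configuration and result keys), treats a missing, empty or still-literal $...$ parameter as unusable, and falls back to the url field of the triggering result row before validating that what it has is an http(s) URL with a host. The sample payload, the field names and the fallback policy are constructed assumptions for illustration, not an explanation of why the original setup fails.

```python
"""Defensive parameter handling for a Splunk alert action (added example)."""
import json
import sys
from urllib.parse import urlparse

# Only submit web URLs to the reputation service; anything else is rejected.
ALLOWED_SCHEMES = ("http", "https")

# Constructed sample payload in the documented stdin shape (configuration +
# result). The unresolved "$url$" token in configuration is an assumption
# used to exercise the fallback path, not an observed value.
SAMPLE_PAYLOAD = {
    "search_name": "Threat - Splunk alert $url$ - Rule",
    "configuration": {"url": "$url$"},
    "result": {"url": "http://www.google.com"},
}


def is_usable_url(value):
    """True only for a non-empty http(s) URL that names a host.

    None, blank strings and unresolved tokens such as "$url$" all fail,
    as do schemes outside ALLOWED_SCHEMES (ftp://, file://, javascript:).
    """
    if not isinstance(value, str):
        return False
    value = value.strip()
    if not value or (value.startswith("$") and value.endswith("$")):
        return False
    parts = urlparse(value)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def resolve_url(payload, param_name="url", field_name="url"):
    """Pick the URL to look up: the configured parameter first, then the
    named field of the triggering result row. Returns None if neither is
    a usable URL, so the caller can fail loudly instead of sending junk."""
    configured = (payload.get("configuration") or {}).get(param_name)
    from_result = (payload.get("result") or {}).get(field_name)
    for candidate in (configured, from_result):
        if is_usable_url(candidate):
            return candidate.strip()
    return None


def main():
    # Splunk pipes the payload on stdin; fall back to the sample when run
    # interactively so the script can be tried by hand.
    payload = SAMPLE_PAYLOAD if sys.stdin.isatty() else json.load(sys.stdin)
    url = resolve_url(payload)
    if url is None:
        sys.stderr.write("url is a mandatory parameter, but no usable value was found\n")
        return 1
    # The real action would submit `url` to VirusTotal here; this sketch stops
    # once a validated value has been chosen.
    sys.stderr.write("resolved url=%s\n" % url)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with a payload on stdin (for example `echo '{"configuration":{"url":""},"result":{"url":"https://example.test"}}' | python3 action.py`) to see the fallback and validation in action; the same check belongs in the helper before any outbound request is made, so a misconfigured token never reaches the reputation API.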