Refactor an existing alert action

All alert actions are available in Splunk Enterprise Security as response actions that can be triggered by correlation searches. In the correlation search editor, ES admins can select any alert action whose permissions make it available to all apps. However, standard alert actions are not available for ad-hoc invocation from Incident Review, and they are not categorized by category, task, subject, and vendor. In addition, alert actions that do not conform to the Common Action Model lack the tags and fields required for auditing in the Adaptive Response Action Center.

As a best practice, refactor your alert action to conform to the Common Action Model defined in the Common Information Model add-on. The Common Action Model consists of a Python library and a JSON specification that, together, provide a consistent, audit-friendly structure for creating alert actions. The Common Action Model Python library promotes consistency and best practices in action code. The JSON specification supplies a mechanism for categorizing actions and communicating parameters recognized by the Adaptive Response framework in Splunk Enterprise Security.

Refactoring your alert action so that it conforms to the Common Action Model involves minor changes and additions to your configuration files and a complete replacement of your alert action script. You can refactor manually, or you can create a new alert action with Splunk Add-on Builder.


Refactor manually

Prerequisites

Steps

  1. Open your default/alert_actions.conf file.
  2. Add the param._cam parameter to the stanza for your action and provide values for the variables within the JSON object it contains. Refer to the alert_actions.conf.spec in the Common Information Model add-on for the permitted values of these variables.
  3. Replace your alert action script file with a new one that uses the cim_actions.py library.
  4. Create a default/eventtypes.conf. In this file, define the results produced by the action as an event type, using the source type and index that you specified when you called the writeevents() method in your script. The source type and index must match exactly, or the Adaptive Response Action Center cannot find the results. For example,
    [<actionname>] 
    search = index=<someindex> sourcetype=<actionname>:results
  5. Create a default/tags.conf. In this file, include a stanza that tags the event type you created in the previous step with the tag modaction_result. For example,
    [eventtype=<actionname>]
    modaction_result = enabled
  6. Package your app and install it on an instance running Splunk Enterprise Security for testing.
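
As a worked example of steps 1, 2, 4, and 5 together, here are the three configuration files for a hypothetical action named notify_ticket that writes its results to a hypothetical index named ticket_results. This is an added illustration, not configuration shipped with the Common Information Model add-on or Enterprise Security: the action name, index name, and the category, task, subject, and technology values are assumptions chosen for the example, and the permitted values for the param._cam variables must be taken from the alert_actions.conf.spec in the Common Information Model add-on.

```ini
# default/alert_actions.conf
# Stanza name is the action name; the script is expected at bin/notify_ticket.py (assumed name).
[notify_ticket]
is_custom = 1
label = Notify ticketing system
description = Opens a ticket for the notable event (illustrative description)
payload_format = json
# param._cam classifies the action for the Adaptive Response framework.
# The values below are examples only; choose them from alert_actions.conf.spec in the CIM add-on.
# required_fields lists the result fields the action needs; supports_adhoc enables
# ad-hoc invocation from Incident Review.
param._cam = {"category": ["Information Conveyance"], "task": ["create"], "subject": ["ticket"], "technology": [{"vendor": "Example Vendor", "product": "Example Ticketing", "version": ["1.0"]}], "supports_adhoc": true, "required_fields": ["dest", "signature"]}

# default/eventtypes.conf
# index and sourcetype must match exactly what the script passes to writeevents().
[notify_ticket]
search = index=ticket_results sourcetype=notify_ticket:results

# default/tags.conf
# The modaction_result tag is what the Adaptive Response Action Center audits on.
[eventtype=notify_ticket]
modaction_result = enabled
```

The three files are coupled by two strings: the action name (stanza name in alert_actions.conf, event type name in eventtypes.conf, and eventtype=<name> in tags.conf) and the index/sourcetype pair, which the script's writeevents() call must reproduce exactly. A mismatch in either is the most common reason a refactored action runs but shows no results in the Action Center.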

For more information about testing your action, see Validate your response action in Enterprise Security.


Create a new alert action with Add-on Builder instead of refactoring

You may find it more convenient to use Add-on Builder to create a new alert action from scratch instead of refactoring your existing action. See Create an adaptive response action for Enterprise Security in the Add-on Builder documentation. Add-on Builder uses the Common Action Model library and produces the parameters, tags, and fields expected by the Adaptive Response framework.