IBM QRadar SOAR

  • 1.  Resilient Integration for Splunk and Splunk ES

    Posted Mon April 01, 2019 10:39 AM
    Edited by Alexander Lombardi Mon April 01, 2019 10:39 AM
    Hello,

    I am running into an issue with the Resilient Integration for Splunk and Splunk ES app for Splunk. The app contains a file called alert_actions.conf which appears to be used to control manual adaptive response actions. Our organization has multiple alerts which do not always have the same field names. For example, depending on the alert, the user field could be $result.user1$ or $result.user2$, etc. Right now I am setting multiple Splunk field names to be mapped to a single Resilient field, then I am parsing out the extra pieces through Python scripting in the Resilient platform. Is there a better way to do this? I know I can get this to work through correlation searches automatically, but we are sending events to Resilient manually so this will not work. Has anyone got this working or know of a way to get this to work? (maybe multiple alert_actions.conf that can be selected based on a condition in an alert?).

    ------------------------------
    Alex
    ------------------------------
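The workaround described in the post above (map several Splunk result fields into one Resilient field, then pick the right value in a script) can be done on either side. The following is an added example, not code from the Resilient app or from the poster; the field names `user1`, `user2`, `src_user`, `dest_host` and the priority order are assumed for illustration, as is the behaviour that an unmatched `$result.x$` token expands to an empty string. It shows the Splunk-side normalization as an SPL comment and the script-side coalesce/parse logic in plain Python.

```python
"""Normalize alert result fields that carry the same data under different
names (user1, user2, ...) before they land in a single SOAR field.

Added example; not the Resilient Integration for Splunk's own code.

Preferred fix is on the Splunk side, in each correlation search, so that
alert_actions.conf only ever references one token ($result.user$):
    ... | eval user=coalesce(user1, user2, src_user)
The functions below do the equivalent in a script when that is not possible.
"""

# Canonical field -> candidate Splunk result fields, highest priority first.
# Names are assumed for the example; adjust to your correlation searches.
FIELD_PRIORITY = {
    "user": ["user", "user1", "user2", "src_user"],
    "host": ["host", "dest_host", "dest", "src"],
}

# Constructed sample rows standing in for the fields a notable event might carry.
SAMPLE_RESULTS = [
    {"user1": "alice", "dest_host": "srv01", "signature": "Brute force"},
    {"user2": "bob", "src": "10.0.0.5", "signature": "Malware"},
    {"signature": "No identity fields at all"},
]


def coalesce(result, candidates):
    """Return the first candidate field that is present and non-empty, else None."""
    for name in candidates:
        value = result.get(name)
        if value is not None and str(value).strip() != "":
            return str(value).strip()
    return None


def normalize_result(result, priority=FIELD_PRIORITY):
    """Map one alert result row onto the canonical field names in `priority`."""
    return {canonical: coalesce(result, names) for canonical, names in priority.items()}


def normalize_all(results=SAMPLE_RESULTS):
    """Normalize every row; used by the test and as a stand-alone demo."""
    return [normalize_result(r) for r in results]


def parse_combined_token(value, sep=" "):
    """Fallback for a field filled from several tokens, e.g. the param value
    "$result.user1$ $result.user2$" in alert_actions.conf. Assumption: a token
    for a field the alert lacks expands to "", so the field arrives as
    "alice " or " bob". Keep the first non-empty piece; None if all are empty."""
    if value is None:
        return None
    pieces = [p.strip() for p in value.split(sep) if p.strip()]
    return pieces[0] if pieces else None


if __name__ == "__main__":
    for row in normalize_all():
        print(row)
    print(parse_combined_token(" bob"))
```

`coalesce` treats whitespace-only values as missing, which matters because a token that Splunk expands to an empty string would otherwise "win" over a populated lower-priority field.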


  • 2.  RE: Resilient Integration for Splunk and Splunk ES

    Posted Mon April 01, 2019 11:50 AM
    Can you create multiple alerts? 

    Yongjian

    ------------------------------
    Yongjian Feng
    ------------------------------



  • 3.  RE: Resilient Integration for Splunk and Splunk ES

    Posted Mon April 01, 2019 11:55 AM
    Edited by Alexander Lombardi Mon April 01, 2019 11:56 AM
    I have multiple alerts already created; they are correlation searches that trigger a notable event. From the notable event my analysts then go to the Incident Review dashboard and manually send over the alert to Resilient. When an analyst sends the "data" over to Resilient through the adaptive response, the values I entered in alert_actions.conf are all showing. I am wondering how I can customize this so that the fields sync with the fields from the different unique alerts.

    ------------------------------
    Alexander Lombardi
    ------------------------------



  • 4.  RE: Resilient Integration for Splunk and Splunk ES

    Posted Mon April 01, 2019 12:33 PM
    I see. You are talking about the manual escalation.

    If I understand it right, this is a limitation of the Splunk Add-on framework. Each alert handler can have only one alert_actions.conf. 

    You might want to post a question to answers.splunk.com also to see if other Splunk users have better approaches. 

    Thanks,

    Yongjian

    ------------------------------
    Yongjian Feng
    ------------------------------