Not sure why I see all my alert options in Search and Reporting, but when I look in Enterprise Security, webhooks and PagerDuty are not in the drop-down. I have checked the action permissions and they are global, and I am 100% admin of the system. Not sure if it's ES or what... I feel like I should see at least the webhooks option in ES? Thanks in advance.
Found the answer for ES at least.
Found the fix. We had to add PagerDuty to the app imports update with the following string:
([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)|(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)|(utbox)|(pagerduty_incidents)
Now it's an alert option in ES as well and works, FYI.
Where is the "app imports update"? Is that a .conf or .py file somewhere in Splunk or the TA?
I want to know where to paste the string:
([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)|(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)|(utbox)|(pagerduty_incidents)
Thanks for your help.
Found where to paste the string:
https://docs.splunk.com/Documentation/ES/4.7.1/Install/ImportCustomApps#Import_add-ons_with_a_differ...
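As an added example (not from any poster in this thread, and not Splunk's own code): a small Python check that previews which app directory names an import regex would cover before you edit the ES app imports. It assumes ES applies the pattern as a full match against the app directory name; the app names in the sample list are constructed, and the "TA-pagerduty" and "slack_alerts" names are hypothetical.

```python
import re

# Import regex as it appeared in the thread after markdown stripped the "*"
# wildcards from the first two alternatives (constructed from the post).
BROKEN_REGEX = (
    r"([DST]A-.)|(Splunk_[DST]A_.)|(SplunkEnterpriseSecuritySuite)|"
    r"(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)|"
    r"(utbox)|(pagerduty_incidents)"
)

# The same regex with the wildcards restored.
FIXED_REGEX = (
    r"([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)|"
    r"(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)|"
    r"(utbox)|(pagerduty_incidents)"
)

# Constructed sample of app directory names as found under $SPLUNK_HOME/etc/apps.
SAMPLE_APPS = [
    "SplunkEnterpriseSecuritySuite",
    "SA-org_custom_content",
    "TA-pagerduty",        # hypothetical TA- style add-on name
    "Splunk_TA_windows",
    "SecKit_SA_geo",
    "pagerduty_incidents",
    "slack_alerts",        # hypothetical app not covered by either regex
    "search",
]


def imported_apps(import_regex, app_names):
    """Return the app names the regex would import.

    Assumption: ES applies the pattern as a full match against the app
    directory name, so a pattern such as ([DST]A-.) matches "TA-x" but
    not "TA-pagerduty".
    """
    pattern = re.compile(import_regex)
    return [name for name in app_names if pattern.fullmatch(name)]


def missing_apps(import_regex, app_names):
    """Return the app names the regex would leave out of ES."""
    pattern = re.compile(import_regex)
    return [name for name in app_names if not pattern.fullmatch(name)]


def add_app(import_regex, app_name):
    """Append one literal app name as a new alternative, escaping regex
    metacharacters so a name like 'my.app' is matched literally."""
    return import_regex + "|(" + re.escape(app_name) + ")"


if __name__ == "__main__":
    print("broken :", imported_apps(BROKEN_REGEX, SAMPLE_APPS))
    print("fixed  :", imported_apps(FIXED_REGEX, SAMPLE_APPS))
    print("left out:", missing_apps(FIXED_REGEX, SAMPLE_APPS))
    print("with slack:", imported_apps(add_app(FIXED_REGEX, "slack_alerts"), SAMPLE_APPS))
```

Running the check shows the difference the stripped wildcards make: without them, "TA-pagerduty" and "Splunk_TA_windows" are silently left out of the import, which is the kind of gap that only surfaces later as a missing alert action in the correlation search builder.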
I had the same issue. Here's what I did to make it work:
Now it shows up and I'm successfully able to have it send me alerts when my correlation searches fire.
Hope this helps,
-Dan
The Slack app was updated this week to use the TA- naming convention and AR support.
Just because something is coded as an alert action does not mean the developer made them into ES compatible Adaptive Responses. There is extra setup for that. My expectation is those are not built to be explicitly adaptive responses for ES.
@Starcher is correct - the ES import fix will allow it to show up as an alert option in the correlation search builder, but there's underlying functionality that will not work (such as UI updates, etc). There's a canonical example for how to implement an AR action:
http://dev.splunk.com/view/enterprise-security/SP-CAAAFBH
Note that eventtypes and tags are an important part of making the drilldown capability work, and you also need to implement the action as a subclass of ModularAction so that things like the logging format and other class methods (addevent and writeevents) are used.