Use the common action model to build custom alert actions
The common action model is a common information model for alert actions. It is not a data model. Rather, it is a set of tools and best practices for creating alert actions that are consistent, robust, and easy to introspect. Splunk developed the common action model to support the adaptive response framework in Splunk Enterprise Security, but it is not exclusive to that use case.
The common action model consists of three components:
- a `cim_actions.py` library, which assists developers with building alert actions in a way that conforms to the common action model.
- a JSON spec in `alert_actions.conf.spec`, which classifies actions and specifies other metadata expected by the adaptive response framework.
- an extension to the Splunk Audit Logs data model that describes the introspection event data produced by alert actions that conform to the common action model.
Developers can use these components to design new alert actions or adaptive response actions or refactor existing custom actions to comply with the model. You can incorporate the common action model into your manual development process, or you can use the Splunk Add-on Builder, which incorporates the common action model in its custom alert action creation wizard. The Splunk Enterprise Security developer documentation contains a detailed walkthrough of both of these methods of creating an adaptive response action, which is an alert action with special functionality in Splunk Enterprise Security. See Create an adaptive response action on the Splunk developer portal.
Using the cim_actions.py library
The `cim_actions.py` library is located at `$SPLUNK_HOME/etc/apps/Splunk_SA_CIM/lib/cim_actions.py`. If you are creating your action manually, import this library so that you can use the methods provided in it. If you are using Add-on Builder to create your action, the code snippet provided in the code editor imports the library for you and provides sample code for the methods available.
Incorporating the JSON spec
The JSON spec is located at `$SPLUNK_HOME/etc/apps/Splunk_SA_CIM/README/alert_actions.conf.spec`. It defines the `param._cam` attribute and provides its documentation. The same folder also contains `alert_actions.conf.example`, which contains two examples of how to follow the spec in your `alert_actions.conf` file.
| Parameter | Description | Examples |
|---|---|---|
| category | The category or categories the action belongs to. See cam_categories.csv for recommended values. | Information Conveyance, Information Gathering, Permissions Control, Device Control |
| task | The function or functions performed by the action. See cam_tasks.csv for recommended values. | task, block, allow, create, update, delete, scan |
| subject | The object or objects that the action's task(s) can be performed on. See cam_subjects.csv for recommended values. | endpoint.file, network.proxy, process.sandbox |
| technology | The technology vendor(s), product(s), and version(s) that the action supports. | { "vendor": "Splunk", "product": "Enterprise", "version": ["6.4.3", "6.5.0"] } |
| supports_adhoc | Specifies whether the action supports ad-hoc invocation from the Actions menu on the Incident Review dashboard in Splunk Enterprise Security. This parameter is only relevant within Splunk Enterprise Security, and defaults to false. | true |
| drilldown_uri | An optional customized drilldown for the link that appears in the detailed view of a notable event on the Incident Review dashboard in Splunk Enterprise Security. This parameter is only relevant within Splunk Enterprise Security. If you do not want to specify a custom drilldown, remove this parameter; do not leave it blank. If the parameter is not included, the default drilldown URL leads to a search for the result events created by this response action. If you want to specify a target in an app outside Enterprise Security, use the format `../<app_context>/<viewname>?<additional drilldown parameters>`. If you are redirecting to a custom view within Enterprise Security, use the format `/<viewname>?<additional drilldown parameters>`. | "../my_app/my_view?form.orig_sid=$sid$&form.orig_rid=$rid$" |
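To check a `param._cam` value against the fields in the table above before shipping an `alert_actions.conf` stanza, here is an added example (not code from Splunk_SA_CIM or Add-on Builder). It assumes that category, task and subject are lists of strings and that technology is one or more vendor/product/version objects; the sample value is constructed for the example.

```python
import json
# Constructed sample param._cam value; not taken from alert_actions.conf.example.
SAMPLE_CAM = json.dumps({
    "category": ["Information Gathering"],
    "task": ["scan"],
    "subject": ["endpoint.file"],
    "technology": [{"vendor": "Splunk", "product": "Enterprise",
                    "version": ["6.4.3", "6.5.0"]}],
    "supports_adhoc": True,
    "drilldown_uri": "../my_app/my_view?form.orig_sid=$sid$&form.orig_rid=$rid$",
})

def _string_list(value):
    """True when value is a non-empty list of non-empty strings."""
    return (isinstance(value, list) and len(value) > 0
            and all(isinstance(v, str) and v for v in value))

def validate_cam(raw):
    """Return a list of problems found in a param._cam JSON string ([] means it passed)."""
    problems = []
    try:
        cam = json.loads(raw)
    except ValueError as exc:
        return ["param._cam is not valid JSON: %s" % exc]
    if not isinstance(cam, dict):
        return ["param._cam must be a JSON object"]
    # category, task and subject take one or more names; assumed here to be lists of strings
    for key in ("category", "task", "subject"):
        if not _string_list(cam.get(key)):
            problems.append("%s must be a non-empty list of strings" % key)
    # technology: one object or a list of {vendor, product, version[]} objects (assumption)
    techs = cam.get("technology", [])
    for tech in (techs if isinstance(techs, list) else [techs]):
        ok = (isinstance(tech, dict) and isinstance(tech.get("vendor"), str)
              and isinstance(tech.get("product"), str)
              and _string_list(tech.get("version")))
        if not ok:
            problems.append("technology entry needs vendor, product and a version list: %r" % (tech,))
    # supports_adhoc defaults to false and must be a boolean when given
    if not isinstance(cam.get("supports_adhoc", False), bool):
        problems.append("supports_adhoc must be true or false")
    # drilldown_uri: omit the key for the default drilldown; never leave it blank
    if "drilldown_uri" in cam:
        uri = cam["drilldown_uri"]
        if not isinstance(uri, str) or not uri.strip():
            problems.append("drilldown_uri is blank; remove the key to use the default drilldown")
        elif not (uri.startswith("../") or uri.startswith("/")):
            problems.append("drilldown_uri must start with ../<app>/<view> or /<view>")
    return problems
```

Run `validate_cam` over the value you put in `param._cam`; an empty list means every check passed.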
Modeling introspection data
The Splunk Audit Logs data model has a dataset called Modular_Actions. The `cim_actions.py` library's `message()` method automatically creates and tags introspection events for this model. See Splunk Audit Logs for details of the fields.
If you have Splunk Enterprise Security installed, go to the Adaptive Response Action Center to view introspection data for all the actions compliant with the common action model.
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.6.0, 4.7.0, 4.8.0