feat(adaptiveResponse): add verbose details for AR alert action (#1135)

- Contains changes for adaptive response that can be created from the `globalConfig` - Added the supported parameters by AR framework - Updated test cases to reflect the changes - Handled migration of users using `activeResponse` and change it to `adaptiveResponse` - Provided a warning log if any users are using `activeResponse`
splunk · Apr 16, 2024 · b19d678 · b19d678
1 parent 2b269cc
commit b19d678
Show file tree

Hide file tree

Showing 29 changed files with 69 additions and 53 deletions.
diff --git a/splunk_add_on_ucc_framework/commands/modular_alert_builder/alert_actions_conf_gen.py b/splunk_add_on_ucc_framework/commands/modular_alert_builder/alert_actions_conf_gen.py
@@ -102,7 +102,7 @@ def generate_conf(self) -> None:
             alert_name = alert["short_name"]
             alerts[alert_name] = []
             for k, v in alert.items():
-                if k == "active_response":
+                if k == "adaptive_response":
                     new_cam = {
                         sub_k: sub_v
                         for sub_k, sub_v in list(v.items())
@@ -165,7 +165,7 @@ def generate_eventtypes(self) -> None:
 
         # remove the stanza if not checked
         for alert in self._alert_settings:
-            if alert.get("active_response") and alert["active_response"].get(
+            if alert.get("adaptive_response") and alert["adaptive_response"].get(
                 "sourcetype"
             ):
                 continue
@@ -188,7 +188,7 @@ def generate_tags(self) -> None:
 
         # remove the stanza if not checked
         for alert in self._alert_settings:
-            if alert.get("active_response") and alert["active_response"].get(
+            if alert.get("adaptive_response") and alert["adaptive_response"].get(
                 "sourcetype"
             ):
                 continue
@@ -218,9 +218,9 @@ def generate_spec(self) -> None:
             alert_name = alert["short_name"]
             alerts[alert_name] = []
             for k, v in alert.items():
-                if k == "active_response":
+                if k == "adaptive_response":
                     alerts[alert_name].append(
-                        "param._cam = <json> Active response parameters."
+                        "param._cam = <json> Adaptive Response parameters."
                     )
                 elif k == "parameters":
                     for param in v:

diff --git a/...ucc_framework/commands/modular_alert_builder/arf_template/alert_action_helper.py.template b/...ucc_framework/commands/modular_alert_builder/arf_template/alert_action_helper.py.template
@@ -23,9 +23,9 @@ def process_event(helper, *args, **kwargs):
     # and writes them to Splunk
     # NOTE: Call helper.writeevents() only once after all events
     # have been added
-    {% if mod_alert.get("active_response") and mod_alert.active_response.get("sourcetype") %}
-    helper.addevent("hello", sourcetype="{{ mod_alert.active_response.sourcetype }}")
-    helper.addevent("world", sourcetype="{{ mod_alert.active_response.sourcetype }}")
+    {% if mod_alert.get("adaptive_response") and mod_alert.adaptive_response.get("sourcetype") %}
+    helper.addevent("hello", sourcetype="{{ mod_alert.adaptive_response.sourcetype }}")
+    helper.addevent("world", sourcetype="{{ mod_alert.adaptive_response.sourcetype }}")
     {% else %}
     helper.addevent("hello", sourcetype="sample_sourcetype")
     helper.addevent("world", sourcetype="sample_sourcetype")

diff --git a/...add_on_ucc_framework/commands/modular_alert_builder/arf_template/eventtypes.conf.template b/...add_on_ucc_framework/commands/modular_alert_builder/arf_template/eventtypes.conf.template
@@ -1,7 +1,7 @@
 {% for alert in mod_alerts %}
-    {% if alert.get("active_response") and alert.active_response.get("sourcetype") %}
+    {% if alert.get("adaptive_response") and alert.adaptive_response.get("sourcetype") %}
 [{{ alert.short_name }}_modaction_result]
-search = {{ 'sourcetype="' + alert.active_response.sourcetype + '"' }}
+search = {{ 'sourcetype="' + alert.adaptive_response.sourcetype + '"' }}
     {% endif %}
 {% endfor %}
 
diff --git a/splunk_add_on_ucc_framework/commands/modular_alert_builder/arf_template/tags.conf.template b/splunk_add_on_ucc_framework/commands/modular_alert_builder/arf_template/tags.conf.template
@@ -1,5 +1,5 @@
 {% for alert in mod_alerts %}
-    {% if alert.get("active_response") and alert.active_response.get("sourcetype") %}
+    {% if alert.get("adaptive_response") and alert.adaptive_response.get("sourcetype") %}
 [eventtype={{ alert.short_name }}_modaction_result]
 modaction_result = enabled
     {% endif %}

diff --git a/splunk_add_on_ucc_framework/commands/modular_alert_builder/normalize.py b/splunk_add_on_ucc_framework/commands/modular_alert_builder/normalize.py
@@ -18,8 +18,9 @@
 from typing import Any, Dict, List
 
 mapping_keys = {
-    "activeResponse": "active_response",
+    "adaptiveResponse": "adaptive_response",
     "supportsAdhoc": "supports_adhoc",
+    "supportsCloud": "supports_cloud",
     "drilldownUri": "drilldown_uri",
     "entity": "parameters",
     "defaultValue": "default_value",

diff --git a/splunk_add_on_ucc_framework/global_config_update.py b/splunk_add_on_ucc_framework/global_config_update.py
@@ -70,6 +70,30 @@ def _handle_dropping_api_version_update(
     global_config.update_schema_version("0.0.3")
 
 
+def _handle_alert_action_updates(global_config: global_config_lib.GlobalConfig) -> None:
+    if global_config.has_alerts():
+        updated_alerts = []
+        for alert in global_config.alerts:
+            modified_alert = {}
+            for k, v in alert.items():
+                if k in ["activeResponse", "adaptiveResponse"]:
+                    # set default values for the below properties
+                    v["supportsAdhoc"] = v.get("supportsAdhoc", False)
+                    v["supportsCloud"] = v.get("supportsCloud", True)
+                if k == "activeResponse":
+                    logger.warning(
+                        "'activeResponse' is deprecated. Please use 'adaptiveResponse' instead."
+                    )
+                    modified_alert["adaptiveResponse"] = v
+                else:
+                    modified_alert[k] = v
+
+            # in either case, we create a new list and fill it with updated alerts, if any
+            updated_alerts.append(modified_alert)
+        global_config._content["alerts"] = updated_alerts
+        global_config.dump(global_config.original_path)
+
+
 def handle_global_config_update(global_config: global_config_lib.GlobalConfig) -> None:
     """Handle changes in globalConfig file."""
     current_schema_version = global_config.schema_version
@@ -149,3 +173,5 @@ def handle_global_config_update(global_config: global_config_lib.GlobalConfig) -
         _handle_dropping_api_version_update(global_config)
         global_config.dump(global_config.original_path)
         logger.info("Updated globalConfig schema to version 0.0.3")
+
+    _handle_alert_action_updates(global_config)
diff --git a/splunk_add_on_ucc_framework/schema/schema.json b/splunk_add_on_ucc_framework/schema/schema.json
@@ -83,7 +83,7 @@
           "type": "string",
           "maxLength": 100
         },
-        "activeResponse": {
+        "adaptiveResponse": {
           "type": "object",
           "properties": {
             "task": {
@@ -96,6 +96,9 @@
             "supportsAdhoc": {
               "type": "boolean"
             },
+            "supportsCloud": {
+              "type": "boolean"
+            },
             "subject": {
               "type": "array",
               "items": {
@@ -128,7 +131,6 @@
           },
           "required": [
             "task",
-            "supportsAdhoc",
             "subject",
             "category",
             "technology"

diff --git a/..._global_config_configuration/Splunk_TA_UCCExample/appserver/static/js/build/entry_page.js b/..._global_config_configuration/Splunk_TA_UCCExample/appserver/static/js/build/entry_page.js
diff --git a/...ected_output_global_config_everything/Splunk_TA_UCCExample/README/alert_actions.conf.spec b/...ected_output_global_config_everything/Splunk_TA_UCCExample/README/alert_actions.conf.spec
@@ -1,5 +1,5 @@
 [test_alert]
-param._cam = <json> Active response parameters.
+param._cam = <json> Adaptive Response parameters.
 param.name = <string> Name. It's a required parameter. It's default value is xyz.
 param.all_incidents = <bool> All Incidents.
 param.table_list = <list> Table List.  It's default value is problem.

diff --git a/...put_global_config_everything/Splunk_TA_UCCExample/appserver/static/js/build/entry_page.js b/...put_global_config_everything/Splunk_TA_UCCExample/appserver/static/js/build/entry_page.js
diff --git a/.../expected_output_global_config_everything/Splunk_TA_UCCExample/default/alert_actions.conf b/.../expected_output_global_config_everything/Splunk_TA_UCCExample/default/alert_actions.conf
@@ -1,7 +1,7 @@
 [test_alert]
 label = Test Alert
 description = Description for test Alert Action
-param._cam = {"task": ["Create", "Update"], "subject": ["endpoint"], "category": ["Information Conveyance", "Information Portrayal"], "technology": [{"version": ["1.0.0"], "product": "Test Incident Update", "vendor": "Splunk"}], "supports_adhoc": true, "drilldown_uri": "search?q=search%20index%3D\"_internal\"&earliest=0&latest="}
+param._cam = {"task": ["Create", "Update"], "subject": ["endpoint"], "category": ["Information Conveyance", "Information Portrayal"], "technology": [{"version": ["1.0.0"], "product": "Test Incident Update", "vendor": "Splunk"}], "supports_adhoc": true, "supports_cloud": true, "drilldown_uri": "search?q=search%20index%3D\"_internal\"&earliest=0&latest="}
 python.version = python3
 is_custom = 1
 payload_format = json

diff --git a/...ons/expected_output_global_config_everything/Splunk_TA_UCCExample/default/eventtypes.conf b/...ons/expected_output_global_config_everything/Splunk_TA_UCCExample/default/eventtypes.conf
@@ -1,4 +1,3 @@
+[test_alert_modaction_result]
+search = sourcetype="test:incident"
 
-# Just something
-[UCC_NOT_GENERATED]
-search = index=_internal sourcetype=splunkd
diff --git a/...ed_addons/expected_output_global_config_everything/Splunk_TA_UCCExample/default/tags.conf b/...ed_addons/expected_output_global_config_everything/Splunk_TA_UCCExample/default/tags.conf
@@ -1,4 +1,3 @@
-
-[eventtype=UCC_NOT_GENERATED]
-notalert = enabled
+[eventtype=test_alert_modaction_result]
+modaction_result = enabled
 
diff --git a/tests/testdata/test_addons/package_files_conflict_test/globalConfig.json b/tests/testdata/test_addons/package_files_conflict_test/globalConfig.json
@@ -212,7 +212,7 @@
     "meta": {
         "name": "test_addon",
         "restRoot": "test_addon",
-        "version": "5.41.0R45554b7b",
+        "version": "5.41.0Reda406cf",
         "displayName": "This is my add-on",
         "schemaVersion": "0.0.3",
         "_uccVersion": "5.41.0"

diff --git a/tests/testdata/test_addons/package_global_config_everything/globalConfig.json b/tests/testdata/test_addons/package_global_config_everything/globalConfig.json
@@ -1469,12 +1469,13 @@
             "label": "Test Alert",
             "description": "Description for test Alert Action",
             "iconFileName": "test icon.png",
-            "activeResponse": {
+            "adaptiveResponse": {
                 "task": [
                     "Create",
                     "Update"
                 ],
                 "supportsAdhoc": true,
+                "supportsCloud": true,
                 "subject": [
                     "endpoint"
                 ],
@@ -1579,7 +1580,7 @@
     "meta": {
         "name": "Splunk_TA_UCCExample",
         "restRoot": "splunk_ta_uccexample",
-        "version": "5.41.0R45554b7b",
+        "version": "5.41.0R9c5fbfe0",
         "displayName": "Splunk UCC test Add-on",
         "schemaVersion": "0.0.3",
         "_uccVersion": "5.41.0"

diff --git a/tests/testdata/test_addons/package_global_config_everything/package/default/eventtypes.conf b/tests/testdata/test_addons/package_global_config_everything/package/default/eventtypes.conf
diff --git a/tests/testdata/test_addons/package_global_config_everything/package/default/tags.conf b/tests/testdata/test_addons/package_global_config_everything/package/default/tags.conf
diff --git a/tests/testdata/test_addons/package_global_config_everything_uccignore/globalConfig.json b/tests/testdata/test_addons/package_global_config_everything_uccignore/globalConfig.json
@@ -1318,12 +1318,13 @@
             "label": "Test Alert",
             "description": "Description for test Alert Action",
             "iconFileName": "test icon.png",
-            "activeResponse": {
+            "adaptiveResponse": {
                 "task": [
                     "Create",
                     "Update"
                 ],
                 "supportsAdhoc": true,
+                "supportsCloud": true,
                 "subject": [
                     "endpoint"
                 ],

diff --git a/...ta/test_addons/package_global_config_everything_uccignore/package/default/eventtypes.conf b/...ta/test_addons/package_global_config_everything_uccignore/package/default/eventtypes.conf
diff --git a/...testdata/test_addons/package_global_config_everything_uccignore/package/default/tags.conf b/...testdata/test_addons/package_global_config_everything_uccignore/package/default/tags.conf
diff --git a/tests/testdata/test_addons/package_global_config_multi_input/globalConfig.json b/tests/testdata/test_addons/package_global_config_multi_input/globalConfig.json
@@ -465,7 +465,7 @@
     "meta": {
         "name": "Splunk_TA_UCCExample",
         "restRoot": "splunk_ta_uccexample",
-        "version": "5.41.0R45554b7b",
+        "version": "5.41.0Reda406cf",
         "displayName": "Splunk UCC test Add-on",
         "schemaVersion": "0.0.3",
         "_uccVersion": "5.41.0"

diff --git a/tests/testdata/test_addons/package_global_config_only_one_tab/globalConfig.json b/tests/testdata/test_addons/package_global_config_only_one_tab/globalConfig.json
@@ -36,7 +36,7 @@
     "meta": {
         "name": "Splunk_TA_UCCExample",
         "restRoot": "splunk_ta_uccexample",
-        "version": "5.41.0R45554b7b",
+        "version": "5.41.0Reda406cf",
         "displayName": "Splunk UCC test Add-on",
         "schemaVersion": "0.0.3",
         "_uccVersion": "5.41.0"

diff --git a/tests/unit/commands/modular_alert_builder/test_alert_actions_conf_gen.py b/tests/unit/commands/modular_alert_builder/test_alert_actions_conf_gen.py
@@ -17,7 +17,7 @@ def test_generate_alert_action(tmp_path):
                     "label": "Test Alert",
                     "description": "Description for test Alert Action",
                     "short_name": "test_alert",
-                    "active_response": {
+                    "adaptive_response": {
                         "task": ["Create", "Update"],
                         "subject": ["endpoint"],
                         "category": [
@@ -33,6 +33,7 @@ def test_generate_alert_action(tmp_path):
                         ],
                         "sourcetype": "test:incident",
                         "supports_adhoc": True,
+                        "supports_cloud": True,
                         "drilldown_uri": 'search?q=search%20index%3D"_internal"&earliest=0&latest=',
                     },
                     "parameters": [

diff --git a/tests/unit/commands/modular_alert_builder/test_alert_actions_html_gen.py b/tests/unit/commands/modular_alert_builder/test_alert_actions_html_gen.py
@@ -15,7 +15,7 @@ def test_generate_alert_action(tmp_path):
                     "label": "Test Alert",
                     "description": "Description for test Alert Action",
                     "short_name": "test_alert",
-                    "active_response": {
+                    "adaptive_response": {
                         "task": ["Create", "Update"],
                         "subject": ["endpoint"],
                         "category": [

diff --git a/tests/unit/commands/modular_alert_builder/test_alert_actions_py_gen.py b/tests/unit/commands/modular_alert_builder/test_alert_actions_py_gen.py
@@ -16,7 +16,7 @@ def test_generate_alert_action(tmp_path):
                     "label": "Test Alert",
                     "description": "Description for test Alert Action",
                     "short_name": "test_alert",
-                    "active_response": {
+                    "adaptive_response": {
                         "task": ["Create", "Update"],
                         "subject": ["endpoint"],
                         "category": [

diff --git a/tests/unit/testdata/alert_actions.conf.generated b/tests/unit/testdata/alert_actions.conf.generated
@@ -1,7 +1,7 @@
 [test_alert]
 label = Test Alert
 description = Description for test Alert Action
-param._cam = {"task": ["Create", "Update"], "subject": ["endpoint"], "category": ["Information Conveyance", "Information Portrayal"], "technology": [{"version": ["1.0.0"], "product": "Test Incident Update", "vendor": "Splunk"}], "supports_adhoc": true, "drilldown_uri": "search?q=search%20index%3D\"_internal\"&earliest=0&latest="}
+param._cam = {"task": ["Create", "Update"], "subject": ["endpoint"], "category": ["Information Conveyance", "Information Portrayal"], "technology": [{"version": ["1.0.0"], "product": "Test Incident Update", "vendor": "Splunk"}], "supports_adhoc": true, "supports_cloud": true, "drilldown_uri": "search?q=search%20index%3D\"_internal\"&earliest=0&latest="}
 python.version = python3
 is_custom = 1
 payload_format = json

diff --git a/tests/unit/testdata/alert_actions.conf.spec.generated b/tests/unit/testdata/alert_actions.conf.spec.generated
@@ -1,5 +1,5 @@
 [test_alert]
-param._cam = <json> Active response parameters.
+param._cam = <json> Adaptive Response parameters.
 param.name = <string> Name. It's a required parameter. It's default value is xyz.
 param.all_incidents = <bool> All Incidents.
 param.table_list = <list> Table List.  It's default value is problem.

diff --git a/tests/unit/testdata/valid_config.json b/tests/unit/testdata/valid_config.json
@@ -1200,12 +1200,13 @@
             "name": "test_alert",
             "label": "Test Alert",
             "description": "Description for test Alert Action",
-            "activeResponse": {
+            "adaptiveResponse": {
                 "task": [
                     "Create",
                     "Update"
                 ],
                 "supportsAdhoc": true,
+                "supportsCloud": true,
                 "subject": [
                     "endpoint"
                 ],

diff --git a/tests/unit/testdata/valid_config.yaml b/tests/unit/testdata/valid_config.yaml
@@ -608,11 +608,12 @@ alerts:
 - name: test_alert
   label: Test Alert
   description: Description for test Alert Action
-  activeResponse:
+  adaptiveResponse:
     task:
     - Create
     - Update
     supportsAdhoc: true
+    supportsCloud: true
     subject:
     - endpoint
     category: