SHA256 checksum (radar-alert-action-add-on_12.tgz) 93a6193bb2605dbda9a0bdcff8d00aa7425e35524d19d22a04a2181edc9239fb
RADAR Alert Action Add-on

The RADAR Alert Action Add-on extends the Splunk platform for Operational Intelligence with a pre-packaged way to create incidents in RADAR, the leading breach guidance and notification platform that helps organizations stay compliant with state and federal privacy laws.

Introduction

The RADAR Alert Action Add-on allows Splunk to create incidents in RADAR.

Requirements

To use the RADAR Alert Action Add-on, you will need a RADAR API token with the Incidents Write scope. You can create a token as a top-level RADAR administrator, or ask your local administrator to provide one for you. Use a dedicated token for Splunk that carries only this scope, so that it can be revoked without affecting any other integration.

Installation and configuration

To install the RADAR Alert Action Add-on, follow the instructions in the Splunk Add-ons documentation. Once the add-on is installed, perform the following steps:

  1. Sign in to Splunk, click Settings in the top bar, then click Alert Actions.
  2. Click Setup RADAR Alert Action Add-on in the RADAR Alert Action row.
  3. Create a RADAR API token. If you already have a RADAR API token with Incidents Write scope, skip to the next step.
    1. In a separate tab or browser window, sign in to RADAR, go to the My Account page under the user menu in the upper right, then click the API Tokens tab.
    2. Click Add Token, enter a name, then select the Incidents Write check box under Scopes.
    3. Click Submit. Do not navigate away from this generated token page until you complete the next step; otherwise you will need to generate a new token.
  4. Copy the entire token text, and paste it into the RADAR API token field in the RADAR Alert Action configuration screen.
  5. Click Save. If the update is successful, you should see a Splunk success message.

Usage

Create a new alert with the RADAR alert action

  1. In the Search & Reporting app, run the search whose results should trigger the alert.
  2. Confirm that the search results look as you expect.
  3. Click the Save As dropdown link above the right side of the search box, then select Alert from the menu that appears.
  4. Enter a title for your alert, along with a description if desired, and configure the standard alert fields related to permissions, scheduling, and trigger conditions according to your needs.
  5. Under Trigger Actions, click + Add Actions, then select RADAR Alert Action.
  6. Enter the incident name and description that you want RADAR to use when the alert is triggered, then click Save. Your alert will be created, and Splunk will create an incident in RADAR any time it triggers.

Add a RADAR action to an existing alert

  1. In the Search & Reporting app, navigate to the Alerts tab and locate the existing alert.
  2. Click Edit, then select Edit Actions.
  3. Click + Add Actions, then select RADAR Alert Action.
  4. Enter the incident name and description that you want RADAR to use when the alert is triggered, then click Save. Splunk will now create an incident in RADAR any time the alert triggers.
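The same alert can be defined in configuration instead of through the UI, which is how you would ship it from version control or a deployment server. The savedsearches.conf stanza below is an added example, not part of the add-on's own documentation: it assumes the action key is radar (matching the [radar] stanza of the add-on's alert_actions.conf shown under Advanced usage) and that per-alert values use Splunk's standard action.<name>.param.<param> form; the stanza name, search, schedule and index are made up for illustration.

```ini
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf  (added example; app and search are assumed)
[RADAR - repeated failed admin logins]
search = index=auth action=failure user=admin | stats count | where count > 5
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Trigger when the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0

# Run the action once per trigger, not once per result row: each run opens at most one incident
alert.digest_mode = 1
# Throttle so a noisy condition cannot flood RADAR with duplicate incidents
alert.suppress = 1
alert.suppress.period = 1h

# Record each trigger on the Triggered Alerts page (the check used under Troubleshooting)
alert.track = 1

# Enable the RADAR action and set the incident it creates
action.radar = 1
action.radar.param.radar_incident_name = Repeated failed admin logins
action.radar.param.radar_incident_description = Splunk detected more than 5 failed admin logins in the last 15 minutes.
```

With alert.digest_mode = 0, Splunk runs every action once per result row, so a search returning 50 rows would open 50 RADAR incidents; keep digest mode on unless a per-row incident is what you want. After editing the file, reload the app or restart Splunk, then confirm the merged settings with $SPLUNK_HOME/bin/splunk btool savedsearches list "RADAR - repeated failed admin logins" --debug, which prints each setting together with the file it comes from.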

Advanced usage

Default incident name and description

If you want a different default name or description for an incident, you can change this system-wide setting by manually editing a configuration file and restarting Splunk.

The default values are defined in $SPLUNK_HOME/etc/apps/radar_alert_action/default/alert_actions.conf, but your changes go into the local configuration file that overrides these defaults: $SPLUNK_HOME/etc/apps/radar_alert_action/local/alert_actions.conf.

If this file does not already exist, create it with contents such as the following:

[radar]

param.radar_incident_name = New default name for created incidents
param.radar_incident_description = New default description for created incidents

Important: Overriding the default values affects any existing alert that did not set its own incident name or description and therefore used the previous defaults. To confirm which values are in effect after the restart, run $SPLUNK_HOME/bin/splunk btool alert_actions list radar --debug, which prints the merged [radar] stanza and the file each setting comes from.

SSL certificate verification

The RADAR Alert Action Add-on uses HTTPS to securely communicate with Splunk and RADAR. Typically, a Splunk instance should be configured with an SSL certificate chain signed by a trusted certificate authority. When configured in this manner, HTTPS requests should succeed without additional configuration or intervention.

If you need to run Splunk and the RADAR Alert Action Add-on on a host without a trusted certificate authority chain, you have two options. Both of these are less secure than the recommended default and should only be implemented if you understand the security implications. The options are described in the following sections, although we strongly recommend taking the time to configure your system securely.

See the Splunk documentation about SSL for more on this topic.

Disabling SSL certificate verification

If you experience SSL certificate verification errors, the most straightforward option is to disable certificate verification. Only use this option if absolutely necessary: with verification off, the add-on accepts any certificate, so anyone who can intercept traffic on the path to the endpoint can impersonate it and read or alter what the add-on sends.

To disable certificate verification entirely, set the environment variable RADAR_SPLUNK_SKIP_SSL_VERIFY to any value (such as 1) when starting or restarting Splunk. For example:

RADAR_SPLUNK_SKIP_SSL_VERIFY=1 $SPLUNK_HOME/bin/splunk start

or

RADAR_SPLUNK_SKIP_SSL_VERIFY=1 $SPLUNK_HOME/bin/splunk restart

Once this is done, internal HTTPS requests between the RADAR Alert Action Add-on and Splunk will proceed without certificate verification. This should resolve any SSL-related errors that arise when configuring or using the add-on. The variable has to be present in the environment of the splunkd process itself: if Splunk is started by an init script or service manager rather than from an interactive shell, set it in that service's environment, or the setting will not take effect.

Adding the default Splunk certificates to your system's keychain

Splunk provides a set of default certificates that can be used out of the box. The certificates are self-signed, meaning they are not signed by a trusted certificate authority, and the same default certificates ship with every Splunk download, so their private keys are not secret and Splunk recommends replacing them. Although not as secure as trusted certificates, using the default certificates is an option that can be made to work if for some reason you cannot set up a properly secured certificate and do not want to disable verification entirely.

The process of adding certificates will depend on your system and can be troublesome to get right. Here are some tips that may be useful:

  • The default Splunk certificates can be found at $SPLUNK_HOME/etc/auth/cacert.pem
  • Depending on your system, you may need to provide an environment variable to Splunk when starting or restarting to tell Splunk where the certificates can be found. For example, REQUESTS_CA_BUNDLE=$SPLUNK_HOME/etc/auth/cacert.pem splunk start
  • If you continue to experience errors in the browser, check $SPLUNK_HOME/var/log/splunk/splunkd.log for more information. Of course, you can always contact us with any questions and we will do our best to help.
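The two environment variables above (RADAR_SPLUNK_SKIP_SSL_VERIFY from the previous section and REQUESTS_CA_BUNDLE from the tips just given) decide what the add-on's HTTPS calls verify against. The following script is an added illustration of that decision, not the add-on's own code: it resolves the variables in the order the documentation implies (the skip flag wins), refuses a bundle that contains no PEM certificates rather than falling back to no verification, and exercises the outcomes against a constructed PEM bundle. The variable names come from the page; all function names and the sample bundle are the example's own.

```python
"""Pick the TLS verification setting for the add-on's HTTPS calls from the
two environment variables the documentation names, and sanity-check the CA
bundle before it is used.

Added illustration of the behaviour described on the page; this is not the
add-on's own code.  RADAR_SPLUNK_SKIP_SSL_VERIFY and REQUESTS_CA_BUNDLE are
the variables from the documentation; every function name here is the
example's own.
"""
import logging
import os
import re
import tempfile
from typing import Mapping, Optional, Union

log = logging.getLogger("radar_tls_example")

# One PEM certificate block; a bundle may contain several.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def count_pem_certs(path: str) -> int:
    """Number of PEM certificate blocks in the file, or 0 if it cannot be read.

    Zero blocks is the usual cause of a bad REQUESTS_CA_BUNDLE: a wrong path,
    a DER-encoded file, or a key file passed by mistake.
    """
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            return len(_PEM_CERT.findall(fh.read()))
    except OSError:
        return 0


def resolve_verify(env: Optional[Mapping[str, str]] = None) -> Union[bool, str]:
    """Return the value to pass as requests' ``verify=`` argument.

    False   verification disabled: RADAR_SPLUNK_SKIP_SSL_VERIFY is set
    <path>  verify against that bundle: REQUESTS_CA_BUNDLE points at a PEM file
    True    verify against the platform trust store (the secure default)

    The skip flag wins outright.  The documentation says "any value (such
    as 1)"; an empty string is treated as unset here so that an accidental
    ``export RADAR_SPLUNK_SKIP_SSL_VERIFY=`` does not silently disable
    verification.
    """
    env = os.environ if env is None else env
    if env.get("RADAR_SPLUNK_SKIP_SSL_VERIFY"):
        log.warning("TLS certificate verification DISABLED for add-on HTTPS "
                    "requests; any certificate will be accepted")
        return False
    bundle = env.get("REQUESTS_CA_BUNDLE")
    if bundle:
        n = count_pem_certs(bundle)
        if n == 0:
            # Fail closed: a missing or non-PEM bundle must not degrade to "no verify".
            raise ValueError(f"REQUESTS_CA_BUNDLE={bundle!r} contains no PEM certificates")
        log.info("verifying TLS against %s (%d certificate(s))", bundle, n)
        return bundle
    return True


# Constructed stand-in for $SPLUNK_HOME/etc/auth/cacert.pem: two PEM-shaped
# blocks with dummy bodies, enough to exercise the bundle check offline.
CONSTRUCTED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBdummyRootCA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBdummyIntermediate\n-----END CERTIFICATE-----\n"
)


def demo() -> dict:
    """Run every outcome against the constructed bundle and return the results."""
    workdir = tempfile.mkdtemp()
    bundle = os.path.join(workdir, "cacert.pem")
    with open(bundle, "w", encoding="ascii") as fh:
        fh.write(CONSTRUCTED_BUNDLE)
    missing = os.path.join(workdir, "does-not-exist.pem")
    try:
        resolve_verify({"REQUESTS_CA_BUNDLE": missing})
        missing_raised = False
    except ValueError:
        missing_raised = True
    return {
        "default": resolve_verify({}),                                        # True
        "skip": resolve_verify({"RADAR_SPLUNK_SKIP_SSL_VERIFY": "1"}),        # False
        "empty_skip": resolve_verify({"RADAR_SPLUNK_SKIP_SSL_VERIFY": ""}),   # True
        "bundle": resolve_verify({"REQUESTS_CA_BUNDLE": bundle}) == bundle,   # True
        "bundle_certs": count_pem_certs(bundle),                              # 2
        "skip_beats_bundle": resolve_verify(
            {"RADAR_SPLUNK_SKIP_SSL_VERIFY": "yes", "REQUESTS_CA_BUNDLE": bundle}),  # False
        "missing_bundle_raises": missing_raised,                              # True
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The requests library already reads REQUESTS_CA_BUNDLE on its own when verify is left at True, which is why the tip above works without code changes; resolving it explicitly, as here, only adds the chance to reject an unreadable bundle up front instead of discovering it as a TLS error in splunkd.log.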

Troubleshooting

Server error when attempting to configure RADAR Alert Action

If you see an error page that displays a 500 Internal Server Error when attempting to access the configuration page for the RADAR Alert Action Add-on, one possible cause is SSL certificate verification failure. Check $SPLUNK_HOME/var/log/splunk/splunkd.log for diagnostic output to help determine whether this is the case. If so, see the sections under SSL certificate verification above for instructions.

If you continue to see 500 errors or other kinds of failure messages in splunkd.log, or are unable to resolve the problem with the instructions in this document, please contact RADAR.

Server error when saving the add-on configuration

When you click Save on the add-on configuration page, the system connects to RADAR to verify the provided API token. If you receive an error, please double-check that your token was set up with the Incidents Write check box selected and that it has been copied and pasted correctly.

Incidents not appearing in RADAR

If expected incidents do not appear in RADAR, check the following to narrow down the problem.

Every attempt to create an incident is logged in $SPLUNK_HOME/var/log/splunk/splunkd.log. Check this file to confirm that incident creation is being attempted, and look for any errors logged when an attempt fails. The same file is indexed into Splunk's _internal index, so you can also search it from the Search & Reporting app, for example with index=_internal source=*splunkd.log radar; Splunk logs the invocation of custom alert actions under the sendmodalert component.

It can also be helpful to monitor triggered alerts to confirm whether triggers are happening when expected. You can set this up in Splunk by adding the Add to Triggered Alerts action to the alert, alongside the RADAR action.

When an alert has the Add to Triggered Alerts action, you can see records of its recent triggers on the Triggered Alerts page or on the alert's details page. If a trigger shows up there but no incident was created in RADAR, the search fired and the problem lies in the RADAR action itself; if nothing shows up, the search or its trigger condition is the place to look.

If you continue to experience issues, please contact RADAR and we will be happy to help.

Support

Please feel free to contact RADAR for assistance with any questions about using the RADAR Alert Action Add-on.

Email: support@radarfirst.com

Phone: 855-733-9888

License

The RADAR Alert Action Add-on is a licensed product of RADAR, Inc.

Release Notes

Version 1.2
Jan. 20, 2017
