ATP Splunk App Adaptive Response failing

Article ID: 170370

Products

Symantec Products

Issue/Introduction

After setting up the ATP Splunk app, incidents are received from ATP, but whenever an action (delete, check status) is issued, the Splunk logs return the status FAILED.

When checking ATP - ACTION MANAGER, none of the issued commands are listed.

[[email protected] splunk]$ sudo cat symantec_atp_delete_file_action_modalert.log
2017-10-24 08:01:00,055 INFO sendmodaction - signature="'NoneType' object has no attribute 'split'" action_name="symantec_atp_delete_file_action" sid="1508832055.19138" orig_sid="scheduler__admin_REEtRVNTLUVuZHBvaW50UHJvdGVjdGlvbg__RMD5b724f516e153e84b_at_1507838400_41814" rid="0" orig_rid="0" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="failure"
2017-10-24 08:01:00,055 CRITICAL sendmodaction - signature="'NoneType' object has no attribute 'split'" action_name="symantec_atp_delete_file_action" sid="1508832055.19138" orig_sid="scheduler__admin_REEtRVNTLUVuZHBvaW50UHJvdGVjdGlvbg__RMD5b724f516e153e84b_at_1507838400_41814" rid="0" orig_rid="0" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="failure"
2017-10-24 08:59:14,105 INFO sendmodaction - signature="'NoneType' object has no attribute 'split'" action_name="symantec_atp_delete_file_action" sid="1508835550.20" orig_sid="scheduler__admin_REEtRVNTLUVuZHBvaW50UHJvdGVjdGlvbg__RMD5b724f516e153e84b_at_1507838400_41814" rid="0" orig_rid="0" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="failure"

Cause

The password (in the format client_id:client_secret) also needed to be configured on the Splunk search head.

Environment

SEPM 14 MP2
ATP 2.3
Splunk (clustered, with a separate search head and Splunk forwarder)

Resolution

In an all-in-one Splunk configuration it is enough to configure:

- Incident data collection and Adaptive Response on the search head.

In a clustered environment:

- Incident data collection only needs to be CHECKED on the Splunk FORWARDER (unchecked on the search head),
- but the PASSWORD needs to be configured on both the Splunk FORWARDER and the SEARCH HEAD for Adaptive Response to work.

If unsure, please go through the illustrated steps in the attached guide, PAGE 10 - "Setting up Symantec ATP Incident retrieval via OAuth".
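The log signature `'NoneType' object has no attribute 'split'` is what a Python action script produces when it tries to split a password that was never set. The following added example (not code from the Symantec ATP Splunk app) shows a credential check that reports the missing or malformed `client_id:client_secret` value as a configuration error instead of a traceback, plus a small parser for the `sendmodaction` log lines so failed actions can be picked out during triage; it assumes, based only on the error text, that the app splits the configured password on `:`, and the log lines below are constructed samples in the same shape as the ones above.

```python
import re

# Constructed sample lines in the shape of symantec_atp_delete_file_action_modalert.log
SAMPLE_LOG = """\
2017-10-24 08:01:00,055 CRITICAL sendmodaction - signature="'NoneType' object has no attribute 'split'" action_name="symantec_atp_delete_file_action" sid="1508832055.19138" rid="0" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="failure"
2017-10-24 08:05:12,000 INFO sendmodaction - signature="ok" action_name="symantec_atp_delete_file_action" sid="1508832400.20" rid="0" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="success"
"""

# key="value" pairs; the value may contain single quotes and backslash escapes
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_modalert_line(line):
    """Return the key="value" fields of one sendmodaction log line as a dict."""
    return dict(KV_RE.findall(line))


def failed_actions(log_text):
    """Return (action_name, signature) for every line with action_status="failure"."""
    failures = []
    for line in log_text.splitlines():
        fields = parse_modalert_line(line)
        if fields.get("action_status") == "failure":
            failures.append((fields.get("action_name"), fields.get("signature")))
    return failures


def parse_atp_credential(password):
    """Split the configured ATP password into (client_id, client_secret).

    A missing password (None, as when it was configured on the forwarder but
    not on the search head) is reported as a ValueError with a clear message
    rather than surfacing as the AttributeError seen in the log above.
    """
    if password is None or not password.strip():
        raise ValueError("ATP credential is not configured on this Splunk instance")
    client_id, sep, client_secret = password.partition(":")
    if not sep or not client_id or not client_secret:
        raise ValueError("ATP credential must be in the form client_id:client_secret")
    return client_id, client_secret


def credential_check_ok(password):
    """True if the credential parses, False otherwise (never raises)."""
    try:
        parse_atp_credential(password)
        return True
    except ValueError:
        return False
```

Running `credential_check_ok` on each Splunk instance that runs the action (forwarder and search head) before enabling Adaptive Response catches the missing-password case described in this article.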

Attachments

Splunk ATP App Administrator Guide v1.0.5 (1).pdf