guilhemmarchand / TA-ms-teams-alert-action

This application provides alert actions for publishing messages to Microsoft Teams, allowing advanced message publication from Splunk.

Alert action no longer working for non admin users after upgrading Splunk to 8.2.2107 #45

Open ehvidal opened 2 years ago

ehvidal commented 2 years ago

Hi Guys,

After Splunk Support upgraded our instance of Splunk Cloud to 8.2.2107, the alert action no longer works for non admin users.

I opened a case with Splunk Support and they didn't find any problem in our stack, so they suggested that I reach out to you guys.

For us it's key to have non admin users (with the msteams_alert_action role, according to https://ta-ms-teams-alert-action.readthedocs.io/en/latest/configuration.html#using-the-alert-action-for-non-admin-users) creating alerts.

Thank you very much for your help with this!

Esteban

guilhemmarchand commented 2 years ago

Hi @ehvidal !

Hmm right, so first, to be able to use the alert as a non-privileged user, you need to have the following capabilities:

So, either:

I would need to check if there's anything preventing this, however one option you still have is to reassign these alerts in your management process to a specific service account, so that they inherit the relevant capabilities.

Guilhem

ehvidal commented 2 years ago

Hi @guilhemmarchand,

Thank you for your fast reply!

It seems like I found the root cause and the solution of this problem.

I found what seems to be a new capability that Splunk added to the list of available capabilities for roles: "run_sendalert". I enabled that capability for the role that my non admin user is inheriting and the alerts started to go to Teams again.

Interestingly, this capability is not documented yet in https://docs.splunk.com/Documentation/SplunkCloud/8.2.2109/Security/Rolesandcapabilities

I've confirmed that in version 8.2.3 the capability didn't exist, but I didn't find any note about this change in https://docs.splunk.com/Documentation/SplunkCloud/8.2.2109/ReleaseNotes/NewSplunkCloudFeatures.

Hope this helps!

Esteban
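A check for the capability Esteban describes, as an added example that is not from the original thread or the app's own code: it parses the JSON returned by Splunk's REST endpoint /services/authorization/roles/<role>?output_mode=json (response shape assumed from the standard entry/content layout, sample constructed inline) and reports which required capabilities a role lacks, counting capabilities inherited from imported roles.

```python
import json

# Capability the thread identifies as newly required on Splunk Cloud 8.2.2107+.
# The other capabilities the role needs are not listed on this page, so the
# caller can pass the full required set (assumption: taken from the app docs).
REQUIRED_DEFAULT = frozenset({"run_sendalert"})


def effective_capabilities(role_entry: dict) -> set:
    """Union of a role's own capabilities and those inherited via imported roles.

    role_entry is one element of the "entry" list returned by
    /services/authorization/roles/<role>?output_mode=json (assumed shape).
    """
    content = role_entry.get("content", {})
    own = set(content.get("capabilities", []))
    inherited = set(content.get("imported_capabilities", []))
    return own | inherited


def missing_capabilities(role_json: str, required=REQUIRED_DEFAULT) -> dict:
    """Map each role name in the response to the required capabilities it lacks."""
    doc = json.loads(role_json)
    result = {}
    for entry in doc.get("entry", []):
        have = effective_capabilities(entry)
        result[entry["name"]] = sorted(set(required) - have)
    return result


# Constructed sample response (not captured from a real instance): one role is
# still missing run_sendalert, another inherits it from an imported role.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "msteams_alert_action",
         "content": {"capabilities": ["search"],
                     "imported_capabilities": [],
                     "imported_roles": ["user"]}},
        {"name": "soc_analyst",
         "content": {"capabilities": [],
                     "imported_capabilities": ["run_sendalert", "search"],
                     "imported_roles": ["msteams_alert_action"]}},
    ]
})

if __name__ == "__main__":
    for role, missing in missing_capabilities(SAMPLE_RESPONSE).items():
        state = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{role}: {state}")
```

Run it against the real endpoint by replacing SAMPLE_RESPONSE with the body of an authenticated GET to that URL on the search head.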

guilhemmarchand commented 2 years ago

@ehvidal

Thank you very much for sharing this information, glad you found your way. I will spin up a Cloud instance later on and double-check, then I'll update the docs instructions for Cloud customers.

Keeping the issue open for reference for now.

Thanks

FrancoisTernois commented 2 years ago

Hi @guilhemmarchand, I also have this bug. The msteams_alert_action role and the capability run_sendalert are both added but it still doesn't work. The error I received is: signature="Unable to set log level". Any idea? Thank you.

guilhemmarchand commented 2 years ago

@FrancoisTernois

Do you see more than signature="Unable to set log level" in the logs? Perhaps check splunkd.log too.

There should be obvious traces.

Will give it a verification.

Guilhem

FrancoisTernois commented 2 years ago

Thank you for your reply. It seems to be a passwords.conf issue again. I solved this by: