topic can't add artifact field with message parameter in Splunk SOAR

can't add artifact field with message parameter

meshorer — Thu, 14 Mar 2024 08:56:08 GMT

hello all!

I am trying to add field to an artifact with "update artifact" action (phantom app).

i am trying to add a 'message parameter' in the 'value' at the cef_json field:

for example:

{"new_field": {0}}

but unfortunately I get "key_error" and the action failed.

how can I solve it?

Re: can't add artifact field with message parameter

phanTom — Thu, 14 Mar 2024 09:05:46 GMT

@meshorer when using the format input or format block for JSON you need to use double { & } and encase the value in " such as the below (which I just tested):

{{"new_field": "{0}"}}

Note that you don't need to double the {&} on the {0} as it's a replacement element but the actual JSON elements will need escaping in this way, even if you had nested JSON like the below:

{{"new_field": {{"sub_field": "{0}"}}}}

-- Hope this helps! If so please mark as a solution for future SOARers. Happy SOARing! --

Re: can't add artifact field with message parameter

meshorer — Thu, 14 Mar 2024 09:19:07 GMT

@phanTom thak you so much!

could you also tell me how to add two fields in the same action?

Re: can't add artifact field with message parameter

phanTom — Thu, 14 Mar 2024 09:22:49 GMT

@meshorer just add more keys & values to the JSON string 😁

{{"new_field1": "{0}", "new_field2": "{1}"}}

Re: can't add artifact field with message parameter

meshorer — Thu, 14 Mar 2024 09:25:53 GMT

@phanTom yeah I got confused with the escaped "{} ".

you are the best!