SOAR- Splunk Notable push through splunk App soar...

harishlnu

Hi Team,

Could you please help me on below issue.
I am using splunk App soar export for to push notable to Splunk phantom, but it was creating 2 same artifacts in one container, can you guide how can i avoid create multiple artifact in one container

Thanks in advance

marnall

Yeah the app is not great at deduplicating the notables it sends to SOAR. Ideally you would want this app to run a search, find result with some key field X, then create only one container with one artifact containing that result. Subsequent searches in the app will create a new artifact in the same container, but this is unwanted.

One way around this is to set up your generating search so that it appends the results to a whitelist which is used in later executions of the search to remove the results already seen.

E.g. imagine you have a unique field of "id" in your results. You want only one container+artifact per value of "id".

1. Make a lookup containing one "id" column. E.g. search_whitelist.csv

2. Change your search to append and exclude ids:

| <your search>
| search NOT [| inputlookup search_whitelist.csv | table id]
| outputlookup search_whitelist.csv append=true

3. (optional but recommended) - make another search which removes old entries from the search_whitelist.csv if it gets too big. E.g.

| inputlookup search_whitelist.csv
| sort - id
| head 10000
| outputlookup search_whitelist.csv

SOAR- Splunk Notable push through splunk App soar export

development

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?