Splunk Enterprise Security

Entering a Note into a Splunk Finding

fraserphillips
Engager

Sorry if this is a simple question, or one that may have been solved before.  I haven't located anything to help yet.

I am performing an automated task outside of Splunk that I'd like to put back into a Finding under its Note section, and haven't been having the most success.

I use a Webhook as an Adaptive Response to get the details I need about the finding, I do my automation to that data, and now want the results fed back into the Finding.

When I'm viewing the finding within Splunk, there is a reference id, but I can't find any way to get this out of Splunk within the Webhook.

I have been able to successfully write to Splunk via curl, using the reference ID of the finding, and placing my note that way. But as part of my automation task, I can't get the reference id this way.

Perhaps I'm missing something?  I would think this is a common thing people have solved?

This is all within Splunk ES 8.x

Thanks!


livehybrid
SplunkTrust

Hi @fraserphillips 

What unique ID do you have as an output from the webhook into your system? Which endpoint did you use for updating with the referenceID? I'm wondering if you can use the API to run an SPL search that returns the referenceID, then call your endpoint to add the notes.

Have you seen services/notable_update ? Does this do what you need?


fraserphillips
Engager

Thanks livehybrid,

I was having difficulties finding a unique identifier in the webhook from the finding to my webhook receiver endpoint.

As for your next suggestion, that's a good one. I started to look into that, then I came across the Better Webhook add-on and am now starting to see if this may be a solution, as I can edit the body of the JSON sent out. I just got sidetracked so haven't had a chance to continue yet. I'll update this thread with whatever solution I end up with, but I think your idea will work fairly well.

And to answer your question, the endpoint: it's just a fairly simple routine on another machine that will perform an automated PowerShell task and send the result back as a note to the finding.

FuzzySteve
Loves-to-Learn

I have been running into similar issues for a long time. I have been trying to send out findings (formerly notables) to trigger automations and return the results back.

I have been able to get the data from investigations except for the notes. I'm looking forward to hearing what solution you come up with.


fraserphillips
Engager

Okay, this solution may not be ideal, but I've spent a bunch of time trying to get this to work and so far it's okay. I just haven't done too many tests yet to see if this will be 100% reliable; I feel like multiple findings in a very short time frame will break this solution and I'll need to figure out something else.

I am no longer relying on the webhook Adaptive Response as I wasn't able to get the information I needed about the finding to be included, even with custom add-ons that provide better options with deciding what goes into the JSON body.

I moved along to triggering Python code which interacts with Splunk first, then sends my information out to my automation platform

The Python code does an external query to Splunk for key details I wanted about the most recent notable event that contains the title for the certain types of findings I wanted this task to run with.

This external query passes this information along to my automation platform, along with the variables I needed, most importantly the finding's unique identifier, source_event_id.

Upon completion of the automation task, the results of this task are sent back to Splunk via an HTTP POST request, which places text into the notes section via the finding's source_event_id.

Now, all along the way there were steps to be taken in terms of generating authentication tokens within Splunk, and authenticating both ways with Splunk and my automation platform. Also dealing with the creation of self-signed certificates to be installed on both ends, and also installing proper SSH keys on a third-party machine used for PowerShell queries.

It was quite a bit of work, I'm not even sure I fully could document it all without going through each section. But happy to provide specific details if any of this seems relevant to you and you need more information.

Good Luck!

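The three-step flow in the post above (query Splunk for the finding and its ID, hand it to the external automation, POST the result back as a note) and the services/notable_update endpoint livehybrid pointed at earlier in the thread, as an added example in Python. This is not code from any thread participant or from Splunk. Assumed, and worth verifying on your ES 8.x instance before relying on it: that the `notable` macro and `rule_title` field are searchable as shown, that the finding's ID is in the field the poster named (`source_event_id`), and that this value is what notable_update accepts in `ruleUIDs`. The host name, token, rule title and the canned JSON responses in `demo()` are constructed for the offline run.

```python
"""Round-trip a finding ID from Splunk ES to an external automation and back.

Added example, not the poster's or Splunk's code. Assumptions (verify in
your ES 8.x deployment): the `notable` macro and rule_title field exist,
the finding ID lives in the field the poster used (source_event_id), and
that value is what services/notable_update accepts in ruleUIDs.
"""
import io
import json
import ssl
import urllib.parse
import urllib.request


def spl_quote(value):
    """Quote a value for use as an SPL string literal.

    Titles may originate outside Splunk; escaping backslashes and quotes
    keeps them from breaking out of the literal and altering the search.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


class SplunkClient:
    """Minimal REST client: bearer token auth, TLS pinned to your CA bundle."""

    def __init__(self, base_url, token, ca_bundle=None, opener=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        if opener is None:
            # Self-signed deployments: supply the CA file; do not disable
            # verification, or the token can be captured in transit.
            ctx = ssl.create_default_context(cafile=ca_bundle)
            opener = lambda req: urllib.request.urlopen(req, context=ctx, timeout=30)
        self._open = opener  # injectable for offline testing

    def _post(self, path, form):
        req = urllib.request.Request(
            self.base_url + path,
            data=urllib.parse.urlencode(form).encode(),
            method="POST",
        )
        req.add_header("Authorization", "Bearer " + self.token)
        with self._open(req) as resp:
            return json.loads(resp.read().decode())

    def latest_finding(self, title):
        """Return the newest notable with this rule_title, or None."""
        spl = ("search `notable` rule_title=" + spl_quote(title)
               + " | sort -_time | head 1"
               + " | fields _time rule_title source_event_id")
        body = self._post("/services/search/jobs", {
            "search": spl, "exec_mode": "oneshot",
            "output_mode": "json", "earliest_time": "-15m",
        })
        results = body.get("results", [])
        return results[0] if results else None

    def add_note(self, finding_id, text):
        """Append a comment to the finding via services/notable_update."""
        body = self._post("/services/notable_update",
                          {"ruleUIDs": finding_id, "comment": text})
        if not body.get("success"):
            raise RuntimeError("notable_update failed: %s" % body.get("message"))
        return body


def run_round_trip(client, title, automate):
    """Look up the finding, run the external step, write its result back."""
    finding = client.latest_finding(title)
    if finding is None:
        return None
    finding_id = finding["source_event_id"]  # assumed ID field, see module docstring
    result = automate(finding)  # your platform call; receives the finding fields
    client.add_note(finding_id, "Automation result: " + result)
    return finding_id


def demo():
    """Offline run against constructed responses (not real Splunk output)."""
    base = "https://splunk.example:8089"  # hypothetical host
    canned = {
        "/services/search/jobs": {"results": [{
            "_time": "2024-05-01T10:00:00", "rule_title": "Suspicious PowerShell",
            "source_event_id": "ABCD-1234"}]},
        "/services/notable_update": {"success": True,
                                     "message": "1 event updated successfully"},
    }
    calls = []

    def fake_open(req):
        path = req.full_url[len(base):]
        calls.append((path, urllib.parse.parse_qs(req.data.decode())))
        return io.BytesIO(json.dumps(canned[path]).encode())

    client = SplunkClient(base, "TOKEN", opener=fake_open)
    fid = run_round_trip(client, "Suspicious PowerShell", lambda f: "host isolated")
    return {"finding_id": fid, "calls": calls}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things a practitioner should keep in mind. The "most recent notable with this title" lookup is exactly the race the poster flags: two findings firing close together can be cross-wired, so the ID should travel with the outbound request rather than be re-derived, and the inbound writer should accept only an ID it issued. And because the rule title ends up inside an SPL string, quote it as `spl_quote` does; a raw string interpolated into the search lets whoever controls the title change the search, and the token used here should belong to a role with no more capability than that search plus notable_update requires.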

fraserphillips
Engager

I would love to say I have a definite solution. I feel like I may be closer for my scenario, but still hitting a roadblock. What I found was the built-in webhook adaptive response only has a single JSON body template that it sends. There is no editing the fields that it sends out, and the fields it provides are not sufficient for you to refer back to particular findings if you wish to externally interact with a particular finding.

I found that the Better Webhook add-on is needed if you wish to modify the contents being sent out via webhook. I haven't looked, but perhaps you can export notes via this add-on?

My issue now is that I can't seem to export the finding_id or source_event_id, or any field name that specifically references the finding, so I can send my results back.

Are you successfully able to write back to your finding with your automation tool?  And how are you getting the finding id and writing back? Perhaps I'm missing something initially?
