Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Phantom: How to run Splunk search and add data to artifact rather than widget

jamolson
Path Finder
‎07-03-2019 09:03 AM

I am able to send data to Phantom and create containers with valid Artifacts but I want to enrich the artifact itself with secondary Splunk searches running from phantom itself using a playbook.

I am also able to create the playbook that runs a search based on artifact fields as variables, but it adds the output to the Splunk Widget.

What I would rather have the original artifact be updated with new fields based on the data that comes back from the "Run Search" action.
Has anyone tried this?

I would even meet half way and say its fine that it makes a whole new artifact with the new data but I would prefer just an update.

0 Karma
Reply

megshyle
New Member
‎01-31-2020 01:48 AM

Still stuck at running a search based on artifact fields as variables. Can you give any hint for that? Thank you.

0 Karma
Reply

jamolson
Path Finder
‎01-31-2020 05:40 AM

Hard to say since I'm not sure exactly where you are stuck. Normally I would use a 'format' block to create the search and use the GUI to pick which artifacts I want and put them in the search logic, then I would call the Splunk App Run Query option and just use the formatted_data.
If you are still having issues I would start a new forum question with more details.

0 Karma
Reply

cblumer_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 01:14 PM

This Custom Function example can be used to have a new Artifact created in the current container with the event data returned from a Splunk query executed in a previous playbook block:

def add_notable_event_Artifact(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('add_notable_event_Artifact() called')
    results_data_1 = phantom.collect2(container=container, datapath=['run_Notable_query:action_result.data'], action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]

    add_notable_event_Artifact__notable_artifact = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...
    notable_artifact_json = results_item_1_0[0][0]
    # phantom.debug(notable_artifact_json)

    # Find and replace any JSON Keys which have a "." or "::" in them to have an underscore
    for k, v in notable_artifact_json.iteritems():
        if "." in k or "::" in k or "(" in k or ")" in k:
            new_key = k.replace('.', '_').replace('::', '_').replace('(', '_').replace(')', '_')
            notable_artifact_json[new_key] = notable_artifact_json.pop(k)

    # Add "Notable Event Artifact" to Phantom Event
    success, message, artifact_id = phantom.add_artifact(container=container['id'], 
                                                         raw_data={}, 
                                                         cef_data=notable_artifact_json, 
                                                         label="notable", 
                                                         name="Notable Event Artifact", 
                                                         severity="medium", 
                                                         identifier=None, 
                                                         artifact_type="notable", 
                                                         field_mapping=None, 
                                                         trace=False, 
                                                         run_automation=False)

    # phantom.debug(success)
    # phantom.debug(message)
    # phantom.debug(artifact_id)

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='add_notable_event_Artifact:notable_artifact', value=json.dumps(add_notable_event_Artifact__notable_artifact))

    return
Reply

jamolson
Path Finder
‎08-29-2019 12:45 PM

Thank you,
I will give this a go.

0 Karma
Reply

sam_splunk
Splunk Employee
Splunk Employee
‎08-26-2019 08:09 PM

Hi Jamolson - We just released a new version of the Phantom app that includes an 'update artifact' command. Version: 2.1.21. Have a look if this'll meet your needs, please.

alt text

0 Karma
Reply

jamolson
Path Finder
‎08-27-2019 08:59 AM

Awesome, I will check this out. Sounds exactly what I was looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...