Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Phantom: How to run Splunk search and add data to artifact rather than widget

jamolson
Path Finder
‎07-03-2019 09:03 AM

I am able to send data to Phantom and create containers with valid Artifacts but I want to enrich the artifact itself with secondary Splunk searches running from phantom itself using a playbook.

I am also able to create the playbook that runs a search based on artifact fields as variables, but it adds the output to the Splunk Widget.

What I would rather have the original artifact be updated with new fields based on the data that comes back from the "Run Search" action.
Has anyone tried this?

I would even meet half way and say its fine that it makes a whole new artifact with the new data but I would prefer just an update.

0 Karma
Reply

megshyle
New Member
‎01-31-2020 01:48 AM

Still stuck at running a search based on artifact fields as variables. Can you give any hint for that? Thank you.

0 Karma
Reply

jamolson
Path Finder
‎01-31-2020 05:40 AM

Hard to say since I'm not sure exactly where you are stuck. Normally I would use a 'format' block to create the search and use the GUI to pick which artifacts I want and put them in the search logic, then I would call the Splunk App Run Query option and just use the formatted_data.
If you are still having issues I would start a new forum question with more details.

0 Karma
Reply

cblumer_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 01:14 PM

This Custom Function example can be used to have a new Artifact created in the current container with the event data returned from a Splunk query executed in a previous playbook block:

def add_notable_event_Artifact(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('add_notable_event_Artifact() called')
    results_data_1 = phantom.collect2(container=container, datapath=['run_Notable_query:action_result.data'], action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]

    add_notable_event_Artifact__notable_artifact = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...
    notable_artifact_json = results_item_1_0[0][0]
    # phantom.debug(notable_artifact_json)

    # Find and replace any JSON Keys which have a "." or "::" in them to have an underscore
    for k, v in notable_artifact_json.iteritems():
        if "." in k or "::" in k or "(" in k or ")" in k:
            new_key = k.replace('.', '_').replace('::', '_').replace('(', '_').replace(')', '_')
            notable_artifact_json[new_key] = notable_artifact_json.pop(k)

    # Add "Notable Event Artifact" to Phantom Event
    success, message, artifact_id = phantom.add_artifact(container=container['id'], 
                                                         raw_data={}, 
                                                         cef_data=notable_artifact_json, 
                                                         label="notable", 
                                                         name="Notable Event Artifact", 
                                                         severity="medium", 
                                                         identifier=None, 
                                                         artifact_type="notable", 
                                                         field_mapping=None, 
                                                         trace=False, 
                                                         run_automation=False)

    # phantom.debug(success)
    # phantom.debug(message)
    # phantom.debug(artifact_id)

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='add_notable_event_Artifact:notable_artifact', value=json.dumps(add_notable_event_Artifact__notable_artifact))

    return
Reply

jamolson
Path Finder
‎08-29-2019 12:45 PM

Thank you,
I will give this a go.

0 Karma
Reply

sam_splunk
Splunk Employee
Splunk Employee
‎08-26-2019 08:09 PM

Hi Jamolson - We just released a new version of the Phantom app that includes an 'update artifact' command. Version: 2.1.21. Have a look if this'll meet your needs, please.

alt text

0 Karma
Reply

jamolson
Path Finder
‎08-27-2019 08:59 AM

Awesome, I will check this out. Sounds exactly what I was looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top