Splunk Enterprise Security

Phantom: How to run Splunk search and add data to artifact rather than widget

jamolson
Path Finder

I am able to send data to Phantom and create containers with valid artifacts, but I want to enrich the artifact itself with secondary Splunk searches run from Phantom itself using a playbook.

I am also able to create the playbook that runs a search based on artifact fields as variables, but it adds the output to the Splunk widget.

What I would rather have is the original artifact updated with new fields based on the data that comes back from the "Run Search" action.
Has anyone tried this?

I would even meet halfway and say it's fine if it makes a whole new artifact with the new data, but I would prefer just an update.


megshyle
New Member

Still stuck at running a search based on artifact fields as variables. Can you give any hint for that? Thank you.


jamolson
Path Finder

Hard to say since I'm not sure exactly where you are stuck. Normally I would use a 'format' block to create the search and use the GUI to pick which artifacts I want and put them in the search logic, then I would call the Splunk App Run Query option and just use the formatted_data.
If you are still having issues I would start a new forum question with more details.


cblumer_splunk
Splunk Employee

This Custom Function example can be used to have a new Artifact created in the current container with the event data returned from a Splunk query executed in a previous playbook block:

import json
import phantom.rules as phantom   # both are imported at the top of every generated playbook

def add_notable_event_Artifact(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('add_notable_event_Artifact() called')
    # action_result.data of the 'run_Notable_query' block: one list of event dicts per action result
    results_data_1 = phantom.collect2(container=container, datapath=['run_Notable_query:action_result.data'], action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]

    add_notable_event_Artifact__notable_artifact = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Guard against a search that returned nothing; indexing [0][0] would raise otherwise
    if results_item_1_0 and results_item_1_0[0]:
        # First event returned by the first action result
        notable_artifact_json = results_item_1_0[0][0]
        # phantom.debug(notable_artifact_json)

        # Rename JSON keys containing ".", "::", "(" or ")" to use underscores so they are usable as CEF fields.
        # Iterate over a copy of the items: popping and inserting keys while iterating the dict itself is
        # undefined behaviour, and iteritems() only exists in Python 2.
        for k, v in list(notable_artifact_json.items()):
            if "." in k or "::" in k or "(" in k or ")" in k:
                new_key = k.replace('.', '_').replace('::', '_').replace('(', '_').replace(')', '_')
                notable_artifact_json[new_key] = notable_artifact_json.pop(k)

        # Add "Notable Event Artifact" to the Phantom event.
        # run_automation=False keeps the new artifact from re-triggering this playbook on the same container.
        success, message, artifact_id = phantom.add_artifact(container=container['id'],
                                                             raw_data={},
                                                             cef_data=notable_artifact_json,
                                                             label="notable",
                                                             name="Notable Event Artifact",
                                                             severity="medium",
                                                             identifier=None,
                                                             artifact_type="notable",
                                                             field_mapping=None,
                                                             trace=False,
                                                             run_automation=False)

        # phantom.debug(success)
        # phantom.debug(message)
        # phantom.debug(artifact_id)

        # Expose the new artifact id to later blocks via run data
        add_notable_event_Artifact__notable_artifact = artifact_id
    else:
        phantom.debug('run_Notable_query returned no events; no artifact created')

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='add_notable_event_Artifact:notable_artifact', value=json.dumps(add_notable_event_Artifact__notable_artifact))

    return
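
The two steps this thread walks through, building the search that a format block hands to the Splunk app's 'run query' action from artifact fields, and mapping the returned events into CEF data for phantom.add_artifact, as an added example that is not part of the original posts or of the Phantom product. It is pure Python so it runs without a Phantom instance: nothing calls phantom.add_artifact; build_artifact() returns the keyword arguments you would pass to it, and the sample events at the bottom are constructed, not real Splunk output. Two things the posted function leaves implicit are handled here: artifact values are quoted before they are substituted into SPL, since they come from ingested data and a stray quote or pipe would otherwise change the search, and key renames that collide (dest.ip and dest::ip both become dest_ip) are reported instead of silently overwriting each other. Taking the identifier from the event_id field is an assumption about the query's output.

```python
"""Added example for this thread (not code from the posts or from Phantom):
1. build the SPL that a format block hands to the Splunk app's 'run query'
   action, quoting artifact values so they cannot change the search syntax;
2. turn the event dicts the query returns into CEF data for
   phantom.add_artifact, renaming keys CEF filtering cannot use.
Pure Python: phantom.add_artifact is not called; build_artifact() returns
the keyword arguments you would pass to it."""
import re
from typing import Dict, List, Tuple

# The characters the posted playbook function rewrites to '_'.
_BAD_KEY_CHARS = re.compile(r"[.:()]+")


def spl_quote(value) -> str:
    """Render value as an SPL double-quoted literal.

    Only backslash and the double quote are special inside SPL quotes, so
    escaping those two keeps a '|', '*', 'OR' or a second field=value pair
    embedded in an artifact field from being parsed as search syntax.
    """
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"' + text + '"'


def build_search(index: str, fields: Dict[str, object], earliest: str = "-24h") -> str:
    """Equivalent of the format block: one field=value term per artifact field."""
    terms = " ".join(f"{k}={spl_quote(v)}" for k, v in sorted(fields.items()))
    return f"search index={spl_quote(index)} earliest={earliest} {terms}".rstrip()


def cef_key(key: str) -> str:
    """Rewrite a Splunk field name so it works as a CEF key.

    '.', '::', '(' and ')' become a single underscore, as in the posted
    function; a trailing underscore left by a closing parenthesis is dropped.
    Leading underscores (Splunk's _time, _raw) are kept.
    """
    return _BAD_KEY_CHARS.sub("_", key).rstrip("_")


def sanitize_event(event: Dict[str, object]) -> Tuple[Dict[str, object], List[str]]:
    """Return (cef_data, collisions).

    Builds a new dict rather than popping keys out of the one being iterated.
    When two source keys map to the same CEF key the first value wins and the
    loser is listed in collisions so the playbook can log it.
    """
    cef: Dict[str, object] = {}
    collisions: List[str] = []
    for key, value in event.items():
        new_key = cef_key(key)
        if new_key in cef:
            collisions.append(f"{key} -> {new_key}")
            continue
        cef[new_key] = value
    return cef, collisions


def build_artifact(container_id: int, event: Dict[str, object],
                   name: str = "Notable Event Artifact", label: str = "notable",
                   severity: str = "medium") -> Dict[str, object]:
    """Keyword arguments for phantom.add_artifact(...) for one returned event.

    identifier is taken from the event_id field that Enterprise Security puts
    on notable events (assumption: the query returns that field).
    run_automation stays False: an artifact that re-triggers the playbook
    which created it on the same container would loop.
    """
    cef, _ = sanitize_event(event)
    return {
        "container": container_id,
        "raw_data": {},
        "cef_data": cef,
        "label": label,
        "name": name,
        "severity": severity,
        "identifier": event.get("event_id"),
        "artifact_type": label,
        "run_automation": False,
    }


# Constructed sample events (not real Splunk output).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "event_id": "ABC-1", "src": "10.0.0.5",
     "dest.ip": "10.0.0.9", "dest::ip": "10.0.0.10", "count(signature)": "3"},
]

if __name__ == "__main__":
    print(build_search("notable", {"src": '10.0.0.5" | delete', "rule_name": "Brute Force"}))
    cef, clashes = sanitize_event(SAMPLE_EVENTS[0])
    print(cef, clashes)
    print(build_artifact(42, SAMPLE_EVENTS[0]))
```

In a playbook the dict from build_artifact() would be unpacked into phantom.add_artifact(**...) and the collisions list written with phantom.debug(); collapsing runs of separators means '::' and '.' map to the same key, which is why the collision report matters.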

jamolson
Path Finder

Thank you,
I will give this a go.


sam_splunk
Splunk Employee

Hi Jamolson, we just released a new version of the Phantom app that includes an 'update artifact' command (version 2.1.21). Please have a look to see if this will meet your needs.



jamolson
Path Finder

Awesome, I will check this out. Sounds exactly what I was looking for.
