Splunk Enterprise Security

Phantom: How to run Splunk search and add data to artifact rather than widget

jamolson
Path Finder

I am able to send data to Phantom and create containers with valid Artifacts but I want to enrich the artifact itself with secondary Splunk searches running from phantom itself using a playbook.

I am also able to create the playbook that runs a search based on artifact fields as variables, but it adds the output to the Splunk Widget.

What I would rather have is the original artifact updated with new fields based on the data that comes back from the "Run Search" action.
Has anyone tried this?

I would even meet halfway and say it's fine that it makes a whole new artifact with the new data, but I would prefer just an update.

0 Karma

megshyle
New Member

Still stuck at running a search based on artifact fields as variables. Can you give any hint for that? Thank you.

0 Karma

jamolson
Path Finder

Hard to say since I'm not sure exactly where you are stuck. Normally I would use a 'format' block to create the search and use the GUI to pick which artifacts I want and put them in the search logic, then I would call the Splunk App Run Query option and just use the formatted_data.
If you are still having issues I would start a new forum question with more details.

0 Karma

cblumer_splunk
Splunk Employee

This Custom Function example can be used to have a new Artifact created in the current container with the event data returned from a Splunk query executed in a previous playbook block:

import json
import phantom.rules as phantom  # playbook API: collect2(), add_artifact(), save_run_data(), debug()

def add_notable_event_Artifact(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('add_notable_event_Artifact() called')
    # Collect the result data of the earlier "run query" block (named run_Notable_query here)
    results_data_1 = phantom.collect2(container=container, datapath=['run_Notable_query:action_result.data'], action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]

    add_notable_event_Artifact__notable_artifact = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Take the first row of the first result set; stop if the search returned no events
    if not results_item_1_0 or not results_item_1_0[0]:
        phantom.debug('run_Notable_query returned no events, no artifact created')
        return
    notable_artifact_json = results_item_1_0[0][0]
    # phantom.debug(notable_artifact_json)

    # Rename any JSON keys containing ".", "::", "(" or ")" to use underscores so they are valid CEF field names.
    # Iterate over a copy of the items: popping and inserting keys while iterating the dict itself is an error.
    for k, v in list(notable_artifact_json.items()):
        if "." in k or "::" in k or "(" in k or ")" in k:
            new_key = k.replace('.', '_').replace('::', '_').replace('(', '_').replace(')', '_')
            notable_artifact_json[new_key] = notable_artifact_json.pop(k)

    # Add "Notable Event Artifact" to the Phantom event (container)
    success, message, artifact_id = phantom.add_artifact(container=container['id'],
                                                         raw_data={},
                                                         cef_data=notable_artifact_json,
                                                         label="notable",
                                                         name="Notable Event Artifact",
                                                         severity="medium",
                                                         identifier=None,
                                                         artifact_type="notable",
                                                         field_mapping=None,
                                                         trace=False,
                                                         run_automation=False)
    # Keep the id of the new artifact so later playbook blocks can reference it
    add_notable_event_Artifact__notable_artifact = artifact_id

    # phantom.debug(success)
    # phantom.debug(message)
    # phantom.debug(artifact_id)

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='add_notable_event_Artifact:notable_artifact', value=json.dumps(add_notable_event_Artifact__notable_artifact))

    return
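
The two steps of the custom function above (pulling the first row out of the collect2() result and renaming Splunk field names into valid CEF keys) as standalone functions, so they can be tested outside Phantom. This is an added example, not cblumer_splunk's code; the result layout it assumes mirrors the `run_Notable_query:action_result.data` datapath used above, and the sample row is constructed.

```python
import re

# Matches the separators the custom function replaces: "::" as a unit, then ".", "(" and ")"
_BAD_KEY_CHARS = re.compile(r'::|[.()]')


def first_result_row(results_data):
    """results_data is shaped like phantom.collect2(..., datapath=['...:action_result.data']):
    a list of [data] items, each data being the list of rows the Splunk search returned.
    Returns the first row, or None when the search returned nothing (the original
    code would raise IndexError in that case)."""
    for item in results_data:
        rows = item[0] if item else None
        if rows:
            return rows[0]
    return None


def sanitize_cef_keys(row):
    """Return a new dict whose keys are usable as CEF field names.
    Builds a fresh dict instead of mutating row while iterating it, and
    de-duplicates keys that sanitize to the same name (e.g. "src.ip" and "src_ip")."""
    cef = {}
    for key, value in row.items():
        base = _BAD_KEY_CHARS.sub('_', key)
        new_key, n = base, 2
        while new_key in cef:          # collision: suffix a counter instead of overwriting
            new_key = "%s_%d" % (base, n)
            n += 1
        cef[new_key] = value
    return cef


def build_notable_artifact(container_id, row, name="Notable Event Artifact"):
    """Keyword arguments for phantom.add_artifact() as used on the page, returned as a
    dict so the call can be inspected; pass as phantom.add_artifact(**kwargs) in a playbook."""
    return {
        "container": container_id,
        "raw_data": {},
        "cef_data": sanitize_cef_keys(row),
        "label": "notable",
        "name": name,
        "severity": "medium",
        "identifier": None,
        "artifact_type": "notable",
        "run_automation": False,
    }


# Constructed sample: one row as the Splunk app's "run query" action would return it
SAMPLE_RESULTS = [[[{"src.ip": "10.0.0.5", "Threat::Score": "80", "count(dest)": "3",
                     "src_ip": "10.0.0.6", "_time": "2024-03-01T00:00:00"}]]]
```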

jamolson
Path Finder

Thank you,
I will give this a go.

0 Karma

sam_splunk
Splunk Employee

Hi Jamolson - We just released a new version of the Phantom app that includes an 'update artifact' command. Version: 2.1.21. Have a look if this'll meet your needs, please.


0 Karma

jamolson
Path Finder

Awesome, I will check this out. Sounds exactly like what I was looking for.

0 Karma