Splunk Enterprise Security

Phantom: How to run Splunk search and add data to artifact rather than widget

Path Finder

I am able to send data to Phantom and create containers with valid Artifacts but I want to enrich the artifact itself with secondary Splunk searches running from phantom itself using a playbook.

I am also able to create the playbook that runs a search based on artifact fields as variables, but it adds the output to the Splunk Widget.

What I would rather have the original artifact be updated with new fields based on the data that comes back from the "Run Search" action.
Has anyone tried this?

I would even meet half way and say its fine that it makes a whole new artifact with the new data but I would prefer just an update.

0 Karma

New Member

Still stuck at running a search based on artifact fields as variables. Can you give any hint for that? Thank you.

0 Karma

Path Finder

Hard to say since I'm not sure exactly where you are stuck. Normally I would use a 'format' block to create the search and use the GUI to pick which artifacts I want and put them in the search logic, then I would call the Splunk App Run Query option and just use the formatted_data.
If you are still having issues I would start a new forum question with more details.

0 Karma

Splunk Employee
Splunk Employee

This Custom Function example can be used to have a new Artifact created in the current container with the event data returned from a Splunk query executed in a previous playbook block:

def add_notable_event_Artifact(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('add_notable_event_Artifact() called')
    results_data_1 = phantom.collect2(container=container, datapath=['run_Notable_query:action_result.data'], action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]

    add_notable_event_Artifact__notable_artifact = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...
    notable_artifact_json = results_item_1_0[0][0]
    # phantom.debug(notable_artifact_json)

    # Find and replace any JSON Keys which have a "." or "::" in them to have an underscore
    for k, v in notable_artifact_json.iteritems():
        if "." in k or "::" in k or "(" in k or ")" in k:
            new_key = k.replace('.', '_').replace('::', '_').replace('(', '_').replace(')', '_')
            notable_artifact_json[new_key] = notable_artifact_json.pop(k)

    # Add "Notable Event Artifact" to Phantom Event
    success, message, artifact_id = phantom.add_artifact(container=container['id'], 
                                                         raw_data={}, 
                                                         cef_data=notable_artifact_json, 
                                                         label="notable", 
                                                         name="Notable Event Artifact", 
                                                         severity="medium", 
                                                         identifier=None, 
                                                         artifact_type="notable", 
                                                         field_mapping=None, 
                                                         trace=False, 
                                                         run_automation=False)

    # phantom.debug(success)
    # phantom.debug(message)
    # phantom.debug(artifact_id)

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='add_notable_event_Artifact:notable_artifact', value=json.dumps(add_notable_event_Artifact__notable_artifact))

    return

Path Finder

Thank you,
I will give this a go.

0 Karma

Splunk Employee
Splunk Employee

Hi Jamolson - We just released a new version of the Phantom app that includes an 'update artifact' command. Version: 2.1.21. Have a look if this'll meet your needs, please.

alt text

0 Karma

Path Finder

Awesome, I will check this out. Sounds exactly what I was looking for.

0 Karma