Splunk Enterprise Security

Splunk generating multiple artifacts in phantom

emkaxon
New Member

Hello,

We're facing an issue when events are forwarded from Splunk to Phantom: multiple artifacts are being generated for each single event.

Noting that the configuration is done "by the book", what could be the reason behind that?

0 Karma

donbinhvn
Engager


Looks like the new version of the Splunk app allows us to group mv to a list.

0 Karma

WalshyB
Path Finder

Hey,

The "Send to Phantom" action will extract artifacts from the Splunk result for each row present. If you have multi-value fields in the result, then it will extract one for each value when using the "Send to Phantom" adaptive response action.

Best practice is to use the event forwarding portion of the Phantom app, monitoring notables and configuring the mapping of CEF fields to control which fields are sent to Phantom. This also doesn't create multiple artifacts; you will have one with a string of all the multi-values joined together (which could require playbook actions to separate again).

0 Karma
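To make the difference between the two forwarding paths concrete, here is an added Python model of the behaviour described in the answer above (constructed for this thread, not the Phantom app's own code): the adaptive response path expands a multi-value field into one artifact per value, while the event forwarding path with a CEF mapping joins the values into one string that a playbook-side helper then splits again. The cartesian-product expansion for rows with several multi-value fields and the `", "` joiner are assumptions of this model; check your app version's actual mapping.

```python
# Constructed model of the two forwarding behaviours described in the
# thread; it is not the Phantom app's code. Assumptions: multi-value
# fields are expanded by cartesian product, and event forwarding joins
# multi-values with ", " (JOIN_SEP). Verify both against your app version.
from itertools import product

JOIN_SEP = ", "  # assumed joiner used by event forwarding


def adaptive_response_artifacts(row):
    """Model of 'Send to Phantom': one artifact per combination of values,
    so a 7-valued field in a single result row yields 7 artifacts."""
    keys = list(row)
    choices = [v if isinstance(v, list) else [v] for v in row.values()]
    return [{"cef": dict(zip(keys, combo))} for combo in product(*choices)]


def event_forwarding_artifact(row, cef_map):
    """Model of event forwarding with a CEF mapping: only mapped fields are
    sent, and a multi-value field becomes one joined string."""
    cef = {}
    for splunk_field, cef_field in cef_map.items():
        value = row.get(splunk_field)
        if value is None:
            continue  # unmapped or absent fields are not forwarded
        cef[cef_field] = JOIN_SEP.join(value) if isinstance(value, list) else value
    return {"cef": cef}


def split_joined_field(artifact, cef_field, sep=JOIN_SEP):
    """Playbook-side helper: turn the joined string back into a list,
    dropping empty fragments from stray separators."""
    value = artifact["cef"].get(cef_field, "")
    return [part for part in (p.strip() for p in value.split(sep)) if part]


# Constructed sample row: one notable whose indicator field carries seven
# values, the shape of the "7 artifacts from one event" symptom.
SAMPLE_ROW = {
    "src": "10.0.0.5",
    "ioc_hash": [f"hash{i}" for i in range(1, 8)],  # placeholder values
    "sensor": "cb-host-01",
}
CEF_MAP = {"src": "sourceAddress", "ioc_hash": "fileHash"}

if __name__ == "__main__":
    print(len(adaptive_response_artifacts(SAMPLE_ROW)))  # 7
    one = event_forwarding_artifact(SAMPLE_ROW, CEF_MAP)
    print(one["cef"]["fileHash"])
    print(split_joined_field(one, "fileHash"))
```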

sloshburch
Splunk Employee

Would you clarify how you have things set up? Did you use Phantom App for Splunk and what event forwarding methodology are you using?

A good way to debug would be to disable all the event forwarders and turn them on one at a time to see which input (or inputs) are causing this.

Also, share the search being used to generate the Splunk events that get sent.

0 Karma

emkaxon
New Member

We are now forwarding the events manually through the "Send to Phantom" adaptive response action. The event received in Phantom generated 7 artifacts.

0 Karma

sloshburch
Splunk Employee

Thank you! So if I follow you, that's the action that occurs on the results of the saved search, right? Assuming I'm still with you, could you share with us how the search is defined?

0 Karma

emkaxon
New Member

The search consists of scanning for an IOC from Carbon Black, and when it is detected a notable event is generated.

0 Karma