Splunk SOAR (f.k.a. Phantom)

ES -> Adaptive Response -> Phantom Playbook -> event_id?

GOB_Bluth
Explorer

I need my Phantom playbook to be able to close a Splunk ES notable event when it's completed; this requires the event_id field, which is not included in the artifact when using the adaptive response.

Has anyone found a clever solution?

This is possible when using the Phantom app for Splunk; however, we need to pivot and start using the AR.

0 Karma

rgresham_splunk
Splunk Employee

Using the notable macro is the correct answer and yet missing a piece or two. We (ProServ) recommend the use of Event Forwarding with the appropriate Phantom Instance configured and working. This will allow you to forward events with global mappings (available in 3.x of the Phantom App for Splunk). Using this model makes it easy to do several things. 1. You won't have to go to every rule and add an adaptive response action, but you will have to either use a tag, label or naming convention in your rules for your Event Forwarding Saved Search to find (like PROD). This configuration, when properly deployed, will allow you to update a rule and then the appropriate Event Forwarding Search configuration will find the data and forward it to Phantom from a search that used the notable macro, which has the event_id you are looking for Phantom to have to update the notable.

Adaptive Response does not update notable fast enough for splunk to send the data to phantom and thus it's not available. A new integration is on the horizon and this will be a thing of the past. But this is the workaround to push data back to Splunk via a notable update.

ashishamalviya1
Explorer

@rgresham_splunk, is this the only solution to date to forward event_id from Splunk to Phantom, or do we have any other method? We are looking to use Adaptive Response, but because event_id is not getting populated in Phantom we are not able to utilize this option. Thanking in advance.

0 Karma

bowesmana
SplunkTrust

We changed the CIM that pushes the event to Phantom to add event_id, then in Phantom, the event id is available.

0 Karma

GOB_Bluth
Explorer

Thank you. Can you expand on 'changed the CIM'?

0 Karma

bowesmana
SplunkTrust

We cloned the Notable event data model and added event_id as a field in the data model. Then in the Phantom app for Splunk, used that data model to select events and passed the event id across to Phantom.

0 Karma

rcao_splunk
Splunk Employee

How can we filter fields when sending the event to Phantom from ES? By default, ES will send all fields of the notable event to Phantom, but a lot of them are useless for Phantom's investigation. Thank you.

0 Karma

GOB_Bluth
Explorer

Very cool solution, thank you for sharing.

0 Karma

ansusabu
Communicator

You can use the notable macro to pull the events from Splunk to Phantom. Thus you will get the event_id as an artifact.

GOB_Bluth
Explorer

The notable macro doesn't work when it's being called by an adaptive response action.

0 Karma

phantom_mhike
Path Finder

I can't say that I have tackled this specific scenario before but my first approach in general would be to use the splunk 'run query' action and use the details available to identify the notable and then pull the ID from the results.

0 Karma
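The 'run query' approach above, worked through as an added example (not code from the thread or from the Splunk app): it builds the SPL for the lookup from the fields the adaptive response artifact does carry, quoting them so artifact data cannot alter the search, and then picks the event_id out of the results only when exactly one notable matches. The CEF field names, the sample rows and the 'update event' parameter names are assumptions.

```python
# Constructed sample: the CEF block of a Phantom artifact created by an ES
# adaptive response action; as the thread notes, it carries no event_id.
SAMPLE_ARTIFACT_CEF = {
    "rule_name": "Threat - Brute Force Access Behavior Detected - Rule",
    "src": "10.0.0.5",
    "dest": "web-01",
    "_time": "1710000000",  # epoch seconds, as ES exports it
}

# Constructed sample: rows as the 'run query' action would return them.
SAMPLE_QUERY_RESULTS = [
    {"event_id": "1710000012.345@@notable@@0123abcd",
     "rule_name": "Threat - Brute Force Access Behavior Detected - Rule",
     "src": "10.0.0.5", "dest": "web-01", "_time": "1710000012"},
]


def spl_quote(value):
    """Quote a value for SPL, escaping backslashes and double quotes so that
    artifact-derived data cannot break out of the quoted term."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_notable_lookup_query(cef, match_fields=("rule_name", "src", "dest"),
                               window_seconds=600):
    """Build the SPL for the 'run query' action: pull notables through the
    `notable` macro, keep those matching the artifact's fields inside a
    window around the artifact's _time, and return only the fields needed."""
    if "_time" not in cef:
        raise ValueError("artifact has no _time; refusing an unbounded search")
    ts = int(float(cef["_time"]))
    terms = " ".join(f"{f}={spl_quote(cef[f])}" for f in match_fields if f in cef)
    if not terms:
        raise ValueError("no matchable fields in artifact")
    return (f"`notable` | search {terms} "
            f"| where _time>={ts - window_seconds} AND _time<={ts + window_seconds} "
            f"| table event_id, rule_name, src, dest, _time")


def pick_event_id(results):
    """Return the event_id when the results name exactly one notable; return
    None when there is no match or more than one, so the playbook can branch
    instead of closing the wrong notable."""
    ids = {row.get("event_id") for row in results if row.get("event_id")}
    return ids.pop() if len(ids) == 1 else None


def update_event_params(event_id, comment):
    """Parameters for the Splunk app's 'update event' action (the names
    event_ids/status/comment are assumed here; check the installed app)."""
    return {"event_ids": event_id, "status": "closed", "comment": comment}
```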

GOB_Bluth
Explorer

Thank you, phantom_mhike, I'm going down that road.

0 Karma