Splunk Phantom

ES -> Adaptive Response -> Phantom Playbook -> event_id?

Explorer

I need my Phantom playbook to be able to close a Splunk ES notable event when it's completed; this requires the event_id field, which is not included in the artifact when using the adaptive response.

Has anyone found a clever solution?

This is possible when using the Phantom app for Splunk; however, we need to pivot and start using the AR.

Splunk Employee

Using the notable macro is the correct answer and yet missing a piece or two. We (ProServ) recommend the use of Event Forwarding with the appropriate Phantom Instance configured and working. This will allow you to forward events with global mappings (available in 3.x of the Phantom App for Splunk). Using this model makes it easy to do several things. 1. You won't have to go to every rule and add an adaptive response action, but you will have to either use a tag, label or naming convention in your rules for your Event Forwarding Saved Search to find (like PROD). This configuration, when properly deployed, will allow you to update a rule and then the appropriate Event Forwarding Search configuration will find the data and forward it to phantom from a search that used the notable macro, which has the event_id you are looking for phantom to have to update the notable.

Adaptive Response does not update notable fast enough for splunk to send the data to phantom and thus it's not available. A new integration is on the horizon and this will be a thing of the past. But this is the workaround to push data back to Splunk via a notable update.

Motivator

We changed the CIM that pushes the event to Phantom to add event_id, then in Phantom, the event id is available.

Explorer

Thank you. Can you expand on 'changed the CIM'?

Motivator

We cloned the Notable event data model and added event_id as a field in the data model. Then in the Phantom app for Splunk, used that data model to select events and passed the event id across to Phantom.

Splunk Employee

How can we filter fields when sending the event to phantom from ES? By default, ES will send all fields of the notable event to phantom, but a lot of them are useless for phantom's investigation. Thank you.

Explorer

Very cool solution, thank you for sharing.

Communicator

You can use the notable macro to pull the events from Splunk to Phantom. Thus you will get the event_id as an artifact.

Explorer

The notable macro doesn't work when it's being called by an adaptive response action.

Path Finder

I can't say that I have tackled this specific scenario before but my first approach in general would be to use the splunk 'run query' action and use the details available to identify the notable and then pull the ID from the results.

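An added example (not phantom_mike's code, and not from Splunk or Phantom) of the "run query, then pull the ID" approach as playbook-side Python: it builds the lookup search from the artifact's fields using the `notable` macro so event_id is populated, quotes artifact-supplied text so it cannot alter the search string, and refuses to return an ID when the result is empty, ambiguous, or malformed, so the playbook leaves the notable alone rather than closing the wrong one. The artifact field names (rule_name/search_name, orig_time), the result-row layout, and the event_id shape are assumptions.

```python
"""Added example (not from the thread, Splunk or Phantom): helpers for locating an
ES notable's event_id from a Phantom artifact via a search, as phantom_mike suggests.
Assumptions: the artifact's CEF block carries rule_name (or search_name) and an epoch
orig_time, and search results arrive as a list of dicts, one per row."""
import re
from typing import Dict, List, Optional

# Loose shape check for an ES notable event_id. Assumption: ids look like
# "<something>@@notable@@<something>"; adjust if your environment differs.
EVENT_ID_RE = re.compile(r"^[^@\s]+@@notable@@[^@\s]+$")


def spl_quote(value: str) -> str:
    """Wrap a value in SPL double quotes, escaping backslashes and quotes so text
    copied from an artifact cannot change the rest of the search string."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_notable_lookup(cef: Dict[str, str], window_seconds: int = 300) -> str:
    """Build the SPL a 'run query' action would run to find the notable behind this
    artifact. The `notable` macro is what makes event_id appear in the results."""
    rule_name = cef.get("rule_name") or cef.get("search_name")
    orig_time = cef.get("orig_time")
    if not rule_name or orig_time is None:
        raise ValueError("artifact needs rule_name/search_name and orig_time to locate the notable")
    try:
        t = int(float(orig_time))
    except (TypeError, ValueError):
        raise ValueError("orig_time must be epoch seconds") from None
    return (
        "`notable` "
        f"| search rule_name={spl_quote(rule_name)} "
        f"| eval delta=abs(_time-{t}) "
        f"| where delta<={int(window_seconds)} "
        "| sort delta "
        "| table event_id, rule_name, _time, delta"
    )


def pick_event_id(results: List[Dict[str, str]]) -> Optional[str]:
    """Return the event_id of the closest match, or None when the lookup is empty,
    ambiguous (two notables equally close in time) or malformed."""
    if not results:
        return None
    first = results[0]  # `sort delta` puts the closest notable first
    if len(results) > 1 and results[1].get("delta") == first.get("delta"):
        return None
    candidate = first.get("event_id", "")
    return candidate if EVENT_ID_RE.match(candidate) else None


# Constructed sample data standing in for an artifact's CEF block and the rows a
# Splunk search would return (not real data).
SAMPLE_CEF = {"rule_name": "Brute Force Access Behavior Detected", "orig_time": "1700000000"}
SAMPLE_RESULTS = [
    {"event_id": "A1B2C3D4@@notable@@0123456789abcdef",
     "rule_name": "Brute Force Access Behavior Detected", "_time": "1700000012", "delta": "12"},
    {"event_id": "E5F6A7B8@@notable@@fedcba9876543210",
     "rule_name": "Brute Force Access Behavior Detected", "_time": "1700000250", "delta": "250"},
]

if __name__ == "__main__":
    print(build_notable_lookup(SAMPLE_CEF))
    print(pick_event_id(SAMPLE_RESULTS))
```

In a playbook, the string from `build_notable_lookup` would be handed to the Splunk app's query action and the returned rows to `pick_event_id`; a `None` result is the signal to add a comment to the container and stop, not to guess.
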
Explorer

Thank you phantom_mike, I'm going down that road.
