I need my Phantom playbook to be able to close a Splunk ES notable event when it's completed. This requires the event_id field, which is not included in the artifact when using the adaptive response.
Has anyone found a clever solution?
This is possible when using the Phantom app for Splunk; however, we need to pivot and start using the AR.
Using the notable macro is the correct answer, yet it is missing a piece or two. We (ProServ) recommend the use of Event Forwarding with the appropriate Phantom Instance configured and working. This will allow you to forward events with global mappings (available in 3.x of the Phantom App for Splunk). Using this model makes it easy to do several things. 1. You won't have to go to every rule and add an adaptive response action, but you will have to either use a tag, label or naming convention in your rules for your Event Forwarding Saved Search to find (like PROD). This configuration, when properly deployed, will allow you to update a rule, and then the appropriate Event Forwarding Search configuration will find the data and forward it to Phantom from a search that used the notable macro, which has the event_id you are looking for Phantom to have in order to update the notable.
Adaptive Response does not update the notable fast enough for Splunk to send the data to Phantom, and thus it's not available. A new integration is on the horizon and this will be a thing of the past. But this is the workaround to push data back to Splunk via a notable update.
We cloned the Notable event data model and added event_id as a field in the data model. Then, in the Phantom app for Splunk, we used that data model to select events and passed the event id across to Phantom.
How can we filter fields when sending the event to Phantom from ES? By default, ES sends all fields of the notable event to Phantom, but a lot of them are useless for Phantom's investigation. Thank you.
I can't say that I have tackled this specific scenario before, but my first approach in general would be to use the Splunk 'run query' action and use the details available to identify the notable and then pull the ID from the results.
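As an added illustration of the 'run query' approach in the answer above (example code, not from anyone in this thread): the helpers below build a search over the `notable` macro from the artifact's fields, pull event_id out of the result rows, and shape the parameters for an update. The CEF field names `rule_name`/`orig_sid`, the row format, and the 'update event' parameter names are assumptions; the sample data is constructed. Note that artifact values are escaped before being spliced into SPL, since they originate in event data.

```python
"""Helpers for a Phantom playbook that recovers a notable's event_id via 'run query'.

Added example, not code from this thread. Assumptions: the artifact's CEF data
carries `rule_name` and `orig_sid` (field names assumed), the Splunk 'run query'
action returns result rows as dicts, and the 'update event' parameter names
below match your installed Splunk app version (check before use).
"""

def spl_quote(value):
    """Quote a value for an SPL double-quoted string. Artifact fields come from
    event data, so escape backslashes and quotes instead of splicing raw text."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % escaped

def build_event_id_query(cef, match_fields=("rule_name", "orig_sid")):
    """Build the search the playbook runs over the `notable` macro to find the
    event_id of the notable that produced this artifact."""
    missing = [f for f in match_fields if not cef.get(f)]
    if missing:
        raise ValueError("artifact lacks fields needed to match the notable: %s" % missing)
    filters = " ".join("%s=%s" % (f, spl_quote(cef[f])) for f in match_fields)
    return "`notable` | search %s | fields event_id rule_name orig_sid" % filters

def extract_event_ids(rows):
    """Collect unique, non-empty event_id values from run-query result rows."""
    ids = []
    for row in rows or []:
        eid = (row or {}).get("event_id", "")
        if eid and eid not in ids:
            ids.append(eid)
    return ids

def close_notable_params(event_ids, comment):
    """Parameter dict for the Splunk app's 'update event' action (names assumed)."""
    if not event_ids:
        raise ValueError("no event_id found; refusing to build an update with no target")
    return {"event_ids": ",".join(event_ids), "status": "closed", "comment": comment}

# Constructed sample data standing in for the artifact and the run-query results.
SAMPLE_CEF = {"rule_name": "Access - Excessive Failed Logins - Rule",
              "orig_sid": "scheduler__admin__SA-AccessProtection__EXAMPLE_SID"}
SAMPLE_ROWS = [
    {"event_id": "EXAMPLE_SID@@notable@@deadbeef", "rule_name": SAMPLE_CEF["rule_name"]},
    {"event_id": "EXAMPLE_SID@@notable@@deadbeef"},  # duplicate row, deduplicated
    {"rule_name": "row without event_id"},
]

if __name__ == "__main__":
    print(build_event_id_query(SAMPLE_CEF))
    print(close_notable_params(extract_event_ids(SAMPLE_ROWS), "Closed by playbook"))
```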