Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting fields from artifact in playbook

chris997
Engager
‎11-16-2023 01:28 PM

Hello! This is probably a simple question but I've been kind of struggling with it. I'm building out my first playbook which triggers off of new artifacts. The artifacts include fields for: type, value, tag. What I'm trying to do is have those fields from the artifact passed directly into a custom code block in my playbook. How do I go about accessing those fields?

I've tried using phantom.collect2(container=container, datapath=["artifact:FIELD_NAME*"]) in the code block but it doesn't return anything. I thought maybe I needed to setup custom fields to define type, value and tag in the custom fields settings, but that didn't change anything either. Any help would be appreciated, thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chris997
Engager
‎11-22-2023 08:48 AM

Thanks! I initially tried that call and  wasn't working for me but I ended up realizing it was because I was adding my fields to the "Custom fields" and not the "CEF" settings.

After speaking with the Splunk team it sounds like Custom fields are meant for reference within SOAR, like adding some information into the HUD, whereas CEF is what's actually used to access the artifact data.

I appreciate your reply

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Ar_on88
New Member
‎11-22-2023 08:39 AM

Try this:

phantom.collect2(container=container, datapath=["artifact:*.cef.FIELD_NAME"])
0 Karma
Reply
Solved! Jump to solution
Solution

chris997
Engager
‎11-22-2023 08:48 AM

Thanks! I initially tried that call and  wasn't working for me but I ended up realizing it was because I was adding my fields to the "Custom fields" and not the "CEF" settings.

After speaking with the Splunk team it sounds like Custom fields are meant for reference within SOAR, like adding some information into the HUD, whereas CEF is what's actually used to access the artifact data.

I appreciate your reply

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...