Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update an artifact field?

scorsatto
Explorer
‎11-01-2022 12:12 PM

is there an option to update the value of a specific field within a specific artifact? I was able to update using phantom update_artifact action or with a REST call, but when the field is updated it also delete the other existent fields in that artifact.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scorsatto
Explorer
‎11-07-2022 08:10 AM

Thanks @Dave_Burns and @phanTom. that exact what I did, I've created a new CF that get all the data from the artifact first, after that changes the fields I want and then I can use this CF payload result in the update artifact action. it seems the interface always replace the whole artifact data with whatever you post, this is not very clear on the documentation of the app

View solution in original post

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎11-07-2022 07:37 AM

@scorsatto @Dave_Burns I am not sure what version you may be on but the update_artifact action on the Phantom Phantom app does update and doesn't overwrite, unless you tick the box. 

I simply put the JSON of the field I wanted to update in the 'cef_json' field and it updated and didn't overwrite. 

phanTom_2-1667835459241.png

 

phanTom_0-1667835437156.png

phanTom_1-1667835447182.png

Bear in mind if you are trying to add the same CEF field to an existing artifact, it won't work as you would need a new artifact. If you use update artifact to ADD the same field with a different value, then it will overwrite due to the above. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

licroBI_0x1
Explorer
‎02-24-2023 07:16 AM

Hi, saw the answers and they are very close to what I also need but I would additionally want to place new key:value pair under the already existing key.

E.g. Add new key "test" under existing "test_header"

"cef": {
"test_header": {
      "test": "value"

 

0 Karma
Reply
Solved! Jump to solution

Dave_Burns
Path Finder
‎11-07-2022 07:41 AM

@phanTom 

Good to know. When I was trying to do that before, that was back in 4.6.X something. It's been awhile. 

@scorsatto Listen to him! He's got the evidence. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Dave_Burns
Path Finder
‎11-07-2022 07:23 AM

The interfaces only seem to update the entire artifact. 

You could create a custom function where you provide the artifact id, field to change, and new value. 

It fetches the entire artifact first, change the field value, and then "re-save" that artifact. 

That way you have something modular if you need to do it again in the future. 

0 Karma
Reply
Solved! Jump to solution
Solution

scorsatto
Explorer
‎11-07-2022 08:10 AM

Thanks @Dave_Burns and @phanTom. that exact what I did, I've created a new CF that get all the data from the artifact first, after that changes the fields I want and then I can use this CF payload result in the update artifact action. it seems the interface always replace the whole artifact data with whatever you post, this is not very clear on the documentation of the app

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...