Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update an artifact field?

scorsatto
Explorer
‎11-01-2022 12:12 PM

is there an option to update the value of a specific field within a specific artifact? I was able to update using phantom update_artifact action or with a REST call, but when the field is updated it also delete the other existent fields in that artifact.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scorsatto
Explorer
‎11-07-2022 08:10 AM

Thanks @Dave_Burns and @phanTom. that exact what I did, I've created a new CF that get all the data from the artifact first, after that changes the fields I want and then I can use this CF payload result in the update artifact action. it seems the interface always replace the whole artifact data with whatever you post, this is not very clear on the documentation of the app

View solution in original post

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎11-07-2022 07:37 AM

@scorsatto @Dave_Burns I am not sure what version you may be on but the update_artifact action on the Phantom Phantom app does update and doesn't overwrite, unless you tick the box. 

I simply put the JSON of the field I wanted to update in the 'cef_json' field and it updated and didn't overwrite. 

phanTom_2-1667835459241.png

 

phanTom_0-1667835437156.png

phanTom_1-1667835447182.png

Bear in mind if you are trying to add the same CEF field to an existing artifact, it won't work as you would need a new artifact. If you use update artifact to ADD the same field with a different value, then it will overwrite due to the above. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

licroBI_0x1
Explorer
‎02-24-2023 07:16 AM

Hi, saw the answers and they are very close to what I also need but I would additionally want to place new key:value pair under the already existing key.

E.g. Add new key "test" under existing "test_header"

"cef": {
"test_header": {
      "test": "value"

 

0 Karma
Reply
Solved! Jump to solution

Dave_Burns
Path Finder
‎11-07-2022 07:41 AM

@phanTom 

Good to know. When I was trying to do that before, that was back in 4.6.X something. It's been awhile. 

@scorsatto Listen to him! He's got the evidence. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Dave_Burns
Path Finder
‎11-07-2022 07:23 AM

The interfaces only seem to update the entire artifact. 

You could create a custom function where you provide the artifact id, field to change, and new value. 

It fetches the entire artifact first, change the field value, and then "re-save" that artifact. 

That way you have something modular if you need to do it again in the future. 

0 Karma
Reply
Solved! Jump to solution
Solution

scorsatto
Explorer
‎11-07-2022 08:10 AM

Thanks @Dave_Burns and @phanTom. that exact what I did, I've created a new CF that get all the data from the artifact first, after that changes the fields I want and then I can use this CF payload result in the update artifact action. it seems the interface always replace the whole artifact data with whatever you post, this is not very clear on the documentation of the app

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...