Splunk SOAR (f.k.a. Phantom)

Phantom's builtin Splunk app errors out when updating Notable Events in ES

williamchenyp
Explorer

I just recently completed the Phantom Admin and Playbook Development training and am in the process of using what I've learned to setup Phantom to be the SOAR platform for notable events generated in ES. I'm having problems getting the Update Event action in Phantom's builtin Splunk app to update the status of the ES Notable event after it has been pushed to Phantom as a new container. Here are the description of the use case and the issue:

After experimenting with the various methods of getting Notable Events to Phantom, I've settled on the Event Forwarding option to "push" notable events to Phantom. I'm having problems getting the playbook to update Notable Event status on ES, and I'm wondering if anyone can help me debug this playbook? FYI, for the lab environment, I'm using Splunk 8.0.1, ES 6.1.1, Phantom Add-On 3.0.5 and Phantom Community Edition 4.8.24304; all are the latest versions as of 5/25/20.

My use case for the playbook is as follows:

1 - ES Correlation Search creates notable Events
2 - Phantom Add-On for Splunk's Event Forwarding enabled to forward new notable events to Phantom

  • Because I need to have Phantom update the Notable Events later, the SPL used by Event Forwarding process have the following additional field mappings defined: (Showing the Splunk fields mapped to the custom fields I created in Phantom)

    event_id -> notableEventId
    severity -> notableSeverity
    urgency -> notableUrgency

4 - New containers created in Phantom with the above 3 fields as artifacts

5 - As new containers are created using this method, I want to use a playbook to update the Severity to match the Urgency from the notable event because Event Forwarding hard codes the severity. I also want the playbook to update the original Notable Event with quick comment and change the Notable status to "In Progress". The playbook's flow is as follows:

1 - Filter block #1: artifact:*.cef.notableEventId != blank
2 - Filter block #2: artifact:*.cef.notableUrgency != blank
3 - Decision block with 5 outputs for each of the 5 Notable Urgency values

For each urgency: 
4 - API block to change the container severity to match the Urgency value
5 - Format block to create a comment to the Notable Events
6 - API block calling "update event" action to update the ES Notable event using the following:
         event_ids = artifact:*.cef.notableEventId
         owner = unassigned
         status = in progress
         integer_status = leave blank
         urgency = artifact:*.cef.notableUrgency
         comment = format_1:formatted_data.*

I tested the playbook and the debugger showed all the blocks functioned as expected except the last API block where it returns the following error and a FAILED status:

May 25 2020 19:04:46 GMT-0400 (Eastern Daylight Time): phantom.act(): 'update_event_2' cannot be run on asset 'splunkmjp'. The "update event" action requires the following parameters: event_ids. The given parameters look like they were automatically generated by phantom.act() because an empty parameters list was passed to phantom.act(). The parameters list may have been empty because the preceding call to phantom.collect2() returned an empty list. Check your calling code in the action that generated this error

This looks like the Splunk API block is missing the event_ids field, but the playbook's supposed to feed the value from the collection's artifact:*.cef.notableEventId field. I know that field's populated because there's a filter block that verifies that this field is populated. Debugger also confirmed that the filter condition is valid with the following 2 lines:

Mon May 25 2020 19:04:46 GMT-0400 (Eastern Daylight Time): phantom.condition(): condition loop: condition 1, 'A1846671-F6A2-41EC-B0F9-E138A5837C00@@notable@@31ed12911128e0f233ba2bea38f4d3a8' '!=' '' => result:True
Mon May 25 2020 19:04:46 GMT-0400 (Eastern Daylight Time): phantom.condition(): returned 1 filtered artifacts AND 0 filtered action results

What am I missing that's preventing the Update Event action to work? Any suggestions or tips would be greatly appreciated! Thanks in advance.

In case you want to ask "why am I even bother with this use ease". This answer is that this is my interpretation of the Splunk ES and Phantom integration. I want to be able to use Phantom to collect evidence, conduct additional searches and close the incident or case. Then at the same time synchronize the incident status and owner with the associated Notable Event in ES. I'm experimenting using playbook to do the updates in ES to learn about playbook design.

Labels (3)
Tags (1)
0 Karma
1 Solution

williamchenyp
Explorer

I reached out to my SE and he helped figuring out that the issue was NOT the event_ids that the error messages kept referencing. We pretty dissected the playbook and turned out the issue was the variable I used for the "Comments" field for the "update event" action. The issue was in the update event's Comments field. I used format_1:formatted_data.*, which contains a formatted string containing some text mixed with some field values. The correct one to use is format_1:formatted_data (without the asterisk at the end).

Reason I did that was that I recalled from either the Admin or Playbook Dev class where the training said to always use the one that ends with the asterisk. I didn't think anything of it and turned out there's a HUGE difference with one vs. the other.

So a huge thanks to Tim Strack. Sorry, but I don't know your Splunk account to @ you to give you the proper credit...

Cheers!

-w

View solution in original post

0 Karma

williamchenyp
Explorer

I reached out to my SE and he helped figuring out that the issue was NOT the event_ids that the error messages kept referencing. We pretty dissected the playbook and turned out the issue was the variable I used for the "Comments" field for the "update event" action. The issue was in the update event's Comments field. I used format_1:formatted_data.*, which contains a formatted string containing some text mixed with some field values. The correct one to use is format_1:formatted_data (without the asterisk at the end).

Reason I did that was that I recalled from either the Admin or Playbook Dev class where the training said to always use the one that ends with the asterisk. I didn't think anything of it and turned out there's a HUGE difference with one vs. the other.

So a huge thanks to Tim Strack. Sorry, but I don't know your Splunk account to @ you to give you the proper credit...

Cheers!

-w

0 Karma

sensitive-thug
Splunk Employee
Splunk Employee

Thank you for asking a question @williamchenyp,

If you were able to solve your question, please click “Accept” directly below the answer to resolve the post.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...