Splunk SOAR (f.k.a. Phantom)

SOAR / Phantom creating 8 identical artifacts with the exception of tag value. Please advise

joconnor
Explorer

I've created an alert in Splunk Enterprise and used the Splunk SOAR / Phantom plugin to call the action "Run a playbook in Splunk SOAR". So far so good. Alert fires, it gets forwarded over to SOAR. SOAR creates a new event and then takes the original event data and creates an artifact with the details. And then changes the tag value and creates another artifact... and another... and another.

Only one tag is assigned to each artifact, those being "endpoint", "filesystem", "os", "registry", "security", "success", "track_event_signatures", and "windows". 

I can't find any mention of these tags in any place, starting with the original data, to the Splunk Enterprise alert config, etc. So I think it's SOAR adding additional data, but again I'm not sure how or when or why it's doing that. If each tag is necessary, is there a way I can force it to add all 8 tags to an array on a single artifact? Please advise.

0 Karma
1 Solution

joconnor
Explorer

@phanTom Resolved. Discovered it to be a setting in the advanced settings under the Phantom/SOAR App for Splunk config. By default it divides multi-value fields to be created as separate artifacts, but in my case it was creating too much redundancy. Thanks for your time.


0 Karma

phanTom
SplunkTrust

@joconnor what playbook(s) are you running?

The adding of tags is very likely performed by a playbook automation, and yes, you can add multiple tags, but you would need to reconfigure the automation to add multiple tags where it currently adds one.

0 Karma

joconnor
Explorer

Right now I'm only calling an empty custom playbook that I created which essentially does nothing at this point. I've modified the on_start() method to use the phantom.collect method to retrieve all artifacts in the container and then output the contents in the debug window. Then it ends.

This is also only happening to the event that uses the alert action "Run Playbook in Phantom". I have other cases of a data model being forwarded which, in similar circumstances for the same event, will only create a single artifact.

0 Karma
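The question above asks whether the eight single-tag artifacts could instead be one artifact carrying all eight tags, and the follow-up describes an on_start() that collects every artifact in the container. The block below is an added example, not code from this thread, from Splunk or from the SOAR app: it shows the consolidation step such a playbook would perform once the artifacts have been collected. The artifact dicts are constructed to mimic the shape of SOAR artifacts (name, label, cef, tags) and the SOAR playbook API is deliberately not called, so it runs offline. The accepted fix in this thread is the app's advanced setting that splits multi-value fields; this is only the in-playbook fallback for containers that were already split.

```python
"""Consolidate artifacts that differ only by tag into one artifact.

Added example, not code from the thread or from Splunk. The artifacts are
constructed test data shaped like SOAR artifacts; no SOAR API is used.
"""
import json
from collections import OrderedDict

# Constructed sample: the tags the original post lists, one per artifact.
TAGS = ["endpoint", "filesystem", "os", "registry",
        "security", "success", "track_event_signatures", "windows"]

# The same Windows event arrives eight times, identical except for its tag.
SAMPLE_ARTIFACTS = [
    {
        "name": "Splunk Alert Artifact",
        "label": "event",
        "cef": {"sourceAddress": "10.0.0.5", "fileName": "example.exe",
                "signature": "4688"},
        "tags": [tag],
    }
    for tag in TAGS
]

# A genuinely different event (other host) must not be merged into the above.
SAMPLE_ARTIFACTS.append({
    "name": "Splunk Alert Artifact",
    "label": "event",
    "cef": {"sourceAddress": "10.0.0.9", "fileName": "other.exe",
            "signature": "4688"},
    "tags": ["endpoint"],
})


def _artifact_key(artifact):
    """Identity of an artifact with tags ignored: name, label and CEF fields.

    The CEF dict is serialised with sorted keys so field order does not
    produce spurious non-matches.
    """
    cef = artifact.get("cef", {})
    return (artifact.get("name"), artifact.get("label"),
            json.dumps(cef, sort_keys=True))


def consolidate_artifacts(artifacts):
    """Merge artifacts that are identical except for tags.

    Returns a list of artifacts, one per distinct (name, label, cef), each
    carrying a sorted, de-duplicated tags list. First-seen order is kept so
    the output is stable for debugging.
    """
    merged = OrderedDict()
    for art in artifacts:
        key = _artifact_key(art)
        if key not in merged:
            merged[key] = {k: v for k, v in art.items() if k != "tags"}
            merged[key]["tags"] = []
        for tag in art.get("tags", []):
            if tag not in merged[key]["tags"]:
                merged[key]["tags"].append(tag)
    for art in merged.values():
        art["tags"].sort()
    return list(merged.values())


if __name__ == "__main__":
    # Nine input artifacts collapse to two: one with all eight tags,
    # one for the unrelated host with its single tag.
    print(json.dumps(consolidate_artifacts(SAMPLE_ARTIFACTS), indent=2))
```

In a real playbook the consolidated artifact would then be written back to the container and the split originals deleted; that write-back is left out here because it depends on the SOAR API version in use.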