Splunk SOAR (f.k.a. Phantom)

ThreatConnect SOAR App - How to change Intel Owner on Post Action?

CS_
Path Finder

Hey all,

Trying this as a hail mary, as I opened a support case last week and have had no response on it.

We are trying to use the SOAR ThreatConnect App to send Intel (Domains, URLs) to ThreatConnect via a playbook.

From the documentation, there is a function called POST DATA, which allows us to send the data to ThreatConnect.


Right now if I send a piece of intel, it gets added in under the API key account. But I need to be able to change the Owner. I can do this in a Python script easily, but can't figure it out in this App.

The documentation has "attribute_name" and "attribute_value", which I've tried setting to "owner" and the required owner respectively. But this doesn't work; the app tells me it cannot find the attribute "owner".

The documentation is very lacking here. I can't seem to figure it out.

Any ideas on how I achieve this?

Edit:

error message:

Indicator created/updated, but failed to update the attribute specified. Please ensure the attribute_name is valid, is applicable to the indicator type and attribute_value is valid


I've tried several: "Owner, owner, owner_name, ownerName, etc. etc."


1 Solution

phanTom
SplunkTrust

@CS_ If you are doing so in a script right now then I think your best and quickest option is to update the app?

I assume you already know the required endpoint(s) and data to perform the required update so you should be able to "stitch" it into the existing app?

Hope this helps!

Tom


CS_
Path Finder

@phanTom good to see you still kicking about the Forums! 🙂

Pretty much did what you recommended. I spent a few days figuring out how the app works (Spoiler: Whoever coded it hates other people).

Built a custom version of the app which can now do all that I need and more. Plus side: it was good to flex the app-building muscles and keep them in shape lol

Thanks!
