Re: copy an artifact existing in one event into an...

MikeR · ‎01-22-2024

I am working on a playbook where there is a need to copy the current event's artifacts into a separate open and existing case. We are looking for a way to automate this through phantom.collect + phantom.add_artifact or other means. We have a way to pass in the existing case id and need a solution to duplicate atrifacts from running event into that case specified by case id.

MikeR · ‎01-26-2024

@phanTom

We ended up using custom function with phantom.merge() as this fit our needs and was very simple (few lines of code). We also found how to use phantom.collect() to read in everything after some trial and error. Thank you for pointing out the addon app

phanTom · ‎01-22-2024

@MikeR a few ways to achieve this, but simplest is probably to use the Phantom Phantom app with the 'add_artifact' action. This will use phantom.collect() and if you set the container input to the id of the other container it will update it with the provided artifact info provided in the action and should return an id.

copy an artifact existing in one event into an existing case or place event as a "child" of an open case

development

using SOAR ⁄ Phantom

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases