Splunk SOAR

How to create a custom app from existing app?

Gewch
Engager

Hello,

We currently utilize the Windows Defender ATP v 3.6.0 app in our Splunk SOAR Cloud instance.  I've discovered that the 'run query' action utilizes an outdated advancedqueries api endpoint that does not expose all of the tables available in Advanced Hunting.

I'd like to update the 'run query' action to use the advancedhunting api endpoint that has the proper tables exposed.  I'm familiar with the code and where this needs to be updated, but not on how to create a custom version of this app.

What is the proper way to customize the app and install it in our SOAR cloud?

Labels (2)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@Gewch 

There are a couple of things you can do:

1. In the latest version of SOAR you can simply, clone and then update the app code in the platform IDE and even test it there too. Once ready to test properly you just need to publish the app and it will be usable in playbooks and events.  

2. You can then look to add your changes to the Repo (here) and this will then get shared to splunkbase once it's all been approved/merged!

Hope this helps, 

Happy SOARing!

View solution in original post

0 Karma

phanTom
SplunkTrust
SplunkTrust

@Gewch 

There are a couple of things you can do:

1. In the latest version of SOAR you can simply, clone and then update the app code in the platform IDE and even test it there too. Once ready to test properly you just need to publish the app and it will be usable in playbooks and events.  

2. You can then look to add your changes to the Repo (here) and this will then get shared to splunkbase once it's all been approved/merged!

Hope this helps, 

Happy SOARing!

0 Karma

Gewch
Engager

This is 100% accurate.

Cloning the SOAR app in our Cloud instance created a new v1.0.0 Draft App that I was able to customize.

Thanks @phanTom for the quick and thorough reply!

0 Karma

Roy_9
Motivator

@Gewch In order for this to be splunk cloud compatible, you could use the latest version of splunk add-on builder and go through the app vetting process, once you get all green checks inside the add-on builder, then you need to package the app and open a case to splunk support to install it on your SH/IDM.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...