Hello,
We currently utilize the Windows Defender ATP v 3.6.0 app in our Splunk SOAR Cloud instance. I've discovered that the 'run query' action utilizes an outdated advancedqueries api endpoint that does not expose all of the tables available in Advanced Hunting.
I'd like to update the 'run query' action to use the advancedhunting api endpoint that has the proper tables exposed. I'm familiar with the code and where this needs to be updated, but not on how to create a custom version of this app.
What is the proper way to customize the app and install it in our SOAR cloud?
There are a couple of things you can do:
1. In the latest version of SOAR you can simply, clone and then update the app code in the platform IDE and even test it there too. Once ready to test properly you just need to publish the app and it will be usable in playbooks and events.
2. You can then look to add your changes to the Repo (here) and this will then get shared to splunkbase once it's all been approved/merged!
Hope this helps,
Happy SOARing!
There are a couple of things you can do:
1. In the latest version of SOAR you can simply, clone and then update the app code in the platform IDE and even test it there too. Once ready to test properly you just need to publish the app and it will be usable in playbooks and events.
2. You can then look to add your changes to the Repo (here) and this will then get shared to splunkbase once it's all been approved/merged!
Hope this helps,
Happy SOARing!
This is 100% accurate.
Cloning the SOAR app in our Cloud instance created a new v1.0.0 Draft App that I was able to customize.
Thanks @phanTom for the quick and thorough reply!
@Gewch In order for this to be splunk cloud compatible, you could use the latest version of splunk add-on builder and go through the app vetting process, once you get all green checks inside the add-on builder, then you need to package the app and open a case to splunk support to install it on your SH/IDM.