Splunk SOAR

SOAR Custom Function - check_cached_data - Does anyone know the status of Ian Forrest's Custom Function?

mark_wymer
Path Finder

Hi everyone,

I just watched an excellent demo / tutorial (https://my.phantom.us/video/78/) by someone called Ian Forrest. During the video (at about 45 minutes) he demos an excellent Custom Function that looks in the cached SOAR internals for the cached results from previous executions of a specific app/action.

He did mention that this was a 'work in progress' and I can't find this CF in Community Hub nor on GitHub anywhere.

Does anyone know what the status of his Custom Function is?

Cheers,
Mark.

0 Karma

phanTom
SplunkTrust

@mark_wymer hope you are well?! 

I was lucky enough to be on one of the calls and managed to get the CF off Ian at the time. It's still Python 2.7 so may need a tweak but should give you an idea of the logic anyway.

Unfortunately I can't seem to attach .tgz so I have pinged you a direct message for your email so I can send it to you.

I would also say that I hope this capability will be available in future releases as a "baked in" capability but no idea if/when, so in the meantime take a look and see if you can use the attached.

0 Karma

mark_wymer
Path Finder

Thanks for getting back to me Tom. I've dropped you a PM in return.

Cheers,
Mark.

0 Karma

adriaanvermaak
Observer

Hi There,

Would you be able to share this custom function?

In need of utilising this function to stop re-checking previous actions.

Much appreciated

Adriaan

0 Karma