Splunk SOAR

ThreatConnect SOAR App - How to change Intel Owner on Post Action?

CS_
Path Finder

Hey all,

Trying this as a hail mary, as I opened a support case last week and have had no response on it.

We are trying to use the SOAR ThreatConnect App to send Intel (Domains, URLs) to ThreatConnect via a playbook.

From the documentation, there is a function called POST DATA, which allows us to send the data to ThreatConnect.

[screenshot attached]

Right now if I send a piece of intel, it gets added in under the API key account. But I need to be able to change the Owner. I can do this in a python script easily, but can't figure it out in this App.

The documentation has "attribute_name" and "attribute_value", which I've tried setting to "owner" and the required owner respectively. But this doesn't work: the app tells me it cannot find the attribute "owner".

The documentation is very lacking here. I can't seem to figure it out.

Any ideas on how I achieve this?

Edit:

error message:

Indicator created/updated, but failed to update the attribute specified. Please ensure the attribute_name is valid, is applicable to the indicator type and attribute_value is valid


I've tried several: "Owner", "owner", "owner_name", "ownerName", etc.



phanTom
SplunkTrust

@CS_ If you are doing so in a script right now, then I think your best and quickest option is to update the app?

I assume you already know the required endpoint(s) and data to perform the required update so you should be able to "stitch" it into the existing app?

Hope this helps!

Tom


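As an added example (not code from the original post, and not the Splunk SOAR ThreatConnect app's own code), here is what the request that gets "stitched" into a customised action looks like in plain Python. ThreatConnect's REST API selects the target owner with the "owner" query parameter on the indicators endpoint rather than with an indicator attribute, which is why attribute_name set to "owner" is reported as an unknown attribute. The HMAC-SHA256 request signature covers the path including the query string, so the owner has to be added before the request is signed. The endpoint path and signature format follow ThreatConnect's public API documentation; the base URL, access ID, secret key, owner name and indicator values are constructed placeholders.

```python
"""Build a signed ThreatConnect v3 "create indicator" request for an explicit owner.

Added example for this thread, not code from the original post or from the
Splunk SOAR ThreatConnect app. It builds the HTTP request a customised app
action would need to issue so the indicator lands in the chosen owner
instead of the API key's default owner. Nothing is sent; the request is
returned so it can be inspected and tested offline.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, urlencode

# ThreatConnect v3 indicators endpoint. The signed path includes the /api prefix.
TC_API_PATH = "/api/v3/indicators"

# The two indicator types mentioned in the thread (domains and URLs) and the
# v3 field that carries their value.
INDICATOR_VALUE_FIELD = {
    "Host": "hostName",
    "URL": "text",
}


def tc_signature(access_id: str, secret_key: str, path_with_query: str,
                 method: str, timestamp: int) -> str:
    """ThreatConnect HMAC auth header.

    The signed message is "<path?query>:<METHOD>:<unix timestamp>". The query
    string is part of it, so a request signed without ?owner=... is rejected
    if ?owner=... is bolted on afterwards.
    """
    message = f"{path_with_query}:{method.upper()}:{timestamp}"
    digest = hmac.new(secret_key.encode("utf-8"), message.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"TC {access_id}:{base64.b64encode(digest).decode('ascii')}"


def build_create_indicator_request(base_url: str, access_id: str, secret_key: str,
                                   owner: str, indicator_type: str, value: str,
                                   timestamp: int):
    """Return (method, url, headers, body) for creating `value` in `owner`.

    `owner` goes into the query string; it is not an indicator attribute,
    which is why attribute_name="owner" in the SOAR app cannot be found.
    `timestamp` is a parameter (epoch seconds) so the result is deterministic;
    a live caller passes int(time.time()).
    """
    if indicator_type not in INDICATOR_VALUE_FIELD:
        raise ValueError(f"unsupported indicator type {indicator_type!r}")
    if not owner:
        # An empty owner silently falls back to the API key's own owner,
        # which is exactly the behaviour the thread is trying to avoid.
        raise ValueError("owner must be given explicitly")

    path_with_query = f"{TC_API_PATH}?{urlencode({'owner': owner}, quote_via=quote)}"
    headers = {
        "Timestamp": str(timestamp),
        "Authorization": tc_signature(access_id, secret_key, path_with_query,
                                      "POST", timestamp),
        "Content-Type": "application/json",
    }
    body = {"type": indicator_type, INDICATOR_VALUE_FIELD[indicator_type]: value}
    return "POST", base_url.rstrip("/") + path_with_query, headers, body


if __name__ == "__main__":
    # Constructed placeholder values; replace with the SOAR asset's settings.
    method, url, headers, body = build_create_indicator_request(
        base_url="https://tc.example.invalid",
        access_id="00000000000000000000",
        secret_key="constructed-secret-key",
        owner="Demo Community",
        indicator_type="Host",
        value="bad.example.com",
        timestamp=1700000000,
    )
    print(method, url)
    print(json.dumps(headers, indent=2))
    print(json.dumps(body))
```

In a SOAR app this would live in the action handler: read an "owner" action parameter from the playbook, build the query string and body as above, sign, and then send with the app's HTTP client. Keeping the owner out of the attribute fields and in the query string is the whole fix; the attribute_name/attribute_value pair is still only for indicator attributes.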

CS_
Path Finder

@phanTom good to see you still kicking about the Forums! 🙂

Pretty much did what you recommended. I spent a few days figuring out how the app works (Spoiler: Whoever coded it hates other people).

Built a custom version of the app which can now do all that I need and more. Plus side: it was good to flex the app-building muscles and keep them in shape lol

Thanks!

