Hi, in the ES app, navigate to Security Intelligence -> Threat Intelligence -> Threat Artifacts  Please note that all Threat Intel is being normalised into a joint intel framework. In the sub-tabs you will find the intel relating to the different security domains. Looking at the intel details you will see some of them are from your TAXII feeds... provided the download was successful. Cheers, Oliver ... View more

If the values to store aren't particularly sensitive you may consider them in a custom list. I _believe_ the environment variables are only visible to the App itself, not the playbook executing the app. In other words, I don't believe its possible to have the playbook extract some custom environment variable that's configured within the app settings and then pass it to the app. Instead the App would have to know to use that variable.   ... View more

Thank you for the solution.  ... View more

Hi mzambrana123, Thanks for the candid feedback, but I'm not sure you've understood the question correctly. The problem isn't sending a Notable to Phantom, it's using Phantom to tell ES the Notable should be closed. If you're using latest version of the Splunk app within Phantom (1.3.41 at the time of writing) the action to update a status is broken as it assumes that notables will have an entry in the Incident Review lookup, which isn't true until someone makes a change to the case in ES i.e. assigns it to an analyst, changes, the status, leaves a comment etc.   ... View more