I've created an alert in Splunk Enterprise and used the Splunk SOAR / Phantom plugin to call the action "Run a playbook in Splunk SOAR". So far so good. Alert fires, it gets forwarded over to SOAR. SOAR creates a new event and then takes the original event data and creates an artifact with the details. And then changes the tag value and creates another artifact.... and another.... and another.
Only one tag is assigned to each artifact, those being "endpoint", "filesystem", "os", "registry", "security", "success", "track_event_signatures", and "windows".
I can't find any mention of these tags in any place, starting with the original data, to the Splunk Enterprise alert config, etc. So I think it's SOAR adding additional data, but again I'm not sure how or when or why it's doing that. If each tag is necessary, is there a way I can force it to add all 8 tags to an array on a single artifact? Please advise.
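One way to consolidate the duplicated artifacts after the fact, as an added example that is not part of the original post and not Splunk's or SOAR's own code: given a list of artifact records for one container, group the ones whose data is identical and union their one-element tag lists into a single tag array. The record shape below (`container`, `cef`, `tags`, `id` fields) and the sample artifacts are constructed for illustration and are assumptions, not a description of what the SOAR plugin actually emits.

```python
from collections import defaultdict
import json

# Constructed sample: eight artifacts for one container, identical event data,
# each carrying exactly one of the tags named in the post. Field names are assumed.
SAMPLE_TAGS = ["endpoint", "filesystem", "os", "registry",
               "security", "success", "track_event_signatures", "windows"]

SAMPLE_ARTIFACTS = [
    {
        "id": index + 1,
        "container": 42,
        "name": "Splunk alert artifact",
        "cef": {"sourceHostName": "host-01", "signature": "constructed demo event"},
        "tags": [tag],
    }
    for index, tag in enumerate(SAMPLE_TAGS)
]


def artifact_key(artifact):
    """Key two artifacts as duplicates when they share a container and identical data.

    The CEF dict is serialised with sorted keys so field order does not matter.
    """
    return (artifact["container"], json.dumps(artifact.get("cef", {}), sort_keys=True))


def merge_artifact_tags(artifacts):
    """Collapse duplicate artifacts into one record whose "tags" is the union.

    Tag order follows first appearance; the ids of the merged records are kept
    in "merged_from" so the original artifacts can still be audited or deleted.
    """
    groups = defaultdict(list)
    for artifact in artifacts:
        groups[artifact_key(artifact)].append(artifact)

    merged = []
    for group in groups.values():
        combined = dict(group[0])  # copy so the input records are left untouched
        tags = []
        for artifact in group:
            for tag in artifact.get("tags", []):
                if tag not in tags:
                    tags.append(tag)
        combined["tags"] = tags
        combined["merged_from"] = [artifact["id"] for artifact in group]
        merged.append(combined)
    return merged


if __name__ == "__main__":
    for record in merge_artifact_tags(SAMPLE_ARTIFACTS):
        print(json.dumps(record, indent=2))
```

The function is pure: it returns the consolidated records and does not touch SOAR, so you can run it over an exported artifact list to confirm the grouping is what you expect before deciding whether to write a merged artifact back.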