Okay, this solution may not be ideal, but I've spent a bunch of time trying to get this to work and so far it's okay. I just haven't done too many tests yet to see if this will be 100% reliable, I feel like multiple findings in a very short time frame will break this solution and i'll need to figure out something else. I am no longer relying on the webhook Adaptive Response as I wasn't able to get the information I needed about the finding to be included, even with custom add-ons that provide better options with deciding what goes into the JSON body. I moved along to triggering Python code which interacts with Splunk first, then sends my information out to my automation platform The python code does an external query to splunk for key details I wanted about the most recent notable event, that contains the title for the certain types of findings I wanted this task to run with. This external query passes this information along to my automation platform, along with the variables I needed most importantly the finding's unique identified - source_event_id Upon completion of the automation task, the results of this task are sent back to splunk via a HTTP POST Request, which places text into the notes section via the finding's source_event_id Now all along the way there were steps to be taken in terms of generating authentication tokens within splunk, and authenticating both ways with Splunk and my automation platform.  Also dealing with creation of self signed certificates to be installed on both ends, and also installing proper ssh tokens on a third party machine used for powershell queries. It was quite a bit of work, I'm not even sure I fully could document it all without going through each section. But happy to provide specific details if any of this seems relevant to you and you need more information. Good Luck! ... View more

I would love to say I have a definite solution.  I feel like I may be closer for my scenario, but still hitting a roadblock.  What I found was the built in webhook adaptive response only has a single JSON body template that is sends.  There is no editing the fields that it sends out, and the fields it provides is not sufficient for you to refer back to particular findings if you wish to externally interact with a particular finding. I found that the better webhook addon is needed if you wish to modify the contents being sent out via webhook.  I haven't looked but perhaps you can export notes via this add on? My issue now is that I can't seem to export the finding_id or  source_event_id, or any field name that specifically references the finding so I can send my results back. Are you successfully able to write back to your finding with your automation tool?  And how are you getting the finding id and writing back? Perhaps I'm missing something initially? ... View more

Thanks livehybrid,   I was having difficulties finding a unique identifer in the webhook from the finding to my webhook received endpoint. As for your next suggestion, that's a good one. I started to look into that, then I came across the better webhook addon and now am starting to see if this may be a solution as I can edit the body of the JSON sent out.  I just got side tracked so haven't had a chance to continue yet.  I'll update this thread with whatever solution i end up with but I think your idea will work fairly well. And to answer your question, the endpoint - its just a fairly simple routine on another machine that will perform an automated powershell task and send the result back as a note to the finding.   ... View more

Thanks so much for the info! The app I was working in was Mission Control, going along with the Video, but your suspicion of ES version is probably spot on.  This video is two years old, and I just upgraded to the latest version recently. This was the video: https://youtu.be/xhfb5Cc11Tg?t=177 I understand what you mean about creating the event from the analyst queue.  I'm just confused about how to add more searched events when performing manual searches.  There is an events tab within the investigation.  What I'm seeing you would go to the Search tab and if you find anything else of interest you should be able to add it along to your investigation created.  Right now the only way I can populate additional searches into this tab, is by using the add events macro, which works fine, but this can cause accidental additions if my SPL catches other entries in my search which I don't want added to the investigation.  Seems like a better way would be to allow me to manually add the event by finding the search myself and telling splunk to add it.     Hope that makes sense?   I did training on the previous version of Splunk for investigations, this newer Mission Control is totally different and appears to lack some of the functionality in the older version? Or perhaps I'm just missing something in terms of workflow for investigations in this version of Splunk ES - I see Response is probably the primary tab to work in, but it feels lacking at the moment.  Probably because everything is defaulted at the moment.         ... View more

Sorry I thought I replied earlier.  There were no major changes made at that time.  The data flowing inbound had made a drastic change, breaking the parsing expressions at that time. I found initially just using built-in json parsing wasn't working properly, but after massaging the data by dropping some leading characters in the data stream, that worked alot better now.  I don't have the particulars to provide at the moment, but this data is parsable without the need to manually specify regex expressions for each field, or create custom field extractions. Thanks for your message! ... View more