Splunk SOAR

Schedule/PreviewWindow configure on Splunk for Phantom App

rsantoso_splunk
Splunk Employee

[ Splunk deployment/architecture ]

Splunk Enterprise: 7.2.0 / Standalone / CentOS 7.4
Phantom App for Splunk: 2.6.22 https://splunkbase.splunk.com/app/3411/
Phantom: v4.2

[ Background ]

We are testing the Phantom App for Splunk to send events from Splunk to Phantom. The roles of "Schedule" and "Preview Window" are unclear. There is no description of them on the Splunkbase page. We were not able to understand the design of "Schedule" and "Preview Window" through our test. If our observation matches the app design, it can affect the search result and the topology design. So, we would like to clarify what the expected actions are in the Phantom app.

[ Issue description ]

We configured Saved Search Export in Event Forwarding. Here are our observations from our test. As a result, we do not understand what the right behavior of this app is.
- When configuring Schedule: Every {n} Minutes, the saved search runs every {n} minutes.
- When configuring Schedule: Every {n} Minutes, the time range of the saved search is from {n}*2 minutes ago to the latest.
- When configuring Schedule: Real Time, several searches were created with various time ranges.
- "PreviewWindow" does not work even though we configured Every {n} Minutes or Real Time on Schedule.

[ Questions ]

Q1. What do the following parameters configure?
- Schedule : Real Time
- Schedule : Every {n} Minutes
- PreviewWindow

Q2. What should we configure when we want to search for last 1 hour every 5 minutes?


rsantoso_splunk
Splunk Employee

The Schedule parameter and the Preview Window are two separate things.

The Schedule parameter is associated with the repeatable event forwarding. It is applied when you click "Save and Close".
The Preview Window parameter is associated with the one-time preview event forwarding. It is applied when you click "Save and Preview".

The Schedule parameter and the Preview Window are not dependent on each other.

The Schedule parameter has the recurring window where you can put "n" Minutes. The time range is hard-coded to "n*2".
The Preview Window parameter has the one-time preview window where you put 5 mins, 1 hour, 1 day, or All Time. The time range is the selected value (5 mins, 1 hour, 1 day, All Time) and applies when you click "Save and Preview".

Now you can modify the Schedule parameter time range by clicking on the associated configuration with Advanced Edit of the alert.
Under Advanced Edit you will find the parameter dispatch.earliest_time. This value will be 2*n. You can modify this to another value and save it.

Please note that if you edit the associated alert and make changes, say after you modify dispatch.earliest_time you modify the schedule time again, then the dispatch.earliest_time value is back to 2*n.

Thus, to configure the search for the last 1 hour every 5 minutes:
In the Schedule parameter enter 5 minutes.
Go to Advanced Edit, change the parameter dispatch.earliest_time value from 10 minutes to 60 minutes.
The Preview Window has no effect on the "Save and Close" button. Thus whatever value is selected wouldn't have any effect.


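The answer above reduces to an arithmetic check that is easy to get wrong after a later schedule edit resets dispatch.earliest_time to 2*n: the saved search's time window must be at least as wide as its run interval, or events that arrive between runs are never forwarded; a wider window means each event is returned by more than one run. The following script is an added example, not code from the original post or from the Phantom App for Splunk. It parses savedsearches.conf-style stanzas (the stanza names are hypothetical and the stanza text is constructed here; `cron_schedule`, `dispatch.earliest_time` and `dispatch.latest_time` are standard Splunk saved-search keys, but the page only confirms that the app writes dispatch.earliest_time) and reports, for each search, whether its window leaves a gap, matches the interval exactly, or overlaps.

```python
"""Audit whether a Splunk scheduled search's time window covers its run
interval. Added example, not part of the Splunk Community post or of the
Phantom App for Splunk; the stanzas below are constructed for illustration."""
import re

# Constructed savedsearches.conf-style stanzas with hypothetical names.
# The page says the app hard-codes earliest time to -(2*n) minutes for a
# schedule of every n minutes; the 60m variant is the hand-edited
# "last 1 hour every 5 minutes" case from the answer; the last stanza shows
# what a window narrower than the interval looks like.
SAMPLE_CONF = """
[phantom_forward_default]
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time = now

[phantom_forward_last_hour]
cron_schedule = */5 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now

[phantom_forward_gap]
cron_schedule = */15 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time = now
"""

_REL = re.compile(r"^-(\d+)(s|m|h|d)(?:@\w+)?$")
_UNIT_MIN = {"s": 1 / 60, "m": 1, "h": 60, "d": 1440}


def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for a simple .conf text."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            cur = stanzas.setdefault(m.group(1), {})
            continue
        if cur is not None and "=" in line:
            k, v = line.split("=", 1)
            cur[k.strip()] = v.strip()
    return stanzas


def relative_minutes(value):
    """'-60m' -> 60, '-1h' -> 60, '-10m@m' -> 10, 'now' -> 0.
    Only the simple relative-time forms used for dispatch.* are handled."""
    if value == "now":
        return 0
    m = _REL.match(value)
    if not m:
        raise ValueError("unsupported relative time: %r" % value)
    return int(m.group(1)) * _UNIT_MIN[m.group(2)]


def cron_interval_minutes(cron):
    """Interval in minutes for '*/n * * * *' or '* * * * *' cron strings."""
    minute = cron.split()[0]
    if minute == "*":
        return 1
    m = re.match(r"^\*/(\d+)$", minute)
    if not m:
        raise ValueError("unsupported cron minute field: %r" % minute)
    return int(m.group(1))


def default_earliest_for(n):
    """The earliest time the answer says the app hard-codes for 'Every n Minutes'."""
    return "-%dm" % (2 * n)


def coverage(stanza):
    """Return (interval_minutes, window_minutes, verdict) for one stanza."""
    interval = cron_interval_minutes(stanza["cron_schedule"])
    window = (relative_minutes(stanza["dispatch.earliest_time"])
              - relative_minutes(stanza.get("dispatch.latest_time", "now")))
    if window < interval:
        verdict = "gap"       # events between runs are never searched
    elif window == interval:
        verdict = "exact"
    else:
        verdict = "overlap"   # each event is returned by window/interval runs
    return interval, window, verdict


def audit(text):
    """Coverage verdict for every stanza in the given .conf text."""
    return {name: coverage(s) for name, s in parse_stanzas(text).items()}


if __name__ == "__main__":
    for name, (i, w, v) in audit(SAMPLE_CONF).items():
        print("%-26s every %2dm, window %3dm: %s" % (name, i, w, v))
```

Run it against the real file (for example `$SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf`, path depends on where the app stores the export) after every change to the Schedule parameter; if the last-hour stanza comes back with a 10-minute window, the reset described in the answer has happened. An "overlap" verdict is not an error, but it does mean the same event reaches the forwarding step from several runs, so check whether the receiving side deduplicates before choosing a window much wider than the interval.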