Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About zksvc
zksvc
Communicator
Member since:
07-12-2024
Sunday
Community Statistics
| Posts | 85 |
| Solutions | 7 |
| Karma Given | 19 |
| Karma Received | 6 |
| Member Since | 07-12-2024 |
Activity Feed
- Got Karma for Why drilldown using all-time in Enterprise Security Incident Review. yesterday
- Got Karma for Re: Why drilldown using all-time in Enterprise Security Incident Review. yesterday
- Posted Re: Send to SOAR Failure from Mission Control on Splunk SOAR. a week ago
- Posted Re: Send to SOAR Failure from Mission Control on Splunk SOAR. a week ago
- Posted Re: Why drilldown using all-time in Enterprise Security Incident Review on Deployment Architecture. a week ago
- Posted Send to SOAR Failure from Mission Control on Splunk SOAR. a week ago
- Posted Re: Failed Create Component SplunkUI Yarn Setup on Getting Data In. 3 weeks ago
- Karma Re: Failed Create Component SplunkUI Yarn Setup for livehybrid. 3 weeks ago
- Posted Re: SplunkUI Start but cannot open in browser on Getting Data In. 3 weeks ago
- Posted SplunkUI Start but cannot open in browser on Getting Data In. 3 weeks ago
- Posted Re: Failed Create Component SplunkUI Yarn Setup on Getting Data In. 3 weeks ago
- Posted Re: Failed Create Component SplunkUI Yarn Setup on Getting Data In. 3 weeks ago
- Posted Re: Failed Create Component SplunkUI Yarn Setup on Getting Data In. 3 weeks ago
- Posted Re: Failed Create Component SplunkUI Yarn Setup on Getting Data In. 3 weeks ago
- Posted Failed Create Component SplunkUI Yarn Setup on Getting Data In. 3 weeks ago
- Posted Re: Error Ingest Data AWS Cloudtrail "error=Traceback (most recent call last):" on Deployment Architecture. 3 weeks ago
- Posted Re: Error Ingest Data AWS Cloudtrail "error=Traceback (most recent call last):" on Deployment Architecture. 3 weeks ago
- Karma Re: Error Ingest Data AWS Cloudtrail "error=Traceback (most recent call last):" for livehybrid. 3 weeks ago
- Posted Error Ingest Data AWS Cloudtrail "error=Traceback (most recent call last):" on Deployment Architecture. 3 weeks ago
- Posted Re: Splunk SOAR Supplies status invalid in result on Splunk SOAR. 05-30-2025 02:56 AM
a week ago
Hi @LAME-Creations When I send an event to SOAR manually, I get a difference such as user=admin and mode=adhoc. Whereas if I wait for adaptive response from mission control, it is mode=saved and user=machinename.
... View more
a week ago
Hi @LAME-Creations Thank you for the explanation, but when I tried to send the manual to SOAR, everything went well. Because I feel that the problem is not there, approximately which part should I check again ?
... View more
a week ago
Hi Everyone, I am experiencing an error when sending events from Mission Control to Splunk SOAR. I always get a failure when the send to SOAR action is automatically triggered through Adaptive Response. Before I automated it, I tried to send event data from Mission Control to SOAR manually by clicking the three dots and then selecting 'Run Adaptive Response Actions' and everything went smoothly. Has anyone ever experienced a similar problem? Danke, Zake
... View more
Labels
3 weeks ago
After further investigation, the file created from SplunkUI is located in the /etc/apps directory and must be moved to /opt/splunk/etc/apps/ so that it can be accessed from the Splunk browser.
... View more
3 weeks ago
Hi Everyone, I am trying to install SplunkUI to explore it, the documentation I followed is from the following link https://splunkui.splunk.com/Packages/create/CreatingSplunkApps And when I reached the 'yarn start' stage, everything went smoothly. However, when I restarted Splunk to see the results, I couldn't see any changes from before. Does anyone know about this issue?
... View more
3 weeks ago
Fix the yarn version, install yarn correctly sudo npm install -g yarn@1.22.19
... View more
3 weeks ago
My bad, the solution is insatll yarn correctly. my yarn is wrong installation
... View more
3 weeks ago
Hi @livehybrid Thanks for your reply, when i try to type "yarn run setup" i got error like this. What yarn version you use btw ?
... View more
3 weeks ago
Hi Everyone, I encountered an issue while creating a new component for SplunkUI. I have followed the documentation tutorial https://splunkui.splunk.com/Packages/create/CreatingSplunkApps as well as the writings from others here https://blog.scrt.ch/2023/01/03/getting-started-with-splunkui/ but I am facing an error as shown in the image below. My Setup : node -v v18.19.1 npm -v 9.2.0 npx yarn -v 1.22.22
... View more
3 weeks ago
Hi @livehybrid I have changed the interval to 600 seconds, but the data is still not available. Is there any other solution that you know?
... View more
3 weeks ago
Thanks for your reply, I will try to change the interval time to 600 seconds first.
... View more
3 weeks ago
Hi Everyone, I encountered an error while ingesting sourcetype=aws:cloudtrails in AWS Apps. I attempted to ingest data from the following sources: aws:waflogs, aws:network-firewall-log, aws:cloudtrails, aws:securityhub-log-group. However, upon checking, only aws:waflogs and aws:network-firewall-log were ingested. Attached below are the errors from the logs. Also i screenshot inputs config from the apps side here : Last i show you the proof if i only received that 2 sourctypes here : If you have any experience from this issue, please give me the answer. Danke, Zake
... View more
Labels
- Labels:
-
heavy forwarder
-
indexer
-
search head
05-30-2025
02:56 AM
My bad, i was type it hardcode and typo in Capital. it worked if i change it to all lowercase
... View more
05-27-2025
02:25 AM
When importing playbooks from the Splunk Research repository https://research.splunk.com/playbooks/ the imported playbooks appear with "Input" status and cannot be activated through the standard interface. Additionally, attempts to delete these inactive playbooks result in errors or incomplete deletion processes. Question is : 1. Is there a best way to import and activate it? (However, it still needs configuration like an API) 2. Why can't I delete this from the playbook list even though I have logged in with an admin privilege account ?
... View more
Labels
05-23-2025
03:02 AM
I don't have any trouble in the first update event, the trouble only in the second. in the first status can be changed perfectly also the comment is fine.
... View more
05-23-2025
01:20 AM
Hi Everyone, I encountered an error in UBA, specifically related to the 'caspida-outputconnector'. While the issue can be resolved by restarting UBA, I would like to understand the root cause. I have already reviewed the configuration file at '/etc/caspida/local/conf/uba-site.properties' and confirmed that everything appears to be correct. I have also tested the HEC token, and it is functioning properly. Does anyone have experience or guidance on how to troubleshoot and identify the root cause of this issue?
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
05-23-2025
12:39 AM
It's because VirusTotal version, all is good after i change to VirusTotalV3
... View more
05-23-2025
12:20 AM
Hi i want create simple playbook to detect data from Incident Response it can send to SOAR to automate analyze like Virustotal. I just want VirusTotal to analyze it and write the result in comment and with status "In Progress" or "Pending" i SS the flow and i think it very possible. but i got confused error "The supplied status is invalid" Also here my python sourcecode """
"""
import phantom.rules as phantom
import json
from datetime import datetime, timedelta
@phantom.playbook_block()
def on_start(container):
phantom.debug('on_start() called')
# call 'update_event_1' block
update_event_1(container=container)
return
@phantom.playbook_block()
def update_event_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("update_event_1() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.event_id","artifact:*.id"])
parameters = []
# build parameters list for 'update_event_1' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"status": "in progress",
"comment": "Tahap analisa via SOAR",
"event_ids": container_artifact_item[0],
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("update event", parameters=parameters, name="update_event_1", assets=["soar_es"], callback=ip_reputation_1)
return
@phantom.playbook_block()
def ip_reputation_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("ip_reputation_1() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.src","artifact:*.id"])
parameters = []
# build parameters list for 'ip_reputation_1' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"ip": container_artifact_item[0],
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("ip reputation", parameters=parameters, name="ip_reputation_1", assets=["virtotv3-trialzake"], callback=decision_1)
return
@phantom.playbook_block()
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("decision_1() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["ip_reputation_1:action_result.summary.malicious", ">", 0]
],
delimiter=None)
# call connected blocks if condition 1 matched
if found_match_1:
update_event_2(action=action, success=success, container=container, results=results, handle=handle)
return
# check for 'else' condition 2
update_event_3(action=action, success=success, container=container, results=results, handle=handle)
return
@phantom.playbook_block()
def update_event_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("update_event_2() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
comment_formatted_string = phantom.format(
container=container,
template="""Information from SOAR : \nSource : {0}\nHarmles : {1} \nMalicious : {2}""",
parameters=[
"ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.source",
"ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.harmless",
"ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.malicious"
])
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.event_id","artifact:*.id"])
ip_reputation_1_result_data = phantom.collect2(container=container, datapath=["ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.source","ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.harmless","ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.malicious","ip_reputation_1:action_result.parameter.context.artifact_id"], action_results=results)
parameters = []
# build parameters list for 'update_event_2' call
for container_artifact_item in container_artifact_data:
for ip_reputation_1_result_item in ip_reputation_1_result_data:
if container_artifact_item[0] is not None:
parameters.append({
"event_ids": container_artifact_item[0],
"status": "Pending",
"comment": comment_formatted_string,
"context": {'artifact_id': ip_reputation_1_result_item[3]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("update event", parameters=parameters, name="update_event_2", assets=["soar_es"])
return
@phantom.playbook_block()
def lookup_ip_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("lookup_ip_1() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.src","artifact:*.id"])
parameters = []
# build parameters list for 'lookup_ip_1' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"days": 10,
"ip": container_artifact_item[0],
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("lookup ip", parameters=parameters, name="lookup_ip_1", assets=["abuseipdb"])
return
@phantom.playbook_block()
def format_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("format_1() called")
template = """Detail : {0}\nSeverity : {1}\nSource : {2}\nHarmles : {3}\nMalicious : {4}\n"""
# parameter list for template variable replacement
parameters = [
"ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.detail",
"ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.severity",
"ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.source",
"ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.harmless",
"ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.malicious"
]
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.format(container=container, template=template, parameters=parameters, name="format_1")
return
@phantom.playbook_block()
def update_event_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("update_event_3() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.event_id","artifact:*.id"])
parameters = []
# build parameters list for 'update_event_3' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"event_ids": container_artifact_item[0],
"status": "Pending",
"comment": "Safe from Virus Total",
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("update event", parameters=parameters, name="update_event_3", assets=["soar_es"])
return
@phantom.playbook_block()
def on_finish(container, summary):
phantom.debug("on_finish() called")
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
return
... View more
Labels
- Labels:
-
configuration
-
using SOAR ⁄ Phantom
05-22-2025
02:53 AM
What i want is from ES if it send to SOAR it will detect src IP then get information from VIrustotal, if it malicious it will write a note "Malicious from VirusTotal" and change the status to "Pending" to make sure monitoring team will double check it. i share screenshot for playbook Also here the code """
"""
import phantom.rules as phantom
import json
from datetime import datetime, timedelta
@phantom.playbook_block()
def on_start(container):
phantom.debug('on_start() called')
# call 'update_event_1' block
update_event_1(container=container)
return
@phantom.playbook_block()
def update_event_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("update_event_1() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.event_id","artifact:*.id"])
parameters = []
# build parameters list for 'update_event_1' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"status": "in progress",
"comment": "tahap analisa via SOAR",
"event_ids": container_artifact_item[0],
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("update event", parameters=parameters, name="update_event_1", assets=["soar_es"], callback=ip_reputation_1)
return
@phantom.playbook_block()
def ip_reputation_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("ip_reputation_1() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.src","artifact:*.id"])
parameters = []
# build parameters list for 'ip_reputation_1' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"ip": container_artifact_item[0],
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("ip reputation", parameters=parameters, name="ip_reputation_1", assets=["virustotalv3"], callback=decision_1)
return
@phantom.playbook_block()
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("decision_1() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["ip_reputation_1:action_result.data.*.detected_communicating_samples.*.positives", ">", 0]
],
delimiter=None)
# call connected blocks if condition 1 matched
if found_match_1:
update_event_2(action=action, success=success, container=container, results=results, handle=handle)
return
return
@phantom.playbook_block()
def update_event_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("update_event_2() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
update_event_1_result_data = phantom.collect2(container=container, datapath=["update_event_1:action_result.parameter.event_ids","update_event_1:action_result.parameter.context.artifact_id"], action_results=results)
parameters = []
# build parameters list for 'update_event_2' call
for update_event_1_result_item in update_event_1_result_data:
if update_event_1_result_item[0] is not None:
parameters.append({
"status": "Pending",
"comment": "Source IP is Malicious from VirusTotal",
"event_ids": update_event_1_result_item[0],
"context": {'artifact_id': update_event_1_result_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("update event", parameters=parameters, name="update_event_2", assets=["soar_es"])
return
@phantom.playbook_block()
def on_finish(container, summary):
phantom.debug("on_finish() called")
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
return
... View more
05-22-2025
01:54 AM
I've obtained this information from VirusTotal, and I want to create a playbook to check IP reputation and retrieve the results. I want to make a decision where if the result is greater than 0, it will write a note stating 'It's malicious from VirusTotal.' You can see this example: Community Score or information like '4/94 security vendors flagged.' I want to compare it according to VirusTotal from the playbook. However, when I run it, it only shows 'detected urls: 2.' Can someone explain this?
... View more
Labels
- Labels:
-
distributed search
-
search head
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Sunday
|
Karma given to
