Re: SOAR- Splunk Notable push through splunk App ...

harishlnu

Hi Team,

Could you please help me on below issue.
I am using splunk App soar export for to push notable to Splunk phantom, but it was creating 2 same artifacts in one container, can you guide how can i avoid create multiple artifact in one container

Thanks in advance

marnall

Yeah the app is not great at deduplicating the notables it sends to SOAR. Ideally you would want this app to run a search, find result with some key field X, then create only one container with one artifact containing that result. Subsequent searches in the app will create a new artifact in the same container, but this is unwanted.

One way around this is to set up your generating search so that it appends the results to a whitelist which is used in later executions of the search to remove the results already seen.

E.g. imagine you have a unique field of "id" in your results. You want only one container+artifact per value of "id".

1. Make a lookup containing one "id" column. E.g. search_whitelist.csv

2. Change your search to append and exclude ids:

| <your search>
| search NOT [| inputlookup search_whitelist.csv | table id]
| outputlookup search_whitelist.csv append=true

3. (optional but recommended) - make another search which removes old entries from the search_whitelist.csv if it gets too big. E.g.

| inputlookup search_whitelist.csv
| sort - id
| head 10000
| outputlookup search_whitelist.csv

SOAR- Splunk Notable push through splunk App soar export

development

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!