I need my Phantom playbook to be able to close a Splunk ES notable event when it's completed; this requires the event_id field, which is not included in the artifact when using the adaptive response.
Has anyone found a clever solution?
This is possible when using the Phantom app for Splunk; however, we need to pivot and start using the AR.
Using the notable macro is the correct answer, and yet it is missing a piece or two. We (ProServ) recommend the use of Event Forwarding with the appropriate Phantom instance configured and working. This will allow you to forward events with global mappings (available in 3.x of the Phantom App for Splunk). Using this model makes it easy to do several things.

1. You won't have to go to every rule and add an adaptive response action, but you will have to either use a tag, label or naming convention in your rules for your Event Forwarding saved search to find (like PROD).

This configuration, when properly deployed, will allow you to update a rule, and then the appropriate Event Forwarding search configuration will find the data and forward it to Phantom from a search that used the notable macro, which has the event_id you are looking for Phantom to have in order to update the notable.
Adaptive Response does not update the notable fast enough for Splunk to send the data to Phantom, and thus it's not available. A new integration is on the horizon, and this will be a thing of the past. But this is the workaround to push data back to Splunk via a notable update.
@rgresham_splunk, is this the only solution to date to forward event_id from Splunk to Phantom, or do we have any other method? We are looking to use Adaptive Response, but because event_id is not getting populated in Phantom we are not able to utilize this option. Thanks in advance.
We changed the CIM that pushes the event to Phantom to add event_id, then in Phantom, the event id is available.
Thank you, Can you expand on 'changed the CIM' ?
We cloned the Notable event data model and added event_id as a field in the data model. Then in the Phantom app for Splunk, used that data model to select events and passed the event id across to Phantom.
How can we filter fields when sending the event to Phantom from ES? By default, ES will send all fields of the notable event to Phantom, but a lot of them are useless for Phantom's investigation. Thank you.
Very cool solution, thank you for sharing.
You can use the notable macro to pull the events from Splunk to Phantom. Thus you will get the event_id as an artifact.
The notable macro doesn't work when it's being called by an adaptive response action.
I can't say that I have tackled this specific scenario before, but my first approach in general would be to use the Splunk 'run query' action and use the details available to identify the notable and then pull the ID from the results.
Thank you phantom_mike, I'm going down that road.
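The "run query" route phantom_mike describes, worked through as an added example (this is not code from the thread, from the Phantom app for Splunk, or from Splunk ES): build the SPL for the Splunk app's run query action from what the adaptive response artifact does carry, use the `notable` macro (the same macro the Event Forwarding saved search above relies on) so that event_id is populated in the results, match the returned rows back to the artifact, and produce the parameters for an "update event" call. The assumptions are labelled in the code: that the artifact's cef carries rule_name plus the originating search id and result id (orig_sid/orig_rid) that the notable index also stores, that run query results arrive as a list of row dicts, and that the update event action takes event_ids/status/comment. The artifact and result rows are constructed sample data. An empty result set is handled as the expected first-pass outcome, since rgresham_splunk notes above that the adaptive response fires before the notable is indexed.

```python
# Added example for a Phantom playbook (not from the thread, the Phantom app
# or Splunk ES).  Assumed: the AR artifact cef has rule_name/orig_sid/orig_rid,
# which the notable index also stores; "run query" rows are dicts; "update
# event" takes event_ids/status/comment.  Sample data below is constructed.
from typing import Dict, List, Optional

MATCH_FIELDS = ("rule_name", "orig_sid", "orig_rid")  # assumed present on both sides


def spl_quote(value) -> str:
    """Quote an artifact value for SPL so a rule name containing quotes or
    backslashes cannot alter the query (the value is data, not our own text)."""
    s = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{s}"'


def build_notable_search(cef: Dict, lookback: str = "-15m@m",
                         match_fields=MATCH_FIELDS) -> str:
    """SPL for the run query action.  `notable` expands the notable index with
    event_id populated; the pipeline after it does not depend on the macro's
    internals, so time filtering is done with where/relative_time."""
    clauses = [f"{f}={spl_quote(cef[f])}" for f in match_fields if cef.get(f)]
    if not clauses:
        raise ValueError("artifact has none of the fields needed to match a notable")
    return ("`notable` | search " + " ".join(clauses)
            + f' | where _time >= relative_time(now(), "{lookback}")'
            + " | table event_id rule_name orig_sid orig_rid _time status")


def _epoch(row: Dict) -> float:
    try:
        return float(row.get("_time", 0))
    except (TypeError, ValueError):
        return 0.0


def pick_event_id(rows: List[Dict], cef: Dict, match_fields=MATCH_FIELDS) -> Optional[str]:
    """Return the event_id of the newest row matching the artifact, or None.
    None on the first attempt is normal: the adaptive response runs before the
    notable is indexed, so the playbook should wait and query again rather
    than treat an empty result as an error."""
    wanted = {f: str(cef[f]) for f in match_fields if cef.get(f)}
    hits = [r for r in rows
            if r.get("event_id") and all(str(r.get(f)) == v for f, v in wanted.items())]
    if not hits:
        return None
    hits.sort(key=_epoch, reverse=True)
    return hits[0]["event_id"]


def update_event_params(event_id: str, comment: str, status: str = "closed") -> Dict:
    """Parameters for the Splunk app's update event action (names assumed)."""
    if not event_id:
        raise ValueError("refusing to update a notable without an event_id")
    return {"event_ids": event_id, "status": status, "comment": comment}


# Constructed sample data, not taken from any real ES instance.
ARTIFACT_CEF = {
    "rule_name": "Brute Force Access Behavior Detected",
    "orig_sid": "scheduler__admin__ess__sample_sid_1",
    "orig_rid": "3",
}
RUN_QUERY_ROWS = [
    {"event_id": "SAMPLE-SID-1@@notable@@aaaa0001",
     "rule_name": "Brute Force Access Behavior Detected",
     "orig_sid": "scheduler__admin__ess__sample_sid_1", "orig_rid": "2",
     "_time": "1700000000", "status": "1"},
    {"event_id": "SAMPLE-SID-1@@notable@@aaaa0002",
     "rule_name": "Brute Force Access Behavior Detected",
     "orig_sid": "scheduler__admin__ess__sample_sid_1", "orig_rid": "3",
     "_time": "1700000060", "status": "1"},
]


def run_example() -> Dict:
    """The two passes a playbook goes through; results returned for checking."""
    query = build_notable_search(ARTIFACT_CEF)
    first_pass = pick_event_id([], ARTIFACT_CEF)     # nothing indexed yet -> None, retry
    event_id = pick_event_id(RUN_QUERY_ROWS, ARTIFACT_CEF)
    params = update_event_params(event_id, "Closed by Phantom playbook")
    return {"query": query, "first_pass": first_pass,
            "event_id": event_id, "params": params}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

In the playbook, the string from build_notable_search goes into the query parameter of the run query action; when its callback receives rows, pick_event_id either yields the event_id to feed the update event action or returns None, in which case the playbook should pause briefly and run the query again instead of failing, because of the indexing lag described above.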