Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Splunk App for SOAR Export release notes

The 4.1.117 version of the Splunk App for SOAR Export includes the following enhancements:

  • The name of the app has been changed to Splunk App for SOAR Export. References to Phantom in the UI have been updated to SOAR, but references in the code still refer to Phantom.
  • The app now removes items from the KV Store if the item has an invalid label in Splunk SOAR.
  • The regular expression in event parsing now accommodates multiline values.
  • Performance improvements for the searches in event forwarding.
  • The default python.version is now python3.

Fixed issues in this release

This version of the Splunk App for SOAR Export was released on March 14, 2022 and fixes the following issues.

Date resolved Issue number Description
2022-02-09 PAPP-22982 phantom_forward.py does not handle multi-valued fields created with strcat and split() functions.
2022-01-31 PAPP-20810 Events in KV Store phantom_retry only sent if container label is valid.
2022-01-31 PAPP-22054 Upon successful phantom_retry, some artifacts end up in same container but should be unique.
2022-01-28 PAPP-19122 The SplunkD path is not set correctly in some cases.
2022-01-18 PAPP-23657 Upgrading from beta version 0.0.19 to release version 4.1.73 gave an error message related to earliest_time and latest_time parameters.
2022-01-07 PAPP-23255 Misleading 403 Forbidden error when syncing workbooks with Splunk cloud.

Known issues in this release

This version of the Splunk App for SOAR Export was released on March 14, 2022 and has the following known issues.

Date filed Issue number Description
2023-08-08 PAPP-31554 Artifact title missing in SOAR when posting via scheduled alert actions
2023-07-19 PAPP-31340 ES Notable multiline comments are not exported to SOAR

Workaround:
No workaround is available.
2022-08-13 PAPP-27172 Updating a forwarding rule results in the error "A saved search with that name already exists"

Workaround:
Searches and forwarding rules can be changed in the .conf files. If you delete the underlying saved search, updating the rule recreates it.

Alternative workaround to change an existing event forwarding rule:
  1. Navigate to the Event Forwarding page in the Splunk App for SOAR Export.
  2. Click "Clone" on the rule you want to modify.
  3. A modal for the cloned rule opens; make your changes there.
  4. After making the changes, click "Save and Close" or "Save and Preview".

2022-08-08 PAPP-27021 ES Adaptive Response Action recorded success twice

Workaround:
Append "dedup sid" to the macro `modular_action_invocations`.
2022-07-15 PAPP-26850 ITSI - Event forwarding configurations were not being updated to either enabled or disabled. (SOAR EXPORT)

Workaround:
The workaround for the previous issue did not work on the ITSI stack.
2021-11-26 PAPP-21689 Send to SOAR sometimes throws "IndexError: list index out of range".
2021-05-19 PAPP-17108 Adaptive Response Relay produces an error message in Cloud

Workaround:
Create a saved search report to invoke Send to SOAR or Run SOAR Playbook actions, as described in these steps:
  1. Create the intended correlation search. For Triggered Actions, do not add the Send to Phantom alert action. Instead, only add the Create Notable alert action.
  2. Create a Saved Search Report.
    • Set permissions so that at least Splunk Enterprise Security and Phantom App on Splunk have permissions to read/write.
    • Set a schedule so the search runs on a regular basis.
    • Set the search so the notable is found and all fields are carried over. Include the sendalert command in the search, which will look like this:
      index=notable | foreach _* [| eval "<<FIELD>>"='<<FIELD>>'+500] | sendalert sendtophantom param.phantom_server="automation (https://10.1.18.147) (ARR)" param.sensitivity="red" param.severity="high" param.label="events" param._cam_workers="[\"hf1\"]" param.relay_account="hf1"

If the field _phantom_workaround_description is present in the results, its value is treated as the original search description and is added to the SOAR container description.
For the search Test Alert Title, you can send its description by adding the following text to the workaround report's search:

| eval _phantom_workaround_description = [| rest /services/saved/searches/Test%20Alert%20Title | eval desc="\"".description."\"" |return $desc]
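As an added, constructed example (not part of the Splunk documentation), the workaround report from the steps above written as a savedsearches.conf stanza together with its permissions entry; the stanza name, cron schedule, dispatch window and the ess_admin role are assumptions, while the server, label and relay values are the ones shown in the search above.

```ini
# Constructed example, not from the Splunk docs. Stanza name, schedule,
# dispatch window and role names are assumptions; server/label/relay values
# are copied from the search shown in the workaround above.

# --- local/savedsearches.conf (in the app that owns the report) ---
[SOAR Export Workaround - Test Alert Title]
# Run on a schedule instead of as a correlation-search alert action
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time = now
# Carry every notable field over, pull the original description from the
# saved search with a rest subsearch, then invoke Send to SOAR.
# A trailing backslash continues the value on the next line.
search = index=notable \
| foreach _* [| eval "<<FIELD>>"='<<FIELD>>'+500] \
| eval _phantom_workaround_description = [| rest /services/saved/searches/Test%20Alert%20Title | eval desc="\"".description."\"" | return $desc] \
| sendalert sendtophantom param.phantom_server="automation (https://10.1.18.147) (ARR)" param.sensitivity="red" param.severity="high" param.label="events" param._cam_workers="[\"hf1\"]" param.relay_account="hf1"

# --- metadata/local.meta (permissions for the report) ---
# Export system-wide so Enterprise Security and the SOAR Export app can read
# it; keep write access to the admin and ES admin roles (role names assumed).
[savedsearches/SOAR%20Export%20Workaround%20-%20Test%20Alert%20Title]
access = read : [ * ], write : [ admin, ess_admin ]
export = system
```

Restart Splunk or reload the saved searches endpoint after editing the files so the scheduler picks up the stanza.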

Last modified on 21 September, 2023

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117

