Splunk App for SOAR Export release notes

Welcome to release 4.2.3

This release of Splunk App for SOAR Export, released on May 31, 2023, includes the following enhancements:

Feature	Description
Self-service install	You can now install Splunk App for SOAR Export from Splunkbase on your own. For details, see Install Splunk App for SOAR Export on Splunk Enterprise and Install Splunk App for SOAR Export on Splunk Cloud Platform.
Global field mapping	Added a new button on the Global Field Mapping page, so you can add field mappings from that page. For details, see Configure global field mappings.
Artifacts in Splunk SOAR display expanding option	Regardless of whether you specify a Contains field in Splunk App for SOAR Export global field mapping, related artifacts in Splunk SOAR display the small triangle, enabling access to additional information.
Custom severity synchronization	You can use any custom severity values you created in your SOAR instance within Splunk App for SOAR Export. For details, see Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR and Connect Splunk App for SOAR Export and the Splunk Platform to a Splunk SOAR server or Splunk SOAR.
Custom container name for notables	When setting up a saved search to forward notables, you now have a choice in naming the container created in Splunk SOAR. By default, the new container name has the same name as the alert or adaptive response action. This has been the automatic naming in past releases. With this release, you can now choose to have the container name be the source of the event that triggered the alert or adaptive response action. This is new functionality and does not break any existing adaptive response actions or alerts. For additional details, see Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR.
Notable ID sent to Splunk SOAR	If you create a correlation search for an adaptive response action that creates a notable, along with your Send to SOAR or Run Playbook in SOAR request, the event_id of the notable is also sent to Splunk SOAR as a CEF value in the artifact.
Updated props.conf	Updated several aspects of props.conf, including the following: ingesting logs is now more performant log_level is now available for viewing and parsing sourcetype for the following logs no longer have numbers or "small" appended to the end of their names: phantom_forwarding, phantom_configuration, phantom_retry
New sc_admin role	The new sc_admin role now has Splunk App for SOAR Export capabilities, specified in the `authorize.conf` file. A user with the sc_admin role can now assign Splunk App for SOAR Export roles, along with the phantom_read and phantom_write capabilities to other users in Splunk Cloud. This role is also imported during installation for Splunk Enterprise, but has no effect on, and no administrative capabilities within, the Splunk Enterprise installation.

Fixed issues in this release

This version of Splunk App for SOAR Export fixes the following issues:

Date resolved	Issue number	Description
2023-03-20	PAPP-27021	ES Adaptive Response Action Recorded Success Twice
2022-10-19	PAPP-27172	Updating forwarding rule results in error "A saved search with that name already exists"
2022-09-29	PAPP-26850	ITSI - Event forwarding configurations were not being updated to either enabled or disabled. (SOAR EXPORT)

Known issues in this release

This version of Splunk App for SOAR Export has the following known issues:

Date filed	Issue number	Description
2023-08-08	PAPP-31554	Artifact title missing in SOAR when posting via scheduled alert actions
2023-08-03	PAPP-31536	Red sensitivity auto populated
2023-07-19	PAPP-31340	ES Notable multiline comments are not exported to SOAR Workaround: No workaround is available.
2023-07-18	PAPP-31327	Default severities not retrieved for servers without Observer role
2023-05-25	PAPP-30740	Alert action 'sensitivity' field appears to already select 'Red'; requires making a selection Workaround: Select a sensitivity setting, although it looks like 'Red' is already selected.
2021-05-19	PAPP-17108	Adaptive Response Relay produces error message in Cloud Workaround: Create a saved search report to invoke Send to SOAR or Run SOAR Playbook actions, as described in these steps: Create the intended correlation search. For Triggered Actions, do not add the Send to Phantom alert action. Instead, only add the Create Notable alert action. Create a Saved Search Report. Set permissions so that at least Splunk Enterprise Security and Phantom App on Splunk have permissions to read/write. Set a schedule so the search runs on a regular basis. Set the search so the notable is found and all fields are carried over. Include the sendalert in the search, that will look like this: `index=notable \| foreach _* [\| eval "<<FIELD>>"='<<FIELD>>'+500] \| sendalert sendtophantom param.phantom_server="automation (https://10.1.18.147) (ARR)" param.sensitivity="red" param.severity="high" param.label="events" param._cam_workers="[\"hf1\"]" param.relay_account="hf1"` If the key word `_phantom_workaround_description` is present in the results, then that is considered to be the original search description. This search description will be added to the SOAR container description. For the search Test Alert Title, you can send its description by adding the following text to the workaround report's search: \| eval _phantom_workaround_description = [\| rest /services/saved/searches/Test%20Alert%20Title \| eval desc="\"".description."\"" \|return $desc]

Splunk App for SOAR Export release notes

Welcome to release 4.2.3

Fixed issues in this release

Known issues in this release

Comments

Splunk App for SOAR Export release notes

Was this topic useful?