Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Splunk App for SOAR Export release notes

Welcome to release 4.3.13

This release of Splunk App for SOAR Export, released on June 5, 2024, includes the following enhancements:

Feature / Description

New email datatype
  Added a new CEF data type, email, used in both event forwarding and global field mapping.

Updated search API endpoint to version 2
  Updated from version 1 of the Splunk search API endpoint to version 2.

Increased time to send Adaptive Response Action data
  The time allotted is increased to 10 minutes, to accommodate sending larger amounts of data.

Event forwarding: FIPS mode
  Splunk App for SOAR Export now calls /services/server/info to check whether your Splunk deployment is in FIPS mode. FIPS mode determines the hash algorithm used for the SOAR container and artifact source_data_identifier values:
    • If Splunk is in FIPS mode, these hashes are sha256.
    • If Splunk is not in FIPS mode, these hashes are md5.

Updated libraries
  Updated the following libraries:
    • axios updated to 0.28.0
    • certifi updated to 2023.07.22
    • cloudconnectlib updated to 3.1.3
    • httplib2 updated to 0.22.0
    • requests updated to 2.31.0
    • setuptools updated to 69.1.0
    • splunklib updated to 1.7.4
    • splunktalib updated to 3.0.4
    • urllib3 updated to 1.26.7
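The FIPS-mode behaviour above, shown as an added example. This is not the app's own code: it parses a constructed /services/server/info JSON payload (the field name "fips_mode" is an assumption about that endpoint's response), chooses sha256 or md5 accordingly, and handles the one trap a FIPS-enforcing OpenSSL sets for the md5 path.

```python
"""Choose the source_data_identifier hash from the server's FIPS state.

Added example; not Splunk App for SOAR Export code. The server/info payloads
below are constructed, and the "fips_mode" key name is an assumption.
"""
import hashlib
import json

# Constructed samples of a GET /services/server/info?output_mode=json body.
# Only the fields this example reads are present.
SERVER_INFO_FIPS = json.dumps({
    "entry": [{"name": "server-info",
               "content": {"version": "9.2.1", "fips_mode": True}}]
})
SERVER_INFO_NON_FIPS = json.dumps({
    "entry": [{"name": "server-info",
               "content": {"version": "9.2.1", "fips_mode": False}}]
})
SERVER_INFO_UNKNOWN = json.dumps({
    "entry": [{"name": "server-info", "content": {}}]
})


def is_fips_mode(server_info_json):
    """Return True only when server/info explicitly reports FIPS mode.

    A missing or malformed field is treated as non-FIPS, which matches the
    pre-4.3.13 behaviour (always md5). Callers that must not fall back
    silently should check for the field's presence themselves.
    """
    try:
        content = json.loads(server_info_json)["entry"][0]["content"]
    except (ValueError, KeyError, IndexError, TypeError):
        return False
    value = content.get("fips_mode", False)
    if isinstance(value, str):  # defensive: XML-derived clients may hand back "1"/"0"
        return value.strip().lower() in ("1", "true")
    return bool(value)


def _md5(data):
    # usedforsecurity=False (Python 3.9+) tells a FIPS-enforcing OpenSSL that
    # this md5 is an identifier, not a security control; without it the call
    # raises on such builds. Older interpreters reject the keyword, so fall
    # back to the plain call there.
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        return hashlib.md5(data)


def source_data_identifier(raw_identifier, fips_mode):
    """Hash an identifier string with the algorithm the deployment mode requires.

    Returns (algorithm_name, hex_digest).
    """
    data = raw_identifier.encode("utf-8")
    if fips_mode:
        return "sha256", hashlib.sha256(data).hexdigest()
    return "md5", _md5(data).hexdigest()


def identifier_for(server_info_json, raw_identifier):
    """Read the mode from a server/info body, then hash the identifier."""
    return source_data_identifier(raw_identifier, is_fips_mode(server_info_json))


if __name__ == "__main__":
    for label, payload in (("FIPS", SERVER_INFO_FIPS), ("non-FIPS", SERVER_INFO_NON_FIPS)):
        algo, digest = identifier_for(payload, "abc")
        print("{}: {} {}".format(label, algo, digest))
```

Because the two digests differ, switching an existing deployment into or out of FIPS mode changes every source_data_identifier the app produces, so artifacts forwarded before and after the switch are not recognised as the same source data. Plan that change the way you would plan a re-index.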

Fixed issues in this release

This version of Splunk App for SOAR Export fixes the following issues:

Date resolved   Issue number   Description
2024-05-01      PAPP-32468     Failed adaptive response action statuses erroneously display as successful
2024-03-25      PAPP-33359     Improve stability to address missing modules that can cause occasional interruptions
2024-03-06      PAPP-15101     Alert Action config: account names not replicated across search head cluster
2024-02-28      PAPP-33280     Adaptive Response Action needs more time to send data
2024-02-14      PAPP-32614     If field names are mapped, the Artifacts tab only needs to display the custom mapped field names, not the original field names

Known issues in this release

This version of Splunk App for SOAR Export has the following known issues. If there are no issues listed, there are currently no known issues in this release.

Date filed    Issue number   Description
2024-06-27    PAPP-34267     Error "A saved search with that name already exists" when more than 30 Event Forwarding configurations exist. See the workaround below.
2024-02-23    PAPP-33268     Saved search name with a "slash" in the event forwarding configuration doesn't give the custom mappings

Workaround for PAPP-34267

The Splunk REST API returns at most 30 entries per request unless you pass a larger count (see the count parameter in the REST API prolog, https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog). Once more than 30 event forwarding saved searches exist, the app's lookup of an existing search can fall outside the first 30 entries returned, which produces the "A saved search with that name already exists" error. Both workarounds are edits to the Python script apps/phantom/bin/phantom_splunk.py on the search head. Keep a record of the change: the file is replaced when the app is upgraded.

Workaround 1: in the function get_savedsearch(self, search_name, app_endpoint=None), add a count argument to the REST request. Use 'count': '999', or 'count': '0' for no limit. Only the count entry is new; the rest of the function stays as shipped.

    def get_savedsearch(self, search_name, app_endpoint=None):
        endpoint = SAVED_SEARCHES_ENDPOINT + '/' + quote(search_name)
        if app_endpoint:
            endpoint = app_endpoint
        args = {
            'output_mode': 'json',
            # The REST API returns at most 30 entries by default (the count
            # parameter, https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog).
            # Raising it is the workaround for "A saved search with that name
            # already exists." Use '0' for no limit.
            'count': '999',
        }
        try:
            response, content = splunk.rest.simpleRequest(endpoint,
                                                          method='GET',
                                                          sessionKey=self.session,
                                                          getargs=args)
        # The except clause and return below only close this excerpt; the
        # shipped function's own response handling is not reproduced here and
        # is unchanged. Callers receive the parsed JSON body.
        except Exception:
            self.logger.exception('GET {} failed'.format(endpoint))
            raise
        return json.loads(content)

Workaround 2: in the function delete_saved_search(self, search_name), change

    content = self.get_savedsearch(search_name, SAVED_SEARCHES_PH_GET_ENDPOINT)

to

    content = self.get_savedsearch(search_name)

so that the lookup goes through the default saved searches endpoint (and therefore through the count argument from workaround 1). The listing below also corrects two defects in the excerpt as printed: the blank-name guard could never trigger for a non-empty name and raised on None, and entry was unbound when no entry matched.

    def delete_saved_search(self, search_name):
        # Skip empty or whitespace-only names (was: "not search_name and
        # search_name.strip()", which never returns for a real name).
        if not search_name or not search_name.strip():
            return
        # Workaround 2: use the default endpoint instead of
        # SAVED_SEARCHES_PH_GET_ENDPOINT.
        #content = self.get_savedsearch(search_name, SAVED_SEARCHES_PH_GET_ENDPOINT)
        content = self.get_savedsearch(search_name)
        entries = content.get('entry', [])
        if not entries:
            return
        entry = None
        for item in entries:
            if item.get('name') == search_name:
                entry = item
                break
        if entry is None:
            return
        # Only delete searches this app created: its alert action runs
        # phantom_forward.py. Anything else is left alone.
        if entry.get('content', {}).get('action.script.filename') != 'phantom_forward.py':
            self.logger.warning('Not deleting {}, does not appear to be our own search'.format(search_name))
            return
        # Build the path the same way get_savedsearch does, so names containing
        # spaces or slashes are URL-encoded.
        path = SAVED_SEARCHES_ENDPOINT + '/' + quote(search_name)
        self.rest(path, {}, 'DELETE')
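The failure behind PAPP-34267, and the general fix, as an added example that is not the app's code. It simulates the saved/searches listing with a constructed set of 36 entries (the stand-in list function, the saved search names, and the base path in delete_path are all assumptions), shows that a single request with the default count of 30 misses the 35th search, and then pages through the listing with offset and count so any number of searches is handled without hard-coding 999 or pulling the whole listing at once. It also URL-encodes the search name, including any slash, when building the REST path.

```python
"""Find a saved search by name through a paged REST listing.

Added example; not Splunk App for SOAR Export code. The listing below is
constructed, and fake_list_saved_searches stands in for a GET on
saved/searches with ?offset=&count=.
"""
from urllib.parse import quote

DEFAULT_COUNT = 30  # Splunk REST default maximum entries per response

# Constructed listing: 34 app-created searches, one more whose name
# contains a slash, and one that belongs to someone else.
SAVED_SEARCHES = [
    {"name": "SOAR Export {:02d}".format(i),
     "content": {"action.script.filename": "phantom_forward.py"}}
    for i in range(1, 35)
] + [
    {"name": "SOAR Export prod/web",
     "content": {"action.script.filename": "phantom_forward.py"}},
    {"name": "Someone else's search",
     "content": {"action.script.filename": "other.py"}},
]


def fake_list_saved_searches(offset=0, count=DEFAULT_COUNT):
    """Stand-in for the REST listing. count=0 means no limit, as in the real API."""
    total = len(SAVED_SEARCHES)
    page = SAVED_SEARCHES[offset:] if count == 0 else SAVED_SEARCHES[offset:offset + count]
    return {"entry": page,
            "paging": {"total": total, "offset": offset, "perPage": count or total}}


def find_saved_search_single_page(name, list_fn=fake_list_saved_searches):
    """The failing pattern: one request, default count, first 30 entries only."""
    for item in list_fn()["entry"]:
        if item.get("name") == name:
            return item
    return None


def find_saved_search(name, list_fn=fake_list_saved_searches, page_size=DEFAULT_COUNT):
    """Walk the listing with offset/count until the name is found or the
    listing is exhausted. Works for any number of saved searches and keeps
    each response small."""
    if page_size <= 0:
        raise ValueError("page_size must be positive; count=0 is a one-shot unlimited request")
    offset = 0
    while True:
        entries = list_fn(offset=offset, count=page_size).get("entry", [])
        for item in entries:
            if item.get("name") == name:
                return item
        if len(entries) < page_size:   # short page: nothing further to fetch
            return None
        offset += page_size


def is_own_search(entry):
    """Guard before deleting: only touch searches whose action runs phantom_forward.py."""
    return entry.get("content", {}).get("action.script.filename") == "phantom_forward.py"


def delete_path(name, base="/servicesNS/nobody/phantom/saved/searches"):
    """Build the DELETE path. safe='' encodes '/' too, so a name with a slash
    stays one path segment. The base path is an assumption."""
    return base + "/" + quote(name, safe="")


if __name__ == "__main__":
    target = "SOAR Export prod/web"
    print("single page:", find_saved_search_single_page(target))
    print("paged:", find_saved_search(target)["name"])
    print("delete path:", delete_path(target))
```

Passing count=0 also works for the lookup, but it returns the entire listing in one response, which grows with every configuration on a busy search head; paging keeps each request bounded and still terminates on the first short page.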
Last modified on 15 October, 2024
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.13

