Splunk App for SOAR Export release notes
Welcome to release 4.3.13
This release of Splunk App for SOAR Export, released on June 5, 2024, includes the following enhancements:
Feature | Description |
---|---|
New email datatype | Added a new CEF data type, email, used in both event forwarding and global field mapping. |
Updated search API endpoint to version 2 | Updated from Splunk search API endpoint version 1. |
Increased time to send Adaptive Response Action data | Time allotted increased to 10 minutes, to accommodate sending larger amounts of data. |
Event forwarding: FIPS mode | Splunk App for SOAR Export now uses a call to /services/server/info to check if your Splunk deployment is in FIPS mode. FIPS mode affects the SOAR container and artifact source_data_identifier hashes: |
Updated libraries | Updated the following libraries: |
Fixed issues in this release
This version of Splunk App for SOAR Export fixes the following issues:
Date resolved | Issue number | Description |
---|---|---|
2024-05-01 | PAPP-32468 | Failed adaptive response action statuses erroneously display as successful |
2024-03-25 | PAPP-33359 | Improve stability to address missing modules that can cause occasional interruptions |
2024-03-06 | PAPP-15101 | Alert Action config: Account names not replicated across search head cluster |
2024-02-28 | PAPP-33280 | Adaptive Response Action needs more time to send data |
2024-02-14 | PAPP-32614 | If field names mapped, Artifacts tab only needs to display custom mapped field names and not original field names |
Known issues in this release
This version of Splunk App for SOAR Export has the following known issues. If there are no issues listed, there are currently no known issues in this release.
Date filed | Issue number | Description |
---|---|---|
2024-06-27 | PAPP-34267 | Error "A saved search with that name already exists" when more than 30 Event Forwarding configurations exist. Two workarounds are described below this table. |
2024-02-23 | PAPP-33268 | Saved search name with "slash" in event forwarding configuration doesn't give the custom mappings |

Workarounds for PAPP-34267

Workaround 1: in the Python script apps/phantom/bin/phantom_splunk.py, add one more argument, "count=999" (or count=0 for no limit), to the REST request in the function get_savedsearch(self, search_name, app_endpoint=None). The Splunk REST endpoint returns at most 30 entries when count is omitted, so the lookup misses saved searches beyond the first 30.

```python
def get_savedsearch(self, search_name, app_endpoint=None):
    endpoint = SAVED_SEARCHES_ENDPOINT + '/' + quote(search_name)
    if app_endpoint:
        endpoint = app_endpoint
    args = {
        'output_mode': 'json',
        # default count is 30 for Maximum number of entries to return.
        # https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog
        # workaround is to increase the count for issue "A saved search with that name already exists."
        'count': '999',
    }
    try:
        response, content = splunk.rest.simpleRequest(endpoint, method='GET', sessionKey=self.session, getargs=args)
        # ... remainder of the method unchanged
```

Workaround 2: in the same script, apps/phantom/bin/phantom_splunk.py, change "content = self.get_savedsearch(search_name, SAVED_SEARCHES_PH_GET_ENDPOINT)" to "content = self.get_savedsearch(search_name)" in the function delete_saved_search(self, search_name).

```python
def delete_saved_search(self, search_name):
    if not search_name and search_name.strip():
        return
    #content = self.get_savedsearch(search_name, SAVED_SEARCHES_PH_GET_ENDPOINT)
    content = self.get_savedsearch(search_name)
    entries = content.get('entry', [])
    if not entries:
        return
    for item in entries:
        if item.get('name') == search_name:
            entry = item
    if entry.get('content', {}).get('action.script.filename') != 'phantom_forward.py':
        self.logger.warning('Not deleting {}, does not appear to be our own search'.format(search_name))
        return
    path = SAVED_SEARCHES_ENDPOINT
    path += search_name
    self.rest(path, {}, 'DELETE')
```
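The following is an added example, not code from Splunk App for SOAR Export, that reproduces the root cause of PAPP-34267 offline: a saved-search lookup that relies on the REST API's default page size (count=30) cannot see the 31st and later entries, while a lookup that pages with count and offset (or passes count=0) finds them. The fake_rest_get function and the 35 saved-search names are constructed stand-ins for splunk.rest.simpleRequest and the /services/saved/searches endpoint.

```python
DEFAULT_COUNT = 30  # Splunk REST page size when the request omits count

# Constructed sample: 35 saved searches, as /services/saved/searches would list them.
CATALOGUE = [
    {'name': 'phantom_forward_%02d' % i,
     'content': {'action.script.filename': 'phantom_forward.py'}}
    for i in range(35)
]


def fake_rest_get(endpoint, getargs):
    """Hypothetical stand-in for splunk.rest.simpleRequest(method='GET').

    Honors count (0 = no limit) and offset the way the Splunk REST API does and
    returns the same {'entry': [...], 'paging': {...}} shape as output_mode=json.
    """
    count = int(getargs.get('count', DEFAULT_COUNT))
    offset = int(getargs.get('offset', 0))
    page = CATALOGUE[offset:] if count == 0 else CATALOGUE[offset:offset + count]
    return {'entry': page,
            'paging': {'total': len(CATALOGUE), 'offset': offset, 'perPage': count}}


def saved_search_exists_default(name, rest_get=fake_rest_get):
    """Pre-workaround behaviour: one request with the default page size.

    Any saved search past the first 30 is invisible to this check, so the app
    can conclude a name is free and then hit "already exists" on creation.
    """
    resp = rest_get('/services/saved/searches', {'output_mode': 'json'})
    return any(e['name'] == name for e in resp['entry'])


def saved_search_exists_paged(name, rest_get=fake_rest_get, page_size=30):
    """Walks every page with count/offset until paging.total is exhausted."""
    offset = 0
    while True:
        resp = rest_get('/services/saved/searches',
                        {'output_mode': 'json', 'count': str(page_size),
                         'offset': str(offset)})
        if any(e['name'] == name for e in resp['entry']):
            return True
        offset += len(resp['entry'])
        if not resp['entry'] or offset >= resp['paging']['total']:
            return False
```

Calling saved_search_exists_default('phantom_forward_33') returns False even though the search exists, while saved_search_exists_paged finds it; page_size=0 mirrors the count=0 variant of workaround 1.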
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.13