Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Splunk App for SOAR Export release notes

Welcome to release 4.3.2

This release of Splunk App for SOAR Export, released on September 27, 2023, includes the following enhancements:

Feature Description
Improved performance To avoid using too many resources, phantom_retry can now retrieve a maximum of 250 records from the KV Store.
Updated cim_actions.py Updated cim_actions.py to a more recent version.

Fixed issues in this release

This version of Splunk App for SOAR Export fixes the following issues:

Date resolved Issue number Description
2023-12-04 PAPP-30740 Alert action 'sensitivity' field appears to already select 'Red'; requires making a selection
2023-08-14 PAPP-17108 Adaptive Response Relay produces error message in Cloud
2023-08-08 PAPP-31554 Artifact title missing in SOAR when posting via scheduled alert actions
2023-08-08 PAPP-31536 Red sensitivity auto populated
2023-08-03 PAPP-31340 ES Notable multiline comments are not exported to SOAR
2023-07-18 PAPP-31327 Default severities not retrieved for servers without Observer role
2023-07-11 PAPP-31172 phantom_retry causes Out of Memory if there are too many records in collection
2023-06-28 PAPP-31145 phantom_retry 403 error due to missing permissions

Known issues in this release

This version of Splunk App for SOAR Export has the following known issues. If there are no known issues listed below, this version has no known issues.

Date filed Issue number Description
2024-06-27 PAPP-34267 Error "A saved search with that name already exists" when more than 30 Event Forwarding configurations exist

Workaround:
Workaround 1: in the Python script apps/phantom/bin/phantom_splunk.py, add one more argument, "count=999" (or count=0 for no limit), to the REST request in the function get_savedsearch(self, search_name, app_endpoint=None). The REST endpoint returns at most 30 entries by default, so with more than 30 event forwarding searches the listing is truncated and an existing search is not found.
{noformat}
    def get_savedsearch(self, search_name, app_endpoint=None):
        endpoint = SAVED_SEARCHES_ENDPOINT + '/' + quote(search_name)
        if app_endpoint:
            endpoint = app_endpoint
        args = {
            'output_mode': 'json',
            # The default count is 30 (maximum number of entries to return), see
            # https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog
            # Workaround: raise the count to avoid "A saved search with that name already exists."
            'count': '999',
        }
        try:
            response, content = splunk.rest.simpleRequest(endpoint,
                                                          method='GET',
                                                          sessionKey=self.session,
                                                          getargs=args)
{noformat}

Workaround 2: in the Python script apps/phantom/bin/phantom_splunk.py, in the function delete_saved_search(self, search_name), change "content = self.get_savedsearch(search_name, SAVED_SEARCHES_PH_GET_ENDPOINT)" to "content = self.get_savedsearch(search_name)" so that the search is fetched by name instead of from the count-limited listing.
{noformat}
    def delete_saved_search(self, search_name):
        # Nothing to delete for an empty or whitespace-only name
        if not search_name or not search_name.strip():
            return
        #content = self.get_savedsearch(search_name, SAVED_SEARCHES_PH_GET_ENDPOINT)
        content = self.get_savedsearch(search_name)
        entries = content.get('entry', [])
        if not entries:
            return
        for item in entries:
            if item.get('name') == search_name:
                entry = item
        if entry.get('content', {}).get('action.script.filename') != 'phantom_forward.py':
            self.logger.warning('Not deleting {}, does not appear to be our own search'.format(search_name))
            return
        path = SAVED_SEARCHES_ENDPOINT
        path += search_name
        self.rest(path, {}, 'DELETE')
{noformat}
2024-02-28 PAPP-33280 Adaptive Response Action needs more time to send data
2024-02-23 PAPP-33268 Saved search name with "slash" in event forwarding configuration doesn't give the custom mappings
2023-12-07 PAPP-32614 If field names are mapped, the Artifacts tab should display only the custom mapped field names and not the original field names

Workaround:
No workaround found.
2023-11-21 PAPP-32468 Failed adaptive response action statuses erroneously display as successful

Workaround:
To see the accurate status, refresh the page after about 30 minutes.
2021-03-01 PAPP-15101 Alert Action config: Account names not replicated across search head cluster
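The two PAPP-34267 workarounds above both sidestep the REST API's default page size of 30. The following added example (not the app's own code) simulates the saved-search endpoints in plain Python to show how a count-limited listing misses the 31st search and triggers the "already exists" error, while count=999 or count=0 (workaround 1) or a direct lookup by name (workaround 2) finds it. The endpoint paths, the fake_rest_get helper and the 35 constructed search names are stand-ins.

```python
from urllib.parse import quote

# Constructed stand-in for the saved-search REST data: 35 event forwarding
# searches, more than the REST API's default page size of 30.
SAVED_SEARCHES = [
    {"name": f"phantom_forward_{i:02d}",
     "content": {"action.script.filename": "phantom_forward.py"}}
    for i in range(1, 36)
]
DEFAULT_COUNT = 30  # REST default for 'count' (maximum entries returned)


def fake_rest_get(endpoint, getargs):
    """Hypothetical GET on 'saved/searches' (listing) or 'saved/searches/<name>'.
    The listing honours 'count' like the real API: 0 means no limit."""
    if endpoint == "saved/searches":
        count = int(getargs.get("count", DEFAULT_COUNT))
        entries = SAVED_SEARCHES if count == 0 else SAVED_SEARCHES[:count]
        return {"entry": list(entries)}
    prefix = "saved/searches/"
    if endpoint.startswith(prefix):
        wanted = endpoint[len(prefix):]
        return {"entry": [e for e in SAVED_SEARCHES if quote(e["name"]) == wanted]}
    raise ValueError("unknown endpoint " + endpoint)


def saved_search_exists(search_name, app_endpoint=None, count=None):
    """Same lookup shape as get_savedsearch in the issue: scan a listing
    endpoint (page-size limited) or, with app_endpoint=None, fetch by name."""
    endpoint = app_endpoint or "saved/searches/" + quote(search_name)
    args = {"output_mode": "json"}
    if count is not None:
        args["count"] = str(count)  # workaround 1: pass 999, or 0 for no limit
    content = fake_rest_get(endpoint, args)
    return any(e.get("name") == search_name for e in content.get("entry", []))


def create_saved_search(search_name, app_endpoint=None, count=None):
    """Create only if the lookup says the name is free. A truncated listing
    reports the 31st search as free, and the backend then rejects the create
    with the error text from PAPP-34267."""
    if saved_search_exists(search_name, app_endpoint, count):
        return "exists"
    if any(e["name"] == search_name for e in SAVED_SEARCHES):
        raise RuntimeError("A saved search with that name already exists")
    SAVED_SEARCHES.append({"name": search_name, "content": {}})
    return "created"
```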
Last modified on 15 October, 2024

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.2