After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Define aggregation rules to view related data in a single location. Artifacts matching a defined rule are copied to a new container.
To view aggregation rules, follow these steps:
- From the Home menu, select Administration.
- Select Product Settings > Aggregation.
The Aggregation page shows a list of all container labels defined on your system. The number inside the parentheses next to each label is the number of rules defined for that label.
Container labels can be created by an ingestion asset or manually from Home > Administration > Event Settings. For example, you can choose a source label from an ingestion asset like the "Events" label or an "Email" label, then create a destination label such as "Aggregated Events" that makes it clear that containers with that label are aggregated.
Add a new aggregation rule
As an example, you may want to aggregate all containers with matching sourceAddress CEF fields from your "email" label into your "events" label.
To create the example aggregation rule:
- From the Home menu, select Administration.
- Select Product Settings > Aggregation.
- From the Aggregation page, click + Aggregation Rule.
- Specify sourceAddress - Email to Events as the name of the rule.
- Select email from the drop-down list in the Source Label field.
- Select events from the drop-down list in the Destination Label field.
- Select Exact from the Match field to aggregate on the exact contents of the CEF field. You can click on the plus (+) icon to add additional match rules.
- Select sourceaddress in the CEF field. You can start typing the field name to search through the list of available field names.
- Click Save.
Edit an existing aggregation rule
After completing the previous example, perform the following steps to edit an existing aggregation rule in .
- Click on any existing rule. In this example, click email to view a summary of the aggregation rule.
- Click Edit to make changes to the rule.
- Click the trash can icon to remove the rule.
Click + Aggregation Rule to create a new rule. If you create a new rule from the email label rule page, the new rule will automatically populate the Source Label field with email.
Using multiple matches in an aggregation rule
An aggregation rule can have multiple match lines, such as a match on both sourceaddress and destinationaddress.
For this example, both the sourceaddress and destinationaddress must match for an artifact to be aggregated into the same container.
If you treat sourceaddress as the attacker's IP address and destinationaddress as the target's IP address, then artifacts are aggregated into the same destination container only when they share the exact same attacker and victim. So with a target IP address of 1.1.1.1, there is one destination container for attacker IP address 2.2.2.2 and target IP address 1.1.1.1, and a different container for attacker IP address 3.3.3.3 and target IP address 1.1.1.1.
CEF fields are matched even if there is no value. For example, if you have artifacts with a destinationaddress of 1.1.1.1 and no sourceaddress, they are still aggregated together into a destination container.
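The grouping behaviour described above, including the empty-field case, as an added Python model (not Splunk SOAR's own code). The artifacts, the rule structure and the treatment of a missing field as a single "no value" group are assumptions made for the example; field names follow the CEF spelling sourceAddress/destinationAddress.

```python
from collections import defaultdict

# Constructed sample artifacts. "label" is the label of the container the
# artifact sits in; "cef" is the artifact's CEF field dictionary.
ARTIFACTS = [
    {"id": 1, "label": "email", "cef": {"sourceAddress": "2.2.2.2", "destinationAddress": "1.1.1.1"}},
    {"id": 2, "label": "email", "cef": {"sourceAddress": "2.2.2.2", "destinationAddress": "1.1.1.1"}},
    {"id": 3, "label": "email", "cef": {"sourceAddress": "3.3.3.3", "destinationAddress": "1.1.1.1"}},
    {"id": 4, "label": "email", "cef": {"destinationAddress": "1.1.1.1"}},  # no sourceAddress
    {"id": 5, "label": "email", "cef": {"destinationAddress": "1.1.1.1"}},  # no sourceAddress
    {"id": 6, "label": "events", "cef": {"sourceAddress": "2.2.2.2", "destinationAddress": "1.1.1.1"}},
]

# Hypothetical representation of the rule built in the steps above, with two
# exact match lines (sourceAddress and destinationAddress).
RULE = {
    "name": "sourceAddress - Email to Events",
    "source_label": "email",
    "destination_label": "events",
    "match": [("sourceAddress", "exact"), ("destinationAddress", "exact")],
}


def aggregation_key(artifact, rule):
    """Return the tuple of matched CEF values that selects a destination container.

    A missing field contributes None, so artifacts that all lack that field
    still land in one shared container (assumed reading of "matched even if
    there is no value"). Only the Exact match mode is modelled here.
    """
    key = []
    for field, mode in rule["match"]:
        if mode != "exact":
            raise ValueError(f"unsupported match mode: {mode}")
        key.append(artifact["cef"].get(field))
    return tuple(key)


def aggregate(artifacts, rule):
    """Group source-label artifacts into destination containers.

    Returns {aggregation_key: [artifact ids]}; each key stands for one
    container under rule["destination_label"]. Artifacts already outside the
    source label are not touched.
    """
    containers = defaultdict(list)
    for artifact in artifacts:
        if artifact["label"] != rule["source_label"]:
            continue
        containers[aggregation_key(artifact, rule)].append(artifact["id"])
    return dict(containers)
```

Running `aggregate(ARTIFACTS, RULE)` yields three containers: one for attacker 2.2.2.2, one for attacker 3.3.3.3, and one for the artifacts with no sourceAddress at all.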
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0