Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Create custom CEF fields in

uses the Common Event Format (CEF). CEF is a system of key-value pairs for important pieces of information about an artifact.

An artifact might have several key pieces of information such as sourceAddress, sourcePort, destinationAddress, destinationPort, and a timestamp. Each of these is stored in a field.

You can only have one of each CEF field per artifact. For example, you cannot have more than one sourceAddress per artifact. If you have a data set that includes multiple sourceAddress entries, separate those into multiple artifacts. Each of those artifacts can be placed in the same container.

You can extend or customize CEF to meet your organization's needs by adding custom CEF fields, and then using these fields in Investigation, add them to artifacts with the REST API, or using them in playbooks.

When an artifact is edited from Investigation, values set for a custom CEF appear as indicators. You can view these indicators by selecting Indicators in the Home menu.

You can add, delete, or modify a custom CEF using the REST API.

Create a custom CEF field

Perform the following steps to create a custom CEF field:

  1. From the Home menu, select Administration.
  2. Select Administration Settings > CEF.
  3. Click + CEF.
  4. Type a name for your customized CEF.
  5. (Optional) Select a data type for the field from the dropdown list.

Available choices are prepopulated with all enabled Apps actions. You can add your own data type or leave the data type blank.

  1. Click Save.

Modify a custom CEF field

Perform the following steps to modify a custom CEF field:

  1. From the Home menu, select Administration.
  2. Select Administration Settings > CEF.
  3. Click the edit icon to the right of the CEF name.
  4. Make the desired changes.
  5. Click Save.

Delete a custom CEF field

Perform the following steps to delete a custom CEF field:

  1. From the Home menu, select Administration.
  2. Select Administration Settings > CEF.
  3. Click the ⓧ icon to the right of the custom CEF field name.

Deleting a custom CEF does not remove it from existing artifacts that have the field applied.

Last modified on 25 May, 2023
Add tags to objects in   View related data using aggregation rules

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters