Create custom CEF fields in Splunk SOAR (On-premises)
Splunk SOAR (On-premises) uses the Common Event Format (CEF). CEF is a system of key-value pairs that hold the important pieces of information about an artifact.
An artifact might have several key pieces of information, such as sourceAddress, sourcePort, destinationAddress, destinationPort, and a timestamp. Each of these is stored in a field.
You can only have one of each CEF field per artifact. For example, you cannot have more than one sourceAddress per artifact. If you have a data set that includes multiple sourceAddress entries, separate those into multiple artifacts. Each of those artifacts can be placed in the same container.
You can extend or customize CEF to meet your organization's needs by adding custom CEF fields, and then use these fields in Investigation, add them to artifacts with the REST API, or use them in playbooks.
When an artifact is edited from Investigation, values set for a custom CEF field appear as indicators. You can view these indicators by selecting Indicators in the Home menu.
You can add, delete, or modify a custom CEF using the REST API.
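The one-value-per-field rule above is easy to violate when a feed reports several source addresses for a single event. The following added example (not code from the Splunk SOAR documentation) splits such a record into one artifact payload per repeated value, all tagged with the same container ID, and checks that no artifact still carries a multi-valued CEF field. The payload keys other than cef (container_id, label, name) and the custom field threatScore are assumptions for illustration; the example builds the payloads offline and does not call the REST API.

```python
"""Split a record with repeated CEF values into one artifact per value.

Added example, not part of the Splunk SOAR documentation. The artifact dict
layout (container_id, label, name, cef) is an assumed shape for a REST
payload; nothing is sent anywhere.
"""
from typing import Any, Dict, List

# Constructed sample: one event from a hypothetical feed that lists several
# source addresses (with matching ports) for a single destination.
SAMPLE_RECORD: Dict[str, Any] = {
    "sourceAddress": ["10.0.0.5", "10.0.0.9", "10.0.0.12"],
    "sourcePort": [51234, 51240, 51251],
    "destinationAddress": "203.0.113.10",
    "destinationPort": 443,
    "timestamp": "2024-01-15T10:42:00Z",
    "threatScore": 85,  # hypothetical custom CEF field
}


def _artifact(fields: Dict[str, Any], container_id: int, label: str, index: int) -> Dict[str, Any]:
    """Wrap a flat CEF dict in an artifact payload (assumed key names)."""
    return {
        "container_id": container_id,
        "label": label,
        "name": f"{label} artifact {index + 1}",
        "cef": fields,
    }


def split_into_artifacts(cef: Dict[str, Any], container_id: int, label: str = "event") -> List[Dict[str, Any]]:
    """Return one artifact payload per repeated value.

    Scalar CEF fields are copied into every artifact. List-valued fields are
    aligned positionally (index i of every list goes into artifact i), which
    assumes the lists describe the same observations in the same order; lists
    of different lengths are rejected rather than silently mis-paired.
    """
    multi = {k: v for k, v in cef.items() if isinstance(v, (list, tuple))}
    single = {k: v for k, v in cef.items() if k not in multi}
    if not multi:
        return [_artifact(dict(single), container_id, label, 0)]
    sizes = {k: len(v) for k, v in multi.items()}
    if len(set(sizes.values())) != 1:
        raise ValueError(f"repeated CEF fields have mismatched lengths: {sizes}")
    count = next(iter(sizes.values()))
    artifacts = []
    for i in range(count):
        fields = dict(single)
        fields.update({k: v[i] for k, v in multi.items()})
        artifacts.append(_artifact(fields, container_id, label, i))
    return artifacts


def check_one_value_per_field(artifact: Dict[str, Any]) -> bool:
    """True when no CEF field in the artifact holds more than one value."""
    return all(not isinstance(v, (list, tuple, set)) for v in artifact["cef"].values())


if __name__ == "__main__":
    for art in split_into_artifacts(SAMPLE_RECORD, container_id=42):
        print(check_one_value_per_field(art), art["cef"]["sourceAddress"], art["cef"]["sourcePort"])
```

Each resulting payload is what you would POST per artifact; because they share container_id, the three source addresses stay grouped in one container while each artifact keeps exactly one sourceAddress and one sourcePort.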
Create a custom CEF field
Perform the following steps to create a custom CEF field:
- From the Home menu, select Administration.
- Select Administration Settings > CEF.
- Click + CEF.
- Type a name for your customized CEF.
- (Optional) Select a data type for the field from the dropdown list. Available choices are prepopulated with all enabled Apps actions. You can add your own data type or leave the data type blank.
- Click Save.
Modify a custom CEF field
Perform the following steps to modify a custom CEF field:
- From the Home menu, select Administration.
- Select Administration Settings > CEF.
- Click the edit icon to the right of the CEF name.
- Make the desired changes.
- Click Save.
Delete a custom CEF field
Perform the following steps to delete a custom CEF field:
- From the Home menu, select Administration.
- Select Administration Settings > CEF.
- Click the ⓧ icon to the right of the custom CEF field name.
Deleting a custom CEF field does not remove it from existing artifacts that have the field applied.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1