Splunk App for SOAR Export release notes

The 4.1.117 version of the Splunk App for SOAR Export includes the following enhancements:

  • The name of the app has been changed to Splunk App for SOAR Export. References to Phantom in the UI have been updated to SOAR, but references in the code still refer to Phantom.
  • The app now removes items from the KV Store if the item has an invalid label in Splunk SOAR.
  • The regular expression in event parsing now accommodates multi-line values.
  • Performance improvements for the searches in event forwarding.
  • The default python.version is now python3.

Fixed issues in this release

This version of the Splunk App for SOAR Export was released on March 14, 2022 and fixes the following issues.

Date resolved Issue number Description
2022-02-09 PAPP-22982 phantom_forward.py does not handle multi-valued fields created with strcat and split() functions.
2022-01-31 PAPP-20810 Events in KV Store phantom_retry only sent if container label is valid.
2022-01-31 PAPP-22054 Upon a successful phantom_retry, some artifacts end up in the same container but should be unique.
2022-01-28 PAPP-19122 The SplunkD path is not set correctly in some cases.
2022-01-18 PAPP-23657 Upgrading from beta version 0.0.19 to release version 4.1.73 gave an error message related to earliest_time and latest_time parameters.
2022-01-07 PAPP-23255 Misleading 403 Forbidden error when syncing workbooks with Splunk Cloud.

Known issues in this release

This version of the Splunk App for SOAR Export was released on March 14, 2022 and has the following known issues.

Date filed Issue number Description
2023-08-08 PAPP-31554 Artifact title missing in SOAR when posting via scheduled alert actions
2023-07-19 PAPP-31340 ES Notable multi-line comments are not exported to SOAR
Workaround:
No workaround is available.
2022-08-13 PAPP-27172 Updating a forwarding rule results in the error "A saved search with that name already exists"
Workaround:
Searches and the forwarding rule can be changed in the .conf files; if you delete the underlying saved search, updating the rule recreates it.

Alternative workaround to change an existing Event Forwarding rule:
  1. Navigate to the Event Forwarding page in SAS Export.
  2. Click "Clone" on the rule you would like to modify.
  3. A modal for modifying the clone opens, where you can make your changes.
  4. After making changes, click "Save and Close" or "Save and Preview".

2022-08-08 PAPP-27021 ES Adaptive Response Action Recorded Success Twice
Workaround:
Attach "dedup sid" to the macro `modular_action_invocations`
2022-07-15 PAPP-26850 ITSI - Event forwarding configurations were not being updated to either enabled or disabled. (SOAR EXPORT)
Workaround:
The workaround from the previous JIRA issue did not work for the ITSI stack.
2021-11-26 PAPP-21689 Send to SOAR sometimes throws "IndexError: list index out of range".
2021-05-19 PAPP-17108 Adaptive Response Relay produces an error message in Cloud
Workaround:
Create a saved search report to invoke Send to SOAR or Run SOAR Playbook actions, as described in these steps:
  1. Create the intended correlation search. For Triggered Actions, do not add the Send to Phantom alert action. Instead, add only the Create Notable alert action.
  2. Create a Saved Search Report.
    • Set permissions so that at least Splunk Enterprise Security and Phantom App on Splunk have read and write access.
    • Set a schedule so the search runs on a regular basis.
    • Set the search so the notable is found and all fields are carried over. Include the sendalert command in the search, which will look like this:
      index=notable | foreach _* [| eval "<<FIELD>>"='<<FIELD>>'+500] | sendalert sendtophantom param.phantom_server="automation (https://10.1.18.147) (ARR)" param.sensitivity="red" param.severity="high" param.label="events" param._cam_workers="[\"hf1\"]" param.relay_account="hf1"

If the field _phantom_workaround_description is present in the results, its value is treated as the original search description and is added to the SOAR container description.

For the search Test Alert Title, you can send its description by adding the following text to the workaround report's search:

| eval _phantom_workaround_description = [| rest /services/saved/searches/Test%20Alert%20Title | eval desc="\"".description."\"" |return $desc]
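As an added example (not from the release notes or from the app itself), here is the workaround report from the steps above written as a savedsearches.conf stanza, with the search description carried over via _phantom_workaround_description. The stanza name, schedule, time window, the search_name filter, the SOAR server placeholder and the local.meta sharing are assumptions; hf1 is the worker name used in the search above.

```ini
# --- local/savedsearches.conf in the app that owns the report ---
# Stanza name, schedule and time window are assumptions; the keys are
# standard savedsearches.conf settings.
[SOAR Export relay workaround - Test Alert Title]
description = Scheduled report that forwards "Test Alert Title" notables \
  to SOAR inline with sendalert, bypassing the Adaptive Response Relay.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
# search_name is the field ES writes on each notable (assumed here to
# select only this correlation search's notables). The foreach/eval and
# sendalert parts are the workaround search from the steps above; the
# rest subsearch pulls the saved search description into
# _phantom_workaround_description, which becomes the container description.
search = index=notable search_name="Test Alert Title" \
  | foreach _* [| eval "<<FIELD>>"='<<FIELD>>'+500] \
  | eval _phantom_workaround_description = [| rest /services/saved/searches/Test%20Alert%20Title | eval desc="\"".description."\"" | return $desc] \
  | sendalert sendtophantom param.phantom_server="<SOAR server name as shown in the app>" \
      param.sensitivity="red" param.severity="high" param.label="events" \
      param._cam_workers="[\"hf1\"]" param.relay_account="hf1"

# --- metadata/local.meta in the same app ---
# Shares the report globally so Enterprise Security and the SOAR Export app
# can read it; the write roles are an assumption for your environment.
[savedsearches/SOAR%20Export%20relay%20workaround%20-%20Test%20Alert%20Title]
export = system
access = read : [ * ], write : [ admin ]
```

Keep the report's time window at least as wide as the correlation search's schedule gap, otherwise notables that land between runs are never forwarded.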