Splunk App for SOAR Export release notes

The 4.1.135 version of the Splunk App for SOAR Export includes the following enhancements:

  • When sending notable events to Splunk SOAR using either Send to SOAR or Run Playbook in SOAR, you can now use the Grouping setting to choose whether the events passed to Splunk SOAR are grouped into one container or sent as separate containers. See Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom or Splunk SOAR. This functionality requires that the Splunk Common Information Model (CIM), Splunk Enterprise Security (ES), or both are also installed on your Splunk instance.
  • The install and update process for the Splunk App for SOAR Export no longer checks for updated versions. The check_for_updates flag has been removed from phantom/default/app.conf.

Fixed issues in this release

This version of the Splunk App for SOAR Export was released on August 25, 2022 and fixes the following issues.

Date resolved   Issue number   Description
2022-07-29      PAPP-25896     Event forwarding configuration UI is limited to 100 results.
2022-07-27      PAPP-26065     Alert action account entries require a page refresh to be visible in the UI after an update.
2022-06-09      PAPP-19281     When creating a new event forwarding configuration, the configuration sometimes does not show up in the UI.

Known issues in this release

This version of the Splunk App for SOAR Export was released on August 25, 2022 and has the following known issues.

Date filed   Issue number   Description
2023-08-08   PAPP-31554     Artifact title is missing in SOAR when posting via scheduled alert actions.
2023-07-19   PAPP-31340     ES notable multiline comments are not exported to SOAR.
                            Workaround: none available.
2021-11-26   PAPP-21689     Send to SOAR sometimes throws "IndexError: list index out of range".
2021-05-19   PAPP-17108     Adaptive Response Relay produces an error message in Splunk Cloud.
                            Workaround: create a saved search report that invokes the Send to SOAR or Run SOAR Playbook action, as described below.

Workaround for PAPP-17108

Instead of relying on the Adaptive Response Relay, create a saved search report that invokes the Send to SOAR or Run SOAR Playbook action:
  1. Create the intended correlation search. Under Triggered Actions, do not add the Send to Phantom alert action; add only the Create Notable alert action.
  2. Create a saved search report:
    • Set permissions so that at least the Splunk Enterprise Security and Phantom App on Splunk apps have read/write access to the report.
    • Set a schedule so that the report runs at a regular interval.
    • Write the search so that it finds the notable events and carries all of their fields over, and include the sendalert command in the search. The search will look like this:
      index=notable | foreach _* [| eval "<<FIELD>>"='<<FIELD>>'+500] | sendalert sendtophantom param.phantom_server="automation (https://10.1.18.147) (ARR)" param.sensitivity="red" param.severity="high" param.label="events" param._cam_workers="[\"hf1\"]" param.relay_account="hf1"

If the field _phantom_workaround_description is present in the search results, its value is treated as the original search description and is added to the SOAR container description.

For example, for a saved search named Test Alert Title, you can send its description by adding the following to the workaround report's search:

| eval _phantom_workaround_description = [| rest /services/saved/searches/Test%20Alert%20Title | eval desc="\"".description."\"" |return $desc]
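The workaround steps above (permissions, schedule, and the sendalert search) together with the description trick map onto two configuration files in the app that owns the report. The following is an added example written for this page, not Splunk's own configuration or code: the stanza name, the schedule, the time window, the role names and the app layout are assumptions; the search body is the workaround search from the PAPP-17108 steps, with the Test Alert Title description subsearch inserted between foreach and sendalert.

```ini
# savedsearches.conf (assumed stanza name and schedule). The report runs every
# five minutes over the previous five whole minutes, so consecutive runs cover
# contiguous, non-overlapping windows and a notable is forwarded only once.
# No alert action is configured: sendalert inside the search does the sending.
[SOAR relay workaround report]
description = Forwards ES notables to SOAR with sendalert instead of the Adaptive Response Relay (PAPP-17108 workaround)
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
# Backslashes continue the value onto the next line. The description eval is
# placed after "foreach _*" on purpose: its field name starts with an
# underscore, so placing it earlier would let the foreach rewrite it.
search = index=notable \
  | foreach _* [| eval "<<FIELD>>"='<<FIELD>>'+500] \
  | eval _phantom_workaround_description = [| rest /services/saved/searches/Test%20Alert%20Title | eval desc="\"".description."\"" | return $desc] \
  | sendalert sendtophantom param.phantom_server="automation (https://10.1.18.147) (ARR)" param.sensitivity="red" param.severity="high" param.label="events" param._cam_workers="[\"hf1\"]" param.relay_account="hf1"

# metadata/local.meta in the same app (role names are assumptions). Readable by
# every role, writable only by administrative roles, and exported at system
# level so that Splunk Enterprise Security and the Phantom App on Splunk can
# see the report.
[savedsearches/SOAR relay workaround report]
access = read : [ * ], write : [ admin, ess_admin ]
export = system
```

Keep the write list short: the report's search contains a sendalert with a relay account and a target SOAR server, so anyone who can edit it can redirect or alter what is sent to SOAR. If notables are indexed late, a window aligned to whole minutes can miss them; widening dispatch.earliest_time trades that risk for duplicate containers, since the search has no deduplication of its own.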