IBM Security QRadar SOAR

  • 1.  Parse Splunk ES event in Resilient

    Posted Wed May 04, 2022 03:27 PM
    When using the Splunk query (with the Splunk integration v1.1.0) an incident is created with 'Link to Splunk ES notable event' in the description. How would you parse the event link in Resilient? Note: I am unable to manually open the link in my web browser.

    ------------------------------
    Mark Aksen
    ------------------------------


  • 2.  RE: Parse Splunk ES event in Resilient

    Posted Thu May 05, 2022 10:06 AM
    Hi Mark

    There are 2 Splunk components that we provide: the Splunk Add-on runs in Splunk and the fn_splunk_integration that runs in SOAR.

    I think you are referring to the Add-on that runs in Splunk and escalates incidents to SOAR?  There is an HTML mapping page in Splunk where you can define the "Description" field that will be filled in when a SOAR incident is created.  The default setting for the "Description" in Splunk ES is:

    <div>$name$</div><div>$result.rule_description$</div><div>Urgency: $result.urgency$</div><div>Owner: $result.owner$</div><div>Status:$result.status$</div><div>Link to Splunk ES <a href="https://$result.splunk_server$:8000/en-US/app/SplunkEnterpriseSecuritySuite/search?q=search%20%60notable_by_id($result.event_id$)%60&display.page.search.mode=smart">notable event</a></div>


    Here is a sample of the link in SOAR "Description":

    https://splunk2sh1.com:8000/en-US/app/SplunkEnterpriseSecuritySuite/search?q=search%20%60notable_by_id(3C2E92BD-1183-4A4D-94C0-1E7BAC6A8AEB@@notable@@0cc21152b8d994d27bc18e73de6ebe23)%60&display.page.search.mode=smart

    What is it that you would like to parse out?  Or is your issue that the link is not working?

    AnnMarie



    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 3.  RE: Parse Splunk ES event in Resilient

    Posted Thu May 05, 2022 11:26 AM
    Hi AnnMarie,

    The link isn't working. I would like to grab the information that's available from that link.

    ------------------------------
    Mark Aksen
    ------------------------------



  • 4.  RE: Parse Splunk ES event in Resilient

    Posted Thu May 05, 2022 11:50 AM
    Can you post what the text is when you copy the link when you hover over "notable event" in the "Description" of the incident?

    Do you have access to the Splunk system?

    You can edit the html mapping when doing a manual escalation by hitting "Run Adaptive Response Actions" off of a notable:


    Does your search result have an event_id that is used to form the URL?
    $result.event_id$

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 5.  RE: Parse Splunk ES event in Resilient

    Posted Thu May 05, 2022 01:47 PM
    I don't see any text when hovering over "notable event".
    I do have access to the Splunk system, though it's possible I am not granted full access that I need to access this link. 

    How am I able to see the event ID? Is that found in the URL that is referenced by the "notable event"?

    ------------------------------
    Mark Aksen
    ------------------------------



  • 6.  RE: Parse Splunk ES event in Resilient

    Posted Fri May 06, 2022 12:22 PM
    In my first post, the html code contains the default html mapping that is in the "Description" field on the screenshot I posted in my second post.  When an alert is triggered the result tokens are substituted to create the URL.  The text in the html starting with
    <a href=
    is used to form the URL link. These are the tokens used for substituting the results of the search when Splunk ES is used:
    $result.splunk_server$
    $result.event_id$

    You can look in the /opt/splunk/var/log/splunk/resilient_modalert.log for more information on the incident when it is created. Search in there for the incident ID from SOAR.



    ------------------------------
    AnnMarie Norcross
    ------------------------------
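    The two posts above (the default "Description" mapping in reply 2 and the token explanation in reply 6) describe how the notable-event link is assembled: Splunk substitutes `$result.splunk_server$` and `$result.event_id$` into the `<a href=...>` template, and the `q=` parameter of the resulting URL is a URL-encoded ES search wrapping `notable_by_id(<event_id>)`. The script below is an added example (not part of this thread and not IBM's fn_splunk_integration code) that reverses that assembly on the SOAR side: it pulls the href and the Urgency/Owner/Status lines out of the description HTML, URL-decodes the search, extracts the `event_id`, and flags the case where the tokens were never substituted, which is what you would expect if the search result had no `event_id`. The link is the sample from reply 2; the rule name, rule description and field values are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the default Splunk ES "Description" mapping after Splunk has
# substituted the $result.*$ tokens. The link is the sample from the thread; the
# rule name, rule description and field values are made up for this example.
SAMPLE_DESCRIPTION = (
    "<div>Example correlation search</div>"
    "<div>Example rule description</div>"
    "<div>Urgency: high</div><div>Owner: unassigned</div><div>Status:new</div>"
    '<div>Link to Splunk ES <a href="https://splunk2sh1.com:8000/en-US/app/'
    "SplunkEnterpriseSecuritySuite/search?q=search%20%60notable_by_id("
    "3C2E92BD-1183-4A4D-94C0-1E7BAC6A8AEB@@notable@@0cc21152b8d994d27bc18e73de6ebe23"
    ')%60&display.page.search.mode=smart">notable event</a></div>'
)

# Constructed sample of the failure mode discussed in the thread: the search result
# carried no event_id / splunk_server, so the tokens were never substituted and the
# link cannot open.
UNSUBSTITUTED_DESCRIPTION = (
    '<div>Link to Splunk ES <a href="https://$result.splunk_server$:8000/en-US/app/'
    "SplunkEnterpriseSecuritySuite/search?q=search%20%60notable_by_id("
    '$result.event_id$)%60&display.page.search.mode=smart">notable event</a></div>'
)

NOTABLE_ID_RE = re.compile(r"notable_by_id\(([^)]+)\)")
SUMMARY_FIELDS = ("urgency", "owner", "status")


class _DescriptionExtractor(HTMLParser):
    """Collects the text of each <div> and every <a href> in the description."""

    def __init__(self):
        super().__init__()
        self.divs = []
        self.hrefs = []
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)
        elif tag == "div":
            self._buf = []

    def handle_data(self, data):
        self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "div":
            self.divs.append("".join(self._buf).strip())
            self._buf = []


def parse_notable_link(href):
    """Split the ES search URL into the pieces the mapping template was built from."""
    parts = urlsplit(href)
    # parse_qs URL-decodes the value, so %20 and %60 become a space and a backtick.
    search = parse_qs(parts.query).get("q", [""])[0]
    match = NOTABLE_ID_RE.search(search)
    event_id = match.group(1) if match else None
    return {
        "splunk_server": parts.hostname,
        "port": parts.port,
        "search": search,
        "event_id": event_id,
        # A leftover "$result...$" means Splunk had no value to substitute.
        "tokens_unsubstituted": "$result." in href,
    }


def parse_description(description):
    """Return the summary fields and the decoded notable-event link, if any."""
    extractor = _DescriptionExtractor()
    extractor.feed(description)
    fields = {}
    for text in extractor.divs:
        key, sep, value = text.partition(":")
        if sep and key.strip().lower() in SUMMARY_FIELDS:
            fields[key.strip().lower()] = value.strip()
    link = parse_notable_link(extractor.hrefs[0]) if extractor.hrefs else None
    return {"fields": fields, "link": link}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_description(SAMPLE_DESCRIPTION), indent=2))
    print(json.dumps(parse_description(UNSUBSTITUTED_DESCRIPTION), indent=2))
```

    In a SOAR script or function you would feed it `incident.description` instead of the constructed samples; a `link` of `None` means the mapping never produced an `<a href>` at all, and `tokens_unsubstituted` being true means the Splunk search result lacked the fields the template expects, which points back at the saved search rather than at SOAR.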



  • 7.  RE: Parse Splunk ES event in Resilient

    Posted Tue May 10, 2022 11:02 AM
    Hi AnnMarie,

    '/opt/splunk' does not exist in my apphost server. Is there another way to check what the values of $result.splunk_server$ and $result.event_id$ are?

    ------------------------------
    Mark Aksen
    ------------------------------



  • 8.  RE: Parse Splunk ES event in Resilient

    Posted Tue May 10, 2022 11:39 AM
    Hi Mark,

    The /opt/splunk directory is not on the apphost server; it is on the Splunk server where the saved search is run.  In Splunk you edit the HTML mapping page to map the results of the Splunk search to fields in the SOAR incident/case. When the search is executed in Splunk the results are sent as fields in SOAR in a new incident.  You could map those results to other fields in SOAR ($result.splunk_server$ and $result.event_id$) if you want them to show up there.

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 9.  RE: Parse Splunk ES event in Resilient

    Posted Wed May 11, 2022 04:53 PM
    Hi AnnMarie,

    I reviewed the resilient_modalert.log file and could not find the values for the rule_description, urgency, owner, and status fields in there. 
    What should I expect to see when I search for these fields in the log file? 

    Anything else I should be checking for in the log file to determine why the html page for 'notable event' is not accessible?

    Thank you,
    Mark

    ------------------------------
    Mark Aksen
    ------------------------------