https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/splunk-notable-hash/m-p/550110#M2356 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/300931">@valenting</a>,&nbsp;</P> <P>&nbsp;</P> <P>This is the default behaviour for all XSOAR incidents. The below screenshot shows Splunk Event Hashes being extracted as file hashes.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-07-20 at 11.05.40 am.png" style="width: 305px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51807iB8D8A982C5B01068/image-dimensions/305x278/is-moderation-mode/true?v=v2" width="305" height="278" role="button" title="Screenshot 2023-07-20 at 11.05.40 am.png" alt="Screenshot 2023-07-20 at 11.05.40 am.png" /></span></P> <P>&nbsp;</P> <P>This can happen due to the below:-</P> <P>1. Default Splunk Generic Playbook - This playbook has a step that extracts indicators from the entire incident context. You can modify the "<SPAN>Extract indicators from incident" step to focus specific fields inside the Splunk alert.</SPAN></P> <P>&nbsp;</P> <P><SPAN>2. Indicator Extract Rules for Incident Type - Reconfigure the rule to prevent indicator extraction on "Incident Creation". Screenshot below.</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-07-20 at 11.20.39 am.png" style="width: 313px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51808i05E0FCF802AB7251/image-dimensions/313x120/is-moderation-mode/true?v=v2" width="313" height="120" role="button" title="Screenshot 2023-07-20 at 11.20.39 am.png" alt="Screenshot 2023-07-20 at 11.20.39 am.png" /></span></SPAN></P> <P>For more information on Indicator Extraction, refer -&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Indicator-Extraction" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Indicator-Extraction</A></P> Thu, 20 Jul 2023 01:32:19 GMT jfernandes1 2023-07-20T01:32:19Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/splunk-notable-hash/m-p/548006#M2282 <P>Hello, i get some problems during setup my splunk to xsoar:</P> <P>&nbsp;</P> <P>The problem i get is xsoar take the notable event hash filed like it was a file hash and i didn't want it in my playbook.</P> <P>Some of you has already face this issue ? do you have resolved it ?</P> <P>&nbsp;</P> <P>Thanks&nbsp;</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XSOAR" id="Cortex_XSOAR"></LI-PRODUCT>&nbsp;</P> Mon, 03 Jul 2023 09:57:04 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/splunk-notable-hash/m-p/548006#M2282 valenting 2023-07-03T09:57:04Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/splunk-notable-hash/m-p/548588#M2294 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/300931">@valenting</a>&nbsp;,</P> <P>&nbsp;</P> <P>I checked the incoming Splunk notable event mapper and didn't see any out of the box mapping to file fields, which is leading me to think it is happening within the playbook you are using. Can you see from which automation in the playbook that could be happening with? If you can locate that, that behavior can be switched off through the advanced section of the automation by setting "Indicator Extraction Mode" to "None".</P> <P>&nbsp;</P> <P>It is also worth checking the incoming mapper that you're using, as that could have been modified to extract that field as a file hash indicator.&nbsp;</P> Fri, 07 Jul 2023 16:22:08 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/splunk-notable-hash/m-p/548588#M2294 mcooley 2023-07-07T16:22:08Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/splunk-notable-hash/m-p/550110#M2356 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/300931">@valenting</a>,&nbsp;</P> <P>&nbsp;</P> <P>This is the default behaviour for all XSOAR incidents. The below screenshot shows Splunk Event Hashes being extracted as file hashes.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-07-20 at 11.05.40 am.png" style="width: 305px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51807iB8D8A982C5B01068/image-dimensions/305x278/is-moderation-mode/true?v=v2" width="305" height="278" role="button" title="Screenshot 2023-07-20 at 11.05.40 am.png" alt="Screenshot 2023-07-20 at 11.05.40 am.png" /></span></P> <P>&nbsp;</P> <P>This can happen due to the below:-</P> <P>1. Default Splunk Generic Playbook - This playbook has a step that extracts indicators from the entire incident context. You can modify the "<SPAN>Extract indicators from incident" step to focus specific fields inside the Splunk alert.</SPAN></P> <P>&nbsp;</P> <P><SPAN>2. Indicator Extract Rules for Incident Type - Reconfigure the rule to prevent indicator extraction on "Incident Creation". Screenshot below.</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-07-20 at 11.20.39 am.png" style="width: 313px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51808i05E0FCF802AB7251/image-dimensions/313x120/is-moderation-mode/true?v=v2" width="313" height="120" role="button" title="Screenshot 2023-07-20 at 11.20.39 am.png" alt="Screenshot 2023-07-20 at 11.20.39 am.png" /></span></SPAN></P> <P>For more information on Indicator Extraction, refer -&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Indicator-Extraction" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Indicator-Extraction</A></P> Thu, 20 Jul 2023 01:32:19 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/splunk-notable-hash/m-p/550110#M2356 jfernandes1 2023-07-20T01:32:19Z