topic Cortex XSOAR Context Issue in Cortex XSOAR Discussions

Cortex XSOAR Context Issue

Rawabdeh — Thu, 30 Sep 2021 15:33:17 GMT

Hi Everyone,

I have Cortex XSOAR with SplunkPY running and fetching incidents. I am using Splunk classifier and Splunk incoming mapper by default.

Drill down is being enriched successfully and i can see it parsed at both classifier & mapper stages - see below screenshot

drilldown parsed in classifier&mapper

However, context is not splitting drill down details , It's all coming in one chunk of data and cannot be used in any playbook. - Below screenshot

drilldown nor parsed in context

Any ideas what might be causing this? Is there anywhere else to check that might affect Drilldown parsing in context?

Re: Cortex XSOAR Context Issue

Strunce — Thu, 30 Sep 2021 19:35:32 GMT

I think you have a transform issue.

Look at the following link on YouTube to MOD44's PCSAE - Palo Alto Networks - Certification- Training- Domain 1

Skip ahead to 34:15, I think this will help you.

Re: Cortex XSOAR Context Issue

Rawabdeh — Sun, 03 Oct 2021 08:59:40 GMT

@Strunce thank you for your reply.

This video discusses splitting data at classifier level, but I have that already applied in my classifier & mapper as per the above screenshots. No transformations are present within my classifier or mapper.

I just created a complete new account with fresh installation and integration with a totally different Splunk instance and the same issue persists.

Do you happen to know how data is filled into context and what controls this process? should I dig into automations for pre-processing rules?

Re: Cortex XSOAR Context Issue

ABurt — Mon, 04 Oct 2021 07:57:04 GMT

Hi @Rawabdeh , the fields you are showing (incident -> labels -> drilldown) are not being mapped. By default, each mapper has a couple of fields mapped. The rest of the fields are copied verbatim into the context data under "labels". This setting can be disable (if you wanted to) under the settings of the mapper under Advanced:

All data under the labels will be as presented by the source technology. If you would like the data parsed, you would need to alter the Splunk incoming mapper to map that field.

Do you know how you would like the data presented? As a table perhaps?

Regards

Adam

Re: Cortex XSOAR Context Issue

Rawabdeh — Tue, 05 Oct 2021 14:23:31 GMT

Thank you for your contribution @ABurt

Actually drill down is supposed to look like the first screenshot (I'm using it in my playbooks as Drilldown.[0].Country .[0] >> maps to: Saudi Arabia in the first screenshot)

I have tried checking that box you mentioned and indeed, it stopped throwing all JSON details under incident.labels and I was able to use the custom field (mapped with drilldown values) I created. But that means I have to create a field for each value in each alert coming from Splunk and i don't think that's a feasible solution.

What's confusing me is that context had drill down parsed just the way it's seen in mapper and I built my playbooks based on this format. Out of nowhere it noticed empty data in sub-playbooks and found out about this issue. No changes were applied on any account

Re: Cortex XSOAR Context Issue

ABurt — Tue, 05 Oct 2021 14:28:19 GMT

During the classification and mapping this is generally the way data is processed:

Classification determines what type of incident each new incident creation is created as
Mapping (specifically incoming in this instance) maps all the fields based on the type of incident (or globally)

It looks as if the incoming mapper in screenshot 1 is populating a field named "drilldown" in the incident. This would honour the transformation happening at the mapper (i.e. the parseJSON transformer). The second screenshot, when data ends up in the labels, does not undergo any mapper rules such as the parse JSON.

In the first screenshot, is the "drilldown" appearing in the incident as its own field or is this under the same "labels" as in the second screenshot?

Re: Cortex XSOAR Context Issue

Rawabdeh — Wed, 06 Oct 2021 11:59:00 GMT

@ABurt This is exactly what's happening, context is not picking up this exact JSON parser.

Drill down is coming under label as shown in this screenshot

Here i say it again, it was all parsed before and i built my playbooks based on these values.

Re: Cortex XSOAR Context Issue

ABurt — Wed, 06 Oct 2021 13:05:53 GMT

Has anything else changed since you built the playbooks. Such as updating XSOAR or any changes to Splunk?

Re: Cortex XSOAR Context Issue

Rawabdeh — Wed, 06 Oct 2021 14:36:59 GMT

That's what I've been trying to find out. the only changes I've made are on playbook inputs and classification. I have no idea how context parsing started behaving like this

Re: Cortex XSOAR Context Issue

Rawabdeh — Wed, 06 Oct 2021 15:06:46 GMT

I have just created 4 fields and mapped their values to drill down details and it's working fine. I know this isn't the best practice to create custom fields for each alert coming from Splunk. This was only for testing purposes.

I can confirm that this isn't related to drill down fetching or mapping. issue is narrowed down to context display i believe.