Cortex XSOAR Context Issue

L1 Bithead


Hi Everyone, 

I have Cortex XSOAR with SplunkPY running and fetching incidents. I am using Splunk classifier and Splunk incoming mapper by default. 

Drill down is being enriched successfully and I can see it parsed at both classifier & mapper stages - see below screenshot

(screenshot: drilldown parsed in classifier & mapper)

However, context is not splitting drill down details; it's all coming in one chunk of data and cannot be used in any playbook. - Below screenshot

(screenshot: drilldown not parsed in context)


Any ideas what might be causing this? Is there anywhere else to check that might affect Drilldown parsing in context?

9 REPLIES

L0 Member

I think you have a transform issue.  

Look at the following link on YouTube to MOD44's PCSAE - Palo Alto Networks - Certification- Training- Domain 1 

Skip ahead to 34:15, I think this will help you.


@Strunce thank you for your reply. 

This video discusses splitting data at classifier level, but I have that already applied in my classifier & mapper as per the above screenshots. No transformations are present within my classifier or mapper. 

I just created a complete new account with fresh installation and integration with a totally different Splunk instance and the same issue persists. 

Do you happen to know how data is filled into context and what controls this process? Should I dig into automations for pre-processing rules?

Hi @Rawabdeh, the fields you are showing (incident -> labels -> drilldown) are not being mapped. By default, each mapper has a couple of fields mapped. The rest of the fields are copied verbatim into the context data under "labels". This setting can be disabled (if you wanted to) under the settings of the mapper under Advanced:

(screenshot: mapper Advanced settings)


All data under the labels will be as presented by the source technology. If you would like the data parsed, you would need to alter the Splunk incoming mapper to map that field.

Do you know how you would like the data presented? As a table perhaps?

Regards

Adam

L1 Bithead

Thank you for your contribution @ABurt 

Actually, drill down is supposed to look like the first screenshot (I'm using it in my playbooks as Drilldown.[0].Country.[0] >> maps to: Saudi Arabia in the first screenshot)

I have tried checking that box you mentioned and indeed, it stopped throwing all JSON details under incident.labels and I was able to use the custom field (mapped with drilldown values) I created. But that means I have to create a field for each value in each alert coming from Splunk and I don't think that's a feasible solution.

What's confusing me is that context had drill down parsed just the way it's seen in mapper and I built my playbooks based on this format. Out of nowhere I noticed empty data in sub-playbooks and found out about this issue. No changes were applied on any account.

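One way to recover from the "one chunk" situation Adam explains and Rawabdeh's playbooks depend on, as an added example that is not code from this thread or from the SplunkPy content pack: an automation that reads the verbatim "drilldown" label from incident.labels, parses the JSON string and writes it to context as Drilldown so that a path like Drilldown.[0].Country.[0] resolves. The label name "drilldown", the sample label values and the helper names are assumptions; the demistomock / CommonServerPython imports are only available inside XSOAR, so offline the script just prints the parsed sample.

```python
import json

# Constructed sample labels, shaped like incident.labels after the mapper
# copied the unmapped Splunk fields verbatim (values are made up for this example).
SAMPLE_LABELS = [
    {"type": "Brand", "value": "SplunkPy"},
    {"type": "drilldown",
     "value": '[{"Country": "Saudi Arabia", "src": "10.0.0.5"}]'},
]


def parse_drilldown_labels(labels, label_type="drilldown"):
    """Collect the drilldown entries from a labels list.

    Accepts both shapes seen in the thread: the value already parsed into a
    list/dict (as the mapper preview shows it) or one JSON string chunk.
    A label that is not valid JSON is kept under "raw" instead of being lost.
    """
    entries = []
    for label in labels or []:
        if label.get("type") != label_type:
            continue
        value = label.get("value")
        if isinstance(value, str):
            try:
                value = json.loads(value)
            except ValueError:
                entries.append({"raw": value})
                continue
        if isinstance(value, dict):
            value = [value]
        if isinstance(value, list):
            entries.extend(v for v in value if isinstance(v, dict))
    return entries


def build_drilldown_context(labels):
    """Wrap every field in a list so a playbook path such as
    Drilldown.[0].Country.[0] resolves the same way for one or many values."""
    return [{k: (v if isinstance(v, list) else [v]) for k, v in e.items()}
            for e in parse_drilldown_labels(labels)]


def main():
    # Inside XSOAR: read the real incident labels and write the Drilldown context.
    # Offline (no demistomock / CommonServerPython): print the parsed sample.
    try:
        import demistomock as demisto
        from CommonServerPython import CommandResults, return_results
    except ImportError:
        print(json.dumps(build_drilldown_context(SAMPLE_LABELS), indent=2))
        return
    labels = demisto.incident().get("labels", [])
    return_results(CommandResults(outputs_prefix="Drilldown",
                                  outputs=build_drilldown_context(labels)))


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Mapping the field in the incoming mapper, as Adam suggests, is still the cleaner long-term fix; this only keeps existing playbooks working while the labels arrive unparsed.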
