This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cortex XSOAR Context Issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XSOAR Context Issue

Rawabdeh
L1 Bithead

‎09-30-2021 08:25 AM - edited ‎09-30-2021 08:33 AM

 

Hi Everyone, 

I have Cortex XSOAR with SplunkPY running and fetching incidents. I am using Splunk classifier and Splunk incoming mapper by default. 

Drill down is being enriched successfully and i can see it parsed at both classifier & mapper stages - see below screenshot

drilldown parsed in classifier&mapperdrilldown parsed in classifier&mapper

However, context is not splitting drill down details , It's all coming in one chunk of data and cannot be used in any playbook. - Below screenshot

 

drilldown nor parsed in contextdrilldown nor parsed in context

 

Any ideas what might be causing this? Is there anywhere else to check that might affect Drilldown parsing in context?

0 Likes Likes
9 REPLIES 9

ABurt
L3 Networker
In response to Rawabdeh

‎10-05-2021 07:28 AM

During the classification and mapping this is generally the way data is processed:

  1. Classification determines what type of incident each new incident creation is created as
  2. Mapping (specifically incoming in this instance) maps all the fields based on the type of incident (or globally)

 

It looks as if the incoming mapper in screenshot 1 is populating a field named "drilldown" in the incident. This would honour the transformation happening at the mapper (i.e. the parseJSON transformer). The second screenshot, when data ends up in the labels, does not undergo any mapper rules such as the parse JSON.

 

In the first screenshot, is the "drilldown" appearing in the incident as its own field or is this under the same "labels" as in the second screenshot?

0 Likes Likes

Rawabdeh
L1 Bithead
In response to ABurt

‎10-06-2021 04:59 AM

@ABurt  This is exactly what's happening, context is not picking up this exact JSON parser. 

Drill down is coming under label as shown in this screenshot

 

2021-10-06_145147.png

 

Here i say it again, it was all parsed before and i built my playbooks based on these values.

 

0 Likes Likes

ABurt
L3 Networker
In response to Rawabdeh

‎10-06-2021 06:05 AM

Has anything else changed since you built the playbooks. Such as updating XSOAR or any changes to Splunk?

0 Likes Likes

Rawabdeh
L1 Bithead
In response to ABurt

‎10-06-2021 07:36 AM

That's what I've been trying to find out. the only changes I've made are on playbook inputs and classification. I have no idea how context parsing started behaving like this

0 Likes Likes

Rawabdeh
L1 Bithead
In response to ABurt

‎10-06-2021 08:06 AM

I have just created 4 fields and mapped their values to drill down details and it's working fine. I know this isn't the best practice to create custom fields for each alert coming from Splunk. This was only for testing purposes. 

I can confirm that this isn't related to drill down fetching or mapping. issue is narrowed down to context display i believe.

 

Rawabdeh_1-1633532783695.png

 

 

Rawabdeh_0-1633532369929.png

 

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks