SPL Command:
| xsoarsearch --date_range_by_to <time_unit> --date_range_by_from <time_unit> --date_range_to_value <value> --date_range_from_value <value> --exclude_fields <fields>
Description:
This command lets you search for incidents in Cortex XSOAR directly from Splunk. It integrates Splunk with Cortex XSOAR so incidents can be analysed alongside Splunk data, and accepts search criteria that pull incidents by time range.
Example:
| xsoarsearch --date_range_by_to hours --date_range_by_from hours --date_range_to_value 0 --date_range_from_value 1 --exclude_fields labels
Comment:
--exclude_fields is used here to exclude Cortex XSOAR context labels; the macro below always passes labels for this argument.
Splunk Macro:
Macro Name: xsoar_incidents(2)
Arguments:
1. date_range_by_from
2. date_range_from_value
Definition:
| xsoarsearch --date_range_by_to hours --date_range_by_from $date_range_by_from$ --date_range_to_value 0 --date_range_from_value $date_range_from_value$ --exclude_fields labels
The dashboard replicates the default Cortex XSOAR Incident Dashboard and is designed to provide a baseline and a starting point for further per-customer requirements. The dashboard's base search uses the cortex_xsoar_incidents KV store. This KV store is populated and updated continuously by two scheduled searches: a daily search for retrospective data updates and an hourly search for near real-time updates.
A few considerations arise from this setup. To make sure the dashboard reflects the latest data, run the hourly search manually. To verify that retrospective data is fully synchronised with the SOAR database, run the daily search manually.
If additional panels with custom fields are required, you can easily extend the dashboard's capabilities by adding more fields to the KV store and modifying both scheduled searches accordingly. This flexibility allows the dashboard to be tailored to specific needs while maintaining a consistent and up-to-date view of Cortex XSOAR incidents.
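The two scheduled searches described above, written out as an added savedsearches.conf example that is not part of the app's own configuration. It assumes a lookup definition named cortex_xsoar_incidents pointing at the KV store collection, and that xsoarsearch returns the Cortex XSOAR incident id in a field called id (both assumptions; check the app's transforms.conf and the command output in your environment).

```ini
# Added example, not the app's own savedsearches.conf.
# Assumptions: lookup definition "cortex_xsoar_incidents" maps to the KV store
# collection, and xsoarsearch emits the XSOAR incident id in a field named "id".

# Hourly search: pulls the last hour of incidents via the app's macro and
# upserts them into the KV store. Keying on the incident id means a re-run
# (for example a manual execution) updates rows instead of duplicating them.
[XSOAR Incidents - Hourly]
enableSched = 1
cron_schedule = 5 * * * *
search = `xsoar_incidents(hours,1)` \
| eval _key=id \
| outputlookup cortex_xsoar_incidents append=true key_field=_key

# Daily search: re-pulls a wider window (24 hours here, an assumed value) so
# incidents changed in XSOAR after the hourly pickup are brought back in sync.
# Both searches use "hours" as the time unit, as in the app's documented macro.
[XSOAR Incidents - Daily]
enableSched = 1
cron_schedule = 15 2 * * *
search = `xsoar_incidents(hours,24)` \
| eval _key=id \
| outputlookup cortex_xsoar_incidents append=true key_field=_key

# Dashboard base search (not scheduled; reads what the two searches wrote):
#   | inputlookup cortex_xsoar_incidents
```

To add a custom field to a panel, it only has to appear in the xsoarsearch output of both searches and in the collection's field list; the outputlookup lines need no change.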
For support, you can contact:
- Tudor Pascaru via LinkedIn: https://www.linkedin.com/in/tudor-pascaru-75141398
Splunk SDK Update: Updated the Splunk SDK for Python to version 2.1.0 to enhance compatibility, performance, and security.
| xsoarsearch Command Update: Updated the parameters for the xsoarsearch command to improve flexibility and user control over query execution.
Macro Update: Modified the configuration of macros to optimize functionality and enhance ease of use.
Saved Searches Update: Implemented changes to saved searches to improve performance and support additional query options.
README Update: Modified the README document.
Compatibility Fix: Fixed an incompatibility issue affecting some Victoria (Splunk Cloud) customers.
Splunk SDK Update: Updated the Splunk SDK for Python to version 2.0.2 to enhance compatibility, performance, and security.
This release includes enhanced compatibility with Splunk Cloud.
Requires communication between the Splunk and Cortex XSOAR servers to be secured with SSL encryption using a certificate.