Has anyone used the Splunk SOAR integration for InsightVM? (note, this is different to the Rapid7 InsightVM Technology Add-On for Splunk). GitHub - splunk-soar-connectors/insightvm
I’ve got it working to a degree. I can connect and pull data, but I’m having trouble getting the syntax right in the playbooks, specifically the filter syntax. For example I can use the “find assets” action to get the ID of an asset based on hostname, but only if I hard code the host-name value.
e.g. this works: [{"field": "host-name", "operator": "starts-with", "value": "examplehostname"}]
But I'm wanting to use the destinationHostName from the Event: [{"field": "host-name", "operator": "starts-with", "value": artifact:*.cef.destinationHostName}] which throws an error: "Error parsing filters. Details: Error Message: Expecting value: line 1 column 61 (char 60)"
Would love if someone could post a working example for the Find Assets and Get Asset Vulnerabilities actions.
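An added illustration of what that parser error is telling you, not code from the poster or from the splunk-soar-connectors/insightvm project: char 60 of the failing filter string is exactly where the unquoted datapath text begins, so the connector's JSON parser never saw a string value. Building the filter with json.dumps in a playbook code block avoids this and also escapes any odd characters in the hostname. The parameter name "filters", the phantom.act call shape and the sample artifact are assumptions for the example.

```python
import json

# Constructed sample artifact in the shape SOAR hands a playbook (assumption, not real data)
SAMPLE_ARTIFACTS = [{"cef": {"destinationHostName": "web01.example.internal"}}]

def naive_filter(hostname):
    """Plain string interpolation: reproduces the poster's failure (value is never quoted)."""
    return '[{"field": "host-name", "operator": "starts-with", "value": ' + hostname + '}]'

def parse_error_position(text):
    """Return the char offset json.loads complains about, or None if the text parses."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as exc:
        return exc.pos

def build_asset_filter(hostname, operator="starts-with"):
    """Return the InsightVM search filter as JSON text, with the hostname properly quoted/escaped."""
    if not isinstance(hostname, str) or not hostname.strip():
        # Refuse to run an asset search with an empty filter: it would match far more than intended
        raise ValueError("destinationHostName missing or empty")
    return json.dumps([{"field": "host-name", "operator": operator, "value": hostname.strip()}])

def find_assets_params(artifacts):
    """One parameter dict per artifact that carries a destinationHostName.
    'filters' is assumed to be the action's parameter name (check the app's action docs)."""
    params = []
    for art in artifacts:
        host = art.get("cef", {}).get("destinationHostName")
        if host:
            params.append({"filters": build_asset_filter(host)})
    return params

# In a SOAR playbook code block this would then be passed to the app, e.g. (assumed call shape):
#   phantom.act("find assets", parameters=find_assets_params(container_artifacts),
#               assets=["insightvm"], callback=on_find_assets, name="find_assets_1")
# and the asset id from the result feeds the get asset vulnerabilities action.
```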