Hey folks, Did anyone ever faced a challenge on having hundreds of thousands of events stuck in phantom_retry kv store that are aged enough? I see in the logs that quite often Splunk complains about the size of phantom_retry and I would like to see/clean up that queue and move on from there. Any idea? I looked over the documents and there is no instruction on that matter. Also, if I do "| inputlookup phantom_retry_lookup" it returns nothing. Using the lookup editor app I can only see this empty as well. Any clue? Thanks! ... View more

Hi guys, I'm trying to isolate what is being responsible for most of the data size on phantom. My data/db/base folder is huge and it keeps growing even though the logging level is really low and the vault is not something that I often use. /opt/phantom/data]$ du -hsx * | sort -rh | head -10 | grep db 2.6T db Is there any way for me to query and see what is consuming much space and maybe delete some old stuff? I know that Phantom has those scripts to remove containers and etc but I personally don't think containers are the bad guys in this context, and the way it is I don't have like double the space available to do a Vacuum if I delete them all. Thanks! ... View more

Hi folks, I'm evaluating a situation related to enabling SAML auth on SOAR but earlier I was using local accounts. Because of that, objects like assets, playbooks, etc are currently tied to the local user ids, and SAML users have different user ids. I'm looking for ideas on how to update that ownership from local to SAML new user id in order to have the users still owning those objects after changing their login type. Or, another option but that will be unlikely to be something doable, but if I could have the SAML login to use the same user id as the local (like one replace the other) would also be interesting to explore. ... View more

Hi folks, We've been using Phantom for a while now and currently implementing SAML integration. The concerning part is that the objects (assets, playbooks, permissions...) are set to ids instead of usernames, so logins via SAML generates new user ids, and we have to remap those objects form that particular local user to the current SAML user id. Is there any way to do that via REST or did anyone ever built a playbook to make that change? My idea is to rename the local users appending a "_local" to the username and ask the users to login via SSO, then have a routine that identifies SAML username = local username +"_local" and move the objects from this local id to the new SAML id. Doable? ... View more

Hi guys, I'm trying to control whenever I have to send an event to ServiceNow or not, and that's what I've done so far. Basically, I need to check if the query results exceed a threshold. If it does, I need to update a lookup with that value and run a snoweventstream command with severity > 0. If the result is below the threshold, I need to do the same update in the lookup with that value and run a snoweventstream command with severity = 0. Have any of you guys already done something similar and do you have some ideas on how I can perform that? This is basically a draft of what it would be (in a high level): eval lastStatus=(subsearch inputlookup x.csv | get status where alert_name = something) MyQuery if fieldA > 10 then if (lastStatus == 0) then append x.csv fieldB, fieldC, 1 AND eval alerted=(subsearch that eval some fields and trigger snoweventstream command with severity 1) else if (lastStatus == 1) then append x.csv fieldB, fieldC, 0 AND eval alerted=(subsearch that eval some fields and trigger snoweventstream command with severity 0) Thank you in advance! ... View more