To create and activate a Normalize Artifact Playbook, perform the following procedure.

Prerequisites

Grant Artifact Permissions to the Automation User

Procedure

  1. Open the Splunk SOAR console.
  2. In the left navigation bar, click Playbooks.
  3. Drag and release the blue node to get started. Select Action.

    [Figure: Add action to a playbook]

  4. From the Available Apps menu, select Carbon Black Cloud.
  5. From the Available Actions menu, select normalize artifact.
  6. From the Available Assets menu, select an asset.
    Note: Polling on the asset must be disabled.
  7. Map two input parameters:
    1. Map raw to artifacts > _raw.
    2. Map artifact_id to the id field of the artifact headers.
  8. Drag the blue node to the END block. Enter the name of the playbook in the corresponding field.

    [Figure: Playbook taken to END block]

  9. Click Save.
  10. Enter a comment to save the playbook. Click Save.
  11. Go to the Playbooks page. In the Status column, set the status of the playbook to Active.

    [Figure: Set the playbook to active from the dropdown menu]