Artifacts

Fetches artifacts from Splunk SOAR for security operations and incident tracking.

Sync Type: Incremental Synchronisation

Requirements

Before configuring this input, you need:

  1. A Splunk SOAR Instance — An active Splunk SOAR deployment with network access from Monad.

  2. Create an Auth Token — To generate a Splunk SOAR authentication token:

    • Log in to your Splunk SOAR instance
    • Navigate to Administration → User Management → Users
    • Click on your user account
    • Select the Token tab
    • Click Create New Token
    • Copy the generated token and securely store it

Details

Monad retrieves artifacts from Splunk SOAR incrementally using the update_time field to track which artifacts have been modified since the last sync. On the first run, all artifacts are fetched. On subsequent runs, only artifacts updated after the LastArtifactUpdateTime cursor position are retrieved.

Data Retrieval Flow

  1. Calls GET /rest/artifact with query parameters:
    • sort=update_time and order=asc (ascending order by update time)
    • page=0 and page_size=200 (200 records per page)
    • _filter_update_time__gt filter on subsequent runs (RFC3339 formatted timestamp)
  2. Processes all artifacts in the data array and emits each as a separate record
  3. Paginates using the page parameter and num_pages from the response
  4. After processing all pages, checkpoints the maximum update_time seen across all artifacts
  5. On the next run, uses the checkpointed LastArtifactUpdateTime to skip artifacts not modified since the last sync
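The retrieval flow above, as an added Python example (not Monad's own code): build_query produces the documented query parameters, sync_artifacts walks every page using num_pages and checkpoints the maximum update_time as the new LastArtifactUpdateTime, and fake_soar is a constructed in-memory stand-in for GET /rest/artifact so the run works offline. It assumes the filter value is passed as a bare RFC3339 string; check the SOAR REST documentation for the exact quoting it expects.

```python
from datetime import datetime
from typing import Callable, Optional

PAGE_SIZE = 200  # page_size documented for this input


def parse_ts(ts: str) -> datetime:
    # Compare as datetimes, not strings; fromisoformat accepts "Z" only from 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def build_query(page: int, last_update: Optional[str]) -> dict:
    params = {"sort": "update_time", "order": "asc", "page": page, "page_size": PAGE_SIZE}
    if last_update:  # subsequent runs only; the first run fetches every artifact
        params["_filter_update_time__gt"] = last_update  # assumed: bare RFC3339 value
    return params


def sync_artifacts(fetch: Callable[[dict], dict], last_update: Optional[str]):
    """One incremental run: walk all pages, return (records, new LastArtifactUpdateTime)."""
    records, checkpoint, page = [], last_update, 0
    while True:
        resp = fetch(build_query(page, last_update))
        for art in resp.get("data", []):
            records.append(art)  # each artifact is emitted as its own record
            ut = art.get("update_time")
            if ut and (checkpoint is None or parse_ts(ut) > parse_ts(checkpoint)):
                checkpoint = ut  # checkpoint = maximum update_time seen so far
        page += 1
        if page >= int(resp.get("num_pages", 1)):
            return records, checkpoint


def fake_soar(artifacts: list, page_size: int = 2) -> Callable[[dict], dict]:
    """Constructed in-memory stand-in for /rest/artifact; a small page_size forces paging."""
    def fetch(params: dict) -> dict:
        rows = artifacts
        if params.get("_filter_update_time__gt"):
            after = parse_ts(params["_filter_update_time__gt"])
            rows = [a for a in rows if parse_ts(a["update_time"]) > after]
        rows = sorted(rows, key=lambda a: parse_ts(a["update_time"]))  # sort=update_time, asc
        start = params["page"] * page_size
        return {"data": rows[start:start + page_size], "num_pages": max(1, -(-len(rows) // page_size))}
    return fetch
```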

Configuration

The following tables define the input parameters. For each field, its type, whether it is required, and a description are listed below.

Settings

Setting  | Type   | Required | Description
---------|--------|----------|------------
Base URL | string | Yes      | Base URL of the Splunk SOAR instance (e.g., https://soar.example.com). Must start with http:// or https://.
Cron     | string | Yes      | Standard cron expression for scheduling when this input runs.

Secrets

Secret     | Type   | Required | Description
-----------|--------|----------|------------
Auth Token | string | Yes      | Splunk SOAR authentication token. Sent as the ph-auth-token request header.

Rate Limits

Scope        | Limit | Window     | Notes
-------------|-------|------------|------
API Requests | 10    | Per second | Conservative limit; Splunk SOAR does not publicly document exact REST API rate limits

Source: Conservative estimate based on typical enterprise API rate limiting practices.

Sample Record

{
  "cef": {
    "baseEventCount": "293",
    "destinationPort": "33696",
    "dst": "200.196.127.56",
    "fileHash": "67dc201e-51f8-affb-b90b-4461636b8ff8",
    "sourceAddress": "10.191.112.214",
    "sourcePort": "29812",
    "startTime": "2026-04-28T14:03:47Z"
  },
  "cef_types": {},
  "container": 92,
  "create_time": "2026-04-28T14:03:47Z",
  "end_time": "2026-04-28T14:03:47Z",
  "has_note": true,
  "hash": "0a2e9917-e68e-92e2-09ab-7d54fc3a6891",
  "id": 1463,
  "in_case": true,
  "label": "network",
  "severity": "high",
  "source_data_identifier": "7367",
  "start_time": "2026-04-28T14:03:47Z",
  "tags": [],
  "type": "process",
  "update_time": "2026-04-28T14:03:47Z",
  "version": 1
}