topic custom status update for notable event using phantom playbook in Splunk SOAR

custom status update for notable event using phantom playbook

kvswathi — Sun, 07 Jun 2020 17:46:15 GMT

Hi All,

I have to update the notable event status using phantom. But the status are custom created ones , not the default status available in splunk app for phantom so its is throwing error in playbook "invalid status"

Can any one have a suggestion here to update the custom status.

Re: custom status update for notable event using phantom playbook

sam_splunk — Mon, 26 Aug 2019 15:57:26 GMT

This is not yet supported but a feature request is in place (at the time of this writing).

Re: custom status update for notable event using phantom playbook

kvswathi — Tue, 27 Aug 2019 05:26:51 GMT

Thank you for the update

Re: custom status update for notable event using phantom playbook

cblumer_splunk — Wed, 30 Sep 2020 02:00:46 GMT

The HTTP App for Phantom can be used to perform a POST request to the Splunk ES API to change the status of a Notable Event to any custom status you may have defined:

https://my.phantom.us/4.5/docs/app_reference/phantom_http#post-data
https://docs.splunk.com/Documentation/ES/5.3.0/API/NotableEventAPIreference

You will want to use the ID value of the custom status defined in revewstatuses.conf:

"A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event."

Re: custom status update for notable event using phantom playbook

ansusabu — Thu, 31 Oct 2019 07:35:31 GMT

Since the feature is not implemented yet, you can use the below query to update custom status for the notable in Splunk from Phantom.

| makeresults | eval rule_id="<id>", status="<custom status>", comment="<enter comment here>", owner="<owner name>", user="<owner name>" , event_id="<id>", time="<time>" , rule_name="<rule name>", urgency="<urgency>"| table comment event_id owner rule_id rule_name status time urgency user | outputlookup append=true incident_review_lookup