topic Re: Callback actions on container's status change in Splunk SOAR

Callback actions on container's status change

drew19 — Wed, 05 May 2021 11:46:36 GMT

Hi,

I would like to know if there is the possibility to automatically trigger a playbook when there is a change in the status of a container (e.g. when it becomes "Closed")?

Thank you in advance!

Re: Callback actions on container's status change

phanTom — Mon, 10 May 2021 08:46:13 GMT

@drew19 unfortunately not out of the box. However it could be done, but there would be "some" lag.

Just some ways I can think of:
* Externalise the Splunk data and use SPL to look for a change in container status and send a container to phantom with relevant data to then drive the automation against the original container.

* Persist a list of containers and have a timer app create a container on a schedule to check the list and if any entry changes from x to 'closed' take action and delete the entry from the list.

Hope this helps give you some ideas/possibilities?

Re: Callback actions on container's status change

drew19 — Mon, 10 May 2021 09:13:09 GMT

Hi Tom,

thank you for your answers.

These are the same ideas come into my mind, but they cannot help.

We don't like to create further containers just to close other ones, also considering the fact that we are dealing with tons of containers (we do not want "2xTonsOfContainers").

The same applies for externalization and, moreover, we have a very big external Splunk infrastructure... so to externalize is not trivial.

Probably this is a product limitation 😞

Re: Callback actions on container's status change

phanTom — Mon, 10 May 2021 09:25:55 GMT

@drew19
"We don't like to create further containers just to close other ones, also considering the fact that we are dealing with tons of containers (we do not want "2xTonsOfContainers")."
- The 2xTon stuff could be tackled by sending a list of containers through so only 1 container per xTon of containers. This would rely on your schedule, or in the playbook 'only do stuff if x number of results found, otherwise wait for the next scheduled run'.
- Your example was more 'once closed <do stuff>' but again if you take the list of containers to act upon approach and ensure the new container is closed once it's finished I really don't see the issue when it's going to provide consistent automation activities you are currently doing manually.
- Getting the data into Splunk is simple:
1. Install the Phantom Remote Search App on IDX & SH layer
2. Create HEC Token on HEC reciever (if you don't have one already a HFW will usually do)
3. Put some configuration options into the External Splunk view on Phantom
4. Watch all the lovely data be ingested
4.1 This is a highly recommended capability as the Phantom data is very rich and usable in SPL for either monitoring automation and/or reporting on Phantom utilisation.

You are correct that it's a product limitation, for now ;), but as they are leaning heavily on the Case Management aspects I would expect to see new ways of triggering automation coming in future iterations *wink *wink (forward looking statements apply).

Re: Callback actions on container's status change

drew19 — Mon, 10 May 2021 09:52:24 GMT

@phanTom

what we have to do is simple: when a container is closed we have to trigger an action ("update email") through the Exchange (on-premise) App.

This is not a major feature of our use-case but it would be a "icing on the cake" because it would let us to understand something about an email without logging into Phantom.

Given this, we would like a simple (to develop, test, integrate, test again) solution for such a minor feature.

However, just to evaluate it further, do you know where can I find APIs in order to query for the "status of a set of containers under a certain label"?

Thank you.

Re: Callback actions on container's status change

phanTom — Mon, 10 May 2021 10:35:23 GMT

@drew19
When you send an email automatically you could update a custom list with the container_id & the mail_id and any other useful information for the update action(s). Then on a schedule check the status of each container_id, if closed use to the mail_id to run the update_email action then delete the entry from the list upon success.
This would take a relatively small time to setup and test.

For your other question you need to use REST and hit the 'container' endpoint with some filtering.
<your_phantom_url>/rest/container?_filter_label='"<your_label>"'&page_size=0&sort=id&order=desc

If using the phantom.requests() API you need to set it up like this:

url = phantom.build_phantom_rest_url('container') params = [('_filter_label', '"<label>"'), ('page_size', 0), ('sort', 'id'), ('order', 'desc')] r = phantom.requests.get(url, params=params, verify=False) response = r.json()

verify=False is only if you don't have valid certs on Phantom.

Docs links:
Filtering REST: https://docs.splunk.com/Documentation/Phantom/4.10.3/PlatformAPI/RESTQueryData
Sessions API: https://docs.splunk.com/Documentation/Phantom/4.10.3/PlaybookAPI/SessionAPI