Splunk Enterprise Security

Phantom - Assign Container/Case to Self - Playbook

jamolson
Path Finder

I am working on automating some minor things and I want to add in a step to have the playbook assign the container or case to the user running the playbook.
I am currently using a rest call to get the last user who opened the current item but there are some issues with this.

Does anyone know if there is a more specific call to get the current user value in Phantom like Splunk can with

| rest /services/authentication/current-context
| table username

0 Karma
1 Solution

1549359
Engager

have used something like below in the playbook for the same

playbook_info = phantom.get_playbook_info()
phantom.set_owner(container, playbook_info[0]['effective_user_id']),I have used something below in my playbook. 

playbook_info = phantom.get_playbook_info()
phantom.set_owner(container, playbook_info[0]['effective_user_id'])

View solution in original post

0 Karma

1549359
Engager

have used something like below in the playbook for the same

playbook_info = phantom.get_playbook_info()
phantom.set_owner(container, playbook_info[0]['effective_user_id']),I have used something below in my playbook. 

playbook_info = phantom.get_playbook_info()
phantom.set_owner(container, playbook_info[0]['effective_user_id'])

0 Karma

jamolson
Path Finder

Thank you very much, this is perfect.

0 Karma
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques

Hello! We are excited to kick off a new series of blogs from SplunkTrust member ITWhisperer, who demonstrates ...

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...