Splunk Enterprise Security

Phantom - Assign Container/Case to Self - Playbook

jamolson
Path Finder

I am working on automating some minor things and I want to add in a step to have the playbook assign the container or case to the user running the playbook.
I am currently using a rest call to get the last user who opened the current item but there are some issues with this.

Does anyone know if there is a more specific call to get the current user value in Phantom like Splunk can with

| rest /services/authentication/current-context
| table username

0 Karma
1 Solution

1549359
Engager

have used something like below in the playbook for the same

playbook_info = phantom.get_playbook_info()
phantom.set_owner(container, playbook_info[0]['effective_user_id']),I have used something below in my playbook. 

playbook_info = phantom.get_playbook_info()
phantom.set_owner(container, playbook_info[0]['effective_user_id'])

View solution in original post

0 Karma

1549359
Engager

have used something like below in the playbook for the same

playbook_info = phantom.get_playbook_info()
phantom.set_owner(container, playbook_info[0]['effective_user_id']),I have used something below in my playbook. 

playbook_info = phantom.get_playbook_info()
phantom.set_owner(container, playbook_info[0]['effective_user_id'])

0 Karma

jamolson
Path Finder

Thank you very much, this is perfect.

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...