Splunk SOAR (f.k.a. Phantom)

Disable Active Playbook from Automatically Running When Artifact Added

stauff
Explorer

Hello All!  I'm trying to figure out how to stop an active playbook from auto running when an artifact is added to a case via the GUI.  I can't seem to find any documentation or option to turn this functionality off.  Is there a setting for this?  Or do I need to add logic to my playbook so it cancels itself if it has already been run on the current container?

1 Solution

phanTom
SplunkTrust

@stauff there are a few ways to stop this; my main preference is only adding artifacts via methods where you can stipulate run_automation = False. The 3 ways this is possible at the moment are:

  • REST call to add the artifact and set run_automation to False (see the Artifact REST docs)
  • Use the Phantom Phantom app's add_artifact call and untick the run_automation option
  • Use the extract_ioc action in the Parser app and untick the run_automation option

The issue is that if you add manually to a container, it will NOT provide this option, so in this case it would be best to add a tag to the event to state it's been "processed" already and then have a decision at the beginning that looks for that tag and ends if it exists. This can get messy in the activity pane if you are adding a lot manually, but it will work.

Personally I would recommend controlling the addition of artifacts by a playbook, maybe with a prompt for artifact info and then use REST or the add_artifact to add the data with the run_automation set to False. 

Hope this helped? If so please upvote.
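The two approaches from the accepted answer, written out as a Python sketch. This is an added example, not code from the thread or from Splunk: the `processed` tag name, the `event` label and the `base_url`/`token` values are assumptions, while `/rest/artifact`, the `run_automation` artifact field and the `ph-auth-token` header are the documented SOAR REST interface.

```python
import json
import urllib.request

# Guard tag the playbook stamps on a container it has already handled.
# The answer only says "a tag"; the name "processed" is an assumption.
PROCESSED_TAG = "processed"


def already_processed(container: dict, tag: str = PROCESSED_TAG) -> bool:
    """Decision-block logic: True if the container already carries the guard tag.

    `container` is the dict a playbook receives (or GET /rest/container/<id>
    returns); its 'tags' key is a list of strings and may be absent.
    """
    return tag in (container.get("tags") or [])


def artifact_payload(container_id: int, cef: dict, name: str,
                     label: str = "event") -> dict:
    """Body for POST /rest/artifact with automation suppressed, so adding the
    artifact does not re-trigger active playbooks on the container."""
    return {
        "container_id": container_id,
        "name": name,
        "label": label,
        "cef": cef,
        "run_automation": False,   # the setting the answer recommends
    }


def post_artifact(base_url: str, token: str, payload: dict) -> dict:
    """Send the payload to SOAR using an automation-user token.
    base_url and token are deployment-specific placeholders."""
    req = urllib.request.Request(
        f"{base_url}/rest/artifact",
        data=json.dumps(payload).encode(),
        headers={"ph-auth-token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:   # TLS verification left on
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample container, shaped like the container REST response.
    sample = {"id": 42, "name": "Phishing report", "tags": ["processed"]}
    if already_processed(sample):
        print("guard tag present: playbook would end here")
    body = artifact_payload(42, {"sourceAddress": "203.0.113.5"}, "manual ioc")
    print(json.dumps(body, indent=2))
```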

