How to run a playbook triggered by a Windows servi...

barisaydogmusog · ‎10-05-2020

Hi,

Here is my scenario:

There are many Windows servers where the Windows service information is flowing to my Splunk enterprise. There is also a Phantom instance available.

I would like to run a playbook on phantom once a given service’s status is “stopped”.

Would you please share me if there a documentation or sample playbook to achieve it.

Regards

phanTom · ‎10-07-2020

@barisaydogmusog there is a WINRM app that would allow you to either run a command/script on the endpoint side. (https://my.phantom.us/4.9/docs/app_reference/phantom_winrm)

1. You will need the Splunk alert to check for failed/stopped services and send an alert through to Phantom with the service name/other information to help the script/command, such as the hostname etc.
2. Build a playbook against the label that these events come in as that will use the information in the event to build the command or provide necessary arguments to the script and run the action(s).

I have not used the above app myself but looking through the docs, it looks like it will provide the capability you require.
Also take a look through the community playbooks and see if there is any examples that are similar to your use case.

How to run a playbook triggered by a Windows service information stopping?

administration

development

using Phantom

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!