Splunk Phantom

Recommendations for naming conventions and organization of playbooks in Phantom?


I'm very new to Phantom. Can someone provide some guidance or advice for naming playbooks and what has worked or hasn't worked? We will be starting with a small team that may grow larger working on various playbooks for the SOC.

I come from a coding background so I'm trying to keep things organized and consistent. I've typically used a folder structure to organize files, but it doesn't appear that this can be done. I see there are other fields we can use, but I'm not sure if we should use these fields for organization for the development of playbooks. There are labels, tags, categories, and repos.

Anyway, can some experts out there provide some guidance or share your naming conventions and what other fields you're using?

I was thinking of something like the following for playbook names:

usage_dataType_app_description

usage: Who is using it, is this a playbook for the SOC to use or a playbook that's used just by other playbooks to call apps and return data.
dataType: Is this for Emails, Web, URL, Files, etc.
app: What app this is calling or what we're connecting to (LDAP, API, etc.).
description: Short, few word description like UrlAnalysis.

Thanks, guys.


Re: Recommendations for naming conventions and organization of playbooks in Phantom?


I highly recommend naming your playbooks concisely based on what they are intended to do at a high level. The primary reason that I suggest this is that within the mission control view, you have a limited width for displaying the playbooks' execution history. If you prepend playbook names with a lot of metadata, you end up only seeing a truncated version of the playbook name in the activity pane, and that truncated detail ends up giving you no context for what the playbook actually did.

I highly suggest using the name of the playbook as simply a high-level description of what the playbook does, i.e. "Infected Workstation Remediation". You can use the description field in the playbook to add a detailed description of how it accomplishes that. Tags are very effectively used to demonstrate teams that are using it as well as object types that are used in it.

As of 4.5 (I think) your playbook listing provides you apps, actions, assets, and playbooks used, so you don't need to specify that content in the name.

Attempting to keep this kind of data in a playbook name can be exceedingly problematic since this metadata will change over time and you will have to update playbook names, which in turn requires wiki documentation to be updated, Phantom calls to sub-playbooks to be updated, etc. The fewer changes you have to make to top-level playbook names over time, the less trouble it will cause you.
