Splunk SOAR (f.k.a. Phantom)

Disable Active Playbook from Automatically Running When Artifact Added

stauff
Explorer

Hello All!  I'm trying to figure out how to stop an active playbook from auto running when an artifact is added to a case via the GUI.  I can't seem to find any documentation or option to turn this functionality off.  Is there a setting for this?  Or do I need to add logic to my playbook so it cancels itself if it has already been run on the current container?


phanTom
SplunkTrust

@stauff there are a few ways to stop this; my main preference is only adding artifacts via methods where you can stipulate run_automation = False. The 3 ways this is possible at the moment are:

  • REST call to add the artifact and set run_automation to False (see the Artifact REST Docs)
  • Use the Phantom Phantom app's add_artifact call and untick the run_automation option
  • Use the extract_ioc action in the Parser app and untick the run_automation option

The issue is that if you add manually to a container, it will NOT provide this option, so in this case it would be best to add a tag to the event to state it's been "processed" already and then have a decision at the beginning that looks for that tag and ends if it exists. This can get messy in the activity pane if you are adding a lot manually, but it will work.

Personally I would recommend controlling the addition of artifacts by a playbook, maybe with a prompt for artifact info and then use REST or the add_artifact to add the data with the run_automation set to False. 

Hope this helped? If so please upvote.
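As an added example (not code from the original post or from Splunk), here is a small Python helper that covers both options above: building the POST /rest/artifact body with run_automation set to False, and the "processed" tag guard a playbook's first decision block can use. The base URL, token, container id and CEF values are placeholders.

```python
import json
import urllib.request

# Placeholder values for illustration only (assumptions, not from the post).
SOAR_BASE_URL = "https://soar.example.invalid"
SOAR_TOKEN = "<automation-user-token>"
PROCESSED_TAG = "processed"


def build_artifact_payload(container_id, name, cef, label="event", run_automation=False):
    """Body for POST /rest/artifact. run_automation=False is the key field:
    it tells SOAR not to kick off active playbooks for this artifact."""
    return {
        "container_id": container_id,
        "name": name,
        "label": label,
        "cef": dict(cef),
        "run_automation": bool(run_automation),
    }


def post_artifact(payload, base_url=SOAR_BASE_URL, token=SOAR_TOKEN):
    """POST the artifact using an automation-user token (ph-auth-token header)."""
    req = urllib.request.Request(
        f"{base_url}/rest/artifact",
        data=json.dumps(payload).encode(),
        headers={"ph-auth-token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def already_processed(container, marker=PROCESSED_TAG):
    """Guard for the first decision block: True when the container (a dict as
    returned by the container API) already carries the marker tag, so the
    playbook should end instead of running a second time."""
    return marker in (container.get("tags") or [])


def mark_processed(container, marker=PROCESSED_TAG):
    """Tag list to write back to the container once the playbook has run."""
    tags = list(container.get("tags") or [])
    if marker not in tags:
        tags.append(marker)
    return tags


if __name__ == "__main__":
    # Constructed sample: an analyst-supplied indicator added without automation.
    sample = build_artifact_payload(42, "analyst ioc", {"sourceAddress": "203.0.113.7"})
    print(json.dumps(sample, indent=2))
```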

