Splunk SOAR (f.k.a. Phantom)

How do I get a phantom user object from the API?

nhammSplunk
Explorer

What's the api command to get the current logged-in user without specifying the user id. I want to type phantom.get_user() and have the attributes of the logged-in user returned.

0 Karma
1 Solution

phantom_mhike
Path Finder

Within the context of a playbook you can use this to get the user that executed the playbook. This is only effective if a user manually executed the playbook, otherwise it will just return the id of the automation user.

user_id = phantom.get_effective_user()

Hopefully that answers your question. Outside of the context of playbook execution, the premise of "the current logged in user" doesn't make any sense. Any number of users could be logged in at any given time.


DanielEhrlich
Engager

Is there a way to map the id number to the user name?

0 Karma

phanTom
SplunkTrust

@DanielEhrlich yes, if you pass the ID into /rest/ph_user/<id>, it will return a dictionary with all the user information.

techlord
New Member

Can you point me to documentation for the phantom.get_effective_user() function? From what was stated in the above solution, it seems safe to assume that if an ID (number) is returned by phantom.get_effective_user(), then the user running the playbook is an automated user, but I would like to get confirmation.

Thanks!

0 Karma

phanTom
SplunkTrust

@techlord the API to use to get a playbook's effective_user inside the playbook is phantom.get_playbook_info()

This then returns a JSON where the 'effective_user' key will be the ID of the user running the playbook. The out-of-the-box automation account is 2 and admin is 1 so any other number would generally relate to an actual user account running the playbook. 

You can have multiple automation accounts but they would only appear with this API if they were used to run the playbook, which is a manual change to the default settings in the playbook settings.

Playbooks can be run under user or automation scope and this API will be able to tell you the ID of the initiator and you can use it for other actions downstream if required, such as dynamically prompting the person who ran the playbook. 

0 Karma
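Putting the two answers together (the 'effective_user' ID from phantom.get_playbook_info() and the lookup via /rest/ph_user/<id>), here is an added helper that is not from this thread or from Splunk SOAR itself. It assumes the user record carries a 'username' field (shown in the REST answer) and optionally a 'type' field, and the in-playbook lookup sketched in the comments assumes phantom.requests and phantom.build_phantom_rest_url; the sample data is constructed so the helper runs offline.

```python
# Added example, not code from the thread or from SOAR: resolve who started a
# playbook so that downstream steps (e.g. prompting) only target a real person.

DEFAULT_AUTOMATION_ID = 2  # stock automation account per the answer above (admin is 1)


def resolve_initiator(playbook_info, fetch_user):
    """Return (user_id, username, is_human) for the account running the playbook.

    playbook_info: what phantom.get_playbook_info() returns; a one-element list
                   or a plain dict are both accepted.
    fetch_user:    callable(user_id) -> dict from GET /rest/ph_user/<id>,
                   or None when the lookup fails.
    """
    info = playbook_info[0] if isinstance(playbook_info, list) else playbook_info
    if "effective_user" not in info:
        raise ValueError("playbook info carries no 'effective_user' key")
    user_id = int(info["effective_user"])

    record = fetch_user(user_id)
    if not record:
        # Unknown ID: report it, but never treat it as a person to prompt.
        return user_id, None, False

    # 'type' is an assumed field name; the ID comparison alone follows the
    # thread's rule of thumb (2 = stock automation account).
    is_automation = (user_id == DEFAULT_AUTOMATION_ID
                     or str(record.get("type", "")).lower() == "automation")
    return user_id, record.get("username"), not is_automation


# Assumed usage inside a SOAR playbook (the phantom module only exists there):
#   import phantom.rules as phantom
#   def soar_fetch_user(uid):
#       resp = phantom.requests.get(phantom.build_phantom_rest_url("ph_user", uid),
#                                   verify=False)
#       return resp.json() if resp.ok else None
#   uid, name, human = resolve_initiator(phantom.get_playbook_info(), soar_fetch_user)

# Constructed sample data standing in for the live API.
SAMPLE_PLAYBOOK_INFO = [{"id": 12, "name": "triage", "effective_user": 7}]
SAMPLE_USERS = {
    1: {"id": 1, "username": "admin"},
    2: {"id": 2, "username": "automation", "type": "automation"},
    7: {"id": 7, "username": "jdoe"},
}


def sample_fetch_user(user_id):
    return SAMPLE_USERS.get(user_id)  # None for an unknown ID, like a failed GET
```

resolve_initiator(SAMPLE_PLAYBOOK_INFO, sample_fetch_user) yields (7, 'jdoe', True), while an effective_user of 2 yields (2, 'automation', False).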

nhammSplunk
Explorer

Thanks! This is exactly what I needed.

0 Karma