Solved: How to Read Comments in Playbooks

SOARt_of_Lost · ‎09-06-2023

With SOAR 6.1's addition of the "Run automatically when" field, it would be great to be able to run a playbook on container resolution that can read the closure comment. Bonus points if you can explain why Comment data is separate from Event data in the export while notes aren't.

SOARt_of_Lost · ‎10-18-2023

You can read the comments on a container by using the the API in a code or custom function block.

comment_url = phantom.build_phantom_rest_url('container', container_id, 'comments')

comment_resp_json = phantom.requests.get(comment_url, verify=False).json()

if comment_resp_json.get('count', 0) > 0:
    phantom.debug(comment_resp_json)

You can then parse the comments to your heart's content.

View solution in original post

SOARt_of_Lost · ‎10-18-2023

You can read the comments on a container by using the the API in a code or custom function block.

comment_url = phantom.build_phantom_rest_url('container', container_id, 'comments')

comment_resp_json = phantom.requests.get(comment_url, verify=False).json()

if comment_resp_json.get('count', 0) > 0:
    phantom.debug(comment_resp_json)

You can then parse the comments to your heart's content.

How to Read Comments in Playbooks

development

using SOAR ⁄ Phantom

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk