Splunk SOAR (f.k.a. Phantom)

How to run a Phantom playbook from a Splunk dashboard

AlexBryant
Path Finder

I have a Phantom playbook that will take security-related actions on any arbitrary host on my network. These actions might need to be taken at any time of day, on weekends, holidays, etc., so I need to make sure any member of my 24/7 security operations center can run the playbook. I'm looking for a way they can initiate the playbook without explicitly logging into Phantom.

Is there a way that a Splunk dashboard can start a Phantom playbook, after accepting the information required for that playbook (hostname, user ID assigned to that host, etc.)?

0 Karma

carl72086
Explorer

Hi Alex,

Yes, it is possible, as indicated in the above post; you need to use REST calls.

I have done this by creating a Python script to (create containers, run playbooks, etc.).


Just curious, why does it need to be run this way? I'm just thinking that it might be more of an overhead to manually input details, including identifying which Phantom container the playbook will run in...


Just my 2 cents: if you are 100% sure you want to run playbooks on specific scenarios, you can probably design this playbook to run against a specific label, and design it to automatically get details from the container (e.g. destinationHostName) and automatically trigger an action against that (e.g. get triage / contain). That way, there's no need for manual intervention...


Cheers,

Carl

0 Karma

phanTom
SplunkTrust

@AlexBryant You could use a REST call initiated from a Splunk dashboard to either create a container with a label that will drive automation, or call a playbook on Phantom against an existing Phantom event. It would likely need an app for Splunk to perform the REST calls and then an automation account on Phantom to connect and create/run what you need. 

There are probably a few ways to do this but the above is a high-level idea of how it "could" work. 

Hope this helped. 
Docs for REST call requirements: https://docs.splunk.com/Documentation/Phantom/4.9/PlatformAPI/Using 


0 Karma
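As an added example that is not part of either answer above, here is the Phantom-side half of what Carl and phanTom describe: a small Python client that creates a container carrying a label, attaches the dashboard inputs as an artifact, and starts a playbook against that container through the REST API. The endpoint paths, the `ph-auth-token` header and the payload fields follow the Phantom REST API documentation linked above; the instance URL, token value, label name `soc_manual_request` and playbook ID `local/contain_host` are placeholders, and the Splunk side (a custom search command or alert action that reads the form inputs and calls `run_playbook_for_host`) is not shown. The token should belong to a dedicated automation user with the minimum role needed to create containers under that label and run that one playbook, and it should be read from the environment or a secret store rather than embedded in dashboard XML, where every dashboard viewer can read it.

```python
import json
import re
import ssl
import urllib.request
from typing import Any, Callable, Dict

# transport(method, url, headers, body) -> decoded JSON reply; injected so the
# client runs against a real instance or the constructed fake at the bottom.
Transport = Callable[[str, str, Dict[str, str], bytes], Dict[str, Any]]
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_container(hostname: str, user_id: str, label: str) -> Dict[str, Any]:
    """POST /rest/container payload; the label is what lets a playbook fire
    automatically when the container lands (Carl's hands-off pattern)."""
    if not HOSTNAME_RE.match(hostname):  # dashboard input is untrusted
        raise ValueError(f"malformed hostname {hostname!r}")
    return {"name": f"SOC request: {hostname}", "label": label,
            "description": f"Dashboard request for {hostname} (user {user_id})",
            "data": {"hostname": hostname, "user_id": user_id}}


def build_artifact(container_id: int, hostname: str, user_id: str) -> Dict[str, Any]:
    """POST /rest/artifact payload; CEF keys are what playbook datapaths read."""
    return {"container_id": container_id, "name": "dashboard input", "label": "event",
            "cef": {"destinationHostName": hostname, "destinationUserName": user_id}}


def build_playbook_run(container_id: int, playbook: str) -> Dict[str, Any]:
    """POST /rest/playbook_run payload; playbook is "<repo>/<name>"."""
    return {"container_id": container_id, "playbook_id": playbook, "scope": "new", "run": True}


class PhantomClient:
    """Wraps the three calls; authenticates as an automation user via ph-auth-token."""

    def __init__(self, base_url: str, token: str, transport: Transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.headers = {"ph-auth-token": token, "Content-Type": "application/json"}
        self.transport = transport

    def _post(self, path: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        reply = self.transport("POST", self.base_url + path, self.headers,
                               json.dumps(payload).encode())
        if not reply.get("success"):  # Phantom reports errors in-band
            raise RuntimeError(f"Phantom rejected {path}: {reply.get('message', reply)}")
        return reply

    def create_container(self, payload: Dict[str, Any]) -> int:
        return int(self._post("/rest/container", payload)["id"])

    def add_artifact(self, payload: Dict[str, Any]) -> int:
        return int(self._post("/rest/artifact", payload)["id"])

    def run_playbook(self, payload: Dict[str, Any]) -> int:
        return int(self._post("/rest/playbook_run", payload)["playbook_run_id"])


def run_playbook_for_host(client: PhantomClient, hostname: str, user_id: str,
                          label: str, playbook: str) -> Dict[str, int]:
    """What a Splunk custom command or alert action would call with the form inputs."""
    cid = client.create_container(build_container(hostname, user_id, label))
    aid = client.add_artifact(build_artifact(cid, hostname, user_id))
    rid = client.run_playbook(build_playbook_run(cid, playbook))
    return {"container_id": cid, "artifact_id": aid, "playbook_run_id": rid}


def urllib_transport(verify_tls: bool = True) -> Transport:
    """Real HTTPS transport.  Leave verification on outside a lab: the token in
    the header is a bearer credential, and a MITM on the SOC network gets it."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE

    def send(method: str, url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return send


def fake_transport() -> Transport:
    """Constructed stand-in for a Phantom instance so the example runs offline;
    reply shapes mirror the real API (id or playbook_run_id plus success)."""
    replies = {"container": {"id": 101, "success": True},
               "artifact": {"id": 202, "success": True},
               "playbook_run": {"playbook_run_id": 303, "success": True}}

    def send(method: str, url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        send.calls.append((method, url.rsplit("/rest/", 1)[-1], json.loads(body)))
        if not headers.get("ph-auth-token"):
            return {"success": False, "message": "unauthorized"}
        return replies.get(send.calls[-1][1], {"success": False, "message": "no such endpoint"})
    send.calls = []
    return send


if __name__ == "__main__":
    # Offline demo.  For a real run use urllib_transport() and read the token
    # from the environment or a secret store, never from the dashboard XML.
    client = PhantomClient("https://phantom.example.local", "token-from-env", fake_transport())
    print(run_playbook_for_host(client, "ws-1042.corp.example", "jdoe",
                                "soc_manual_request", "local/contain_host"))
```

Two design points worth keeping when adapting this: the hostname check exists because the value comes straight from a dashboard form and ends up in container names and action parameters, so reject anything that is not a plausible hostname before it reaches Phantom; and if the playbook is configured to run automatically on the label, the explicit `/rest/playbook_run` call can be dropped, which is the variant Carl recommends.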