Splunk SOAR (f.k.a. Phantom)

How to run a playbook triggered by a Windows service information stopping?



Here is my scenario:

There are many Windows servers where the Windows service information is flowing to my Splunk enterprise. There is also a Phantom instance available.

I would like to run a playbook on phantom once a given service’s status is “stopped”.

Would you please share me if there a documentation or sample playbook to achieve it.



Labels (3)
0 Karma


@barisaydogmusog there is a WINRM app that would allow you to either run a command/script on the endpoint side. (https://my.phantom.us/4.9/docs/app_reference/phantom_winrm)

1. You will need the Splunk alert to check for failed/stopped services and send an alert through to Phantom with the service name/other information to help the script/command, such as the hostname etc. 
2. Build a playbook against the label that these events come in as that will use the information in the event to build the command or provide necessary arguments to the script and run the action(s). 

I have not used the above app myself but looking through the docs, it looks like it will provide the capability you require. 
Also take a look through the community playbooks and see if there is any examples that are similar to your use case.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...