Splunk SOAR (f.k.a. Phantom)

How to run a playbook triggered by a Windows service information stopping?



Here is my scenario:

There are many Windows servers where the Windows service information is flowing to my Splunk enterprise. There is also a Phantom instance available.

I would like to run a playbook on phantom once a given service’s status is “stopped”.

Would you please share me if there a documentation or sample playbook to achieve it.



Labels (3)
0 Karma


@barisaydogmusog there is a WINRM app that would allow you to either run a command/script on the endpoint side. (https://my.phantom.us/4.9/docs/app_reference/phantom_winrm)

1. You will need the Splunk alert to check for failed/stopped services and send an alert through to Phantom with the service name/other information to help the script/command, such as the hostname etc. 
2. Build a playbook against the label that these events come in as that will use the information in the event to build the command or provide necessary arguments to the script and run the action(s). 

I have not used the above app myself but looking through the docs, it looks like it will provide the capability you require. 
Also take a look through the community playbooks and see if there is any examples that are similar to your use case.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...