Splunk SOAR (f.k.a. Phantom)

How to run a playbook triggered by a Windows service information stopping?



Here is my scenario:

There are many Windows servers where the Windows service information is flowing to my Splunk enterprise. There is also a Phantom instance available.

I would like to run a playbook on phantom once a given service’s status is “stopped”.

Would you please share me if there a documentation or sample playbook to achieve it.



Labels (3)
0 Karma


@barisaydogmusog there is a WINRM app that would allow you to either run a command/script on the endpoint side. (https://my.phantom.us/4.9/docs/app_reference/phantom_winrm)

1. You will need the Splunk alert to check for failed/stopped services and send an alert through to Phantom with the service name/other information to help the script/command, such as the hostname etc. 
2. Build a playbook against the label that these events come in as that will use the information in the event to build the command or provide necessary arguments to the script and run the action(s). 

I have not used the above app myself but looking through the docs, it looks like it will provide the capability you require. 
Also take a look through the community playbooks and see if there is any examples that are similar to your use case.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...