Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to schedule a Phantom playbook to run at specific intervals?

AlexBryant
Path Finder
‎12-03-2019 10:21 AM

I have completed Phantom playbook that I need to run every 5 minutes. I know that the Timer app can be used to schedule playbook execution by generating events on a preset schedule, but how would a set up two separate schedules for two separate playbooks - say, one that runs every 5 minutes and one that runs hourly? Do I set up two Timer assets and somehow add identifying characteristics to differentiate the events that each asset will generate?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phantom_mhike
SplunkTrust
SplunkTrust
‎12-03-2019 10:59 AM

In the past I have created timers for these that generate containers and each of the timer assets apply a label to the containers that indicate their schedule ie. "scheduled-hourly" for a timer that generates every hour or "scheduled-daily", "scheduled-5min" etc. The different labels make it easy to apply playbooks to them as well as identify where the containers came from when looking at the analyst queue.

View solution in original post

Reply
Solved! Jump to solution
Solution

phantom_mhike
SplunkTrust
SplunkTrust
‎12-03-2019 10:59 AM

In the past I have created timers for these that generate containers and each of the timer assets apply a label to the containers that indicate their schedule ie. "scheduled-hourly" for a timer that generates every hour or "scheduled-daily", "scheduled-5min" etc. The different labels make it easy to apply playbooks to them as well as identify where the containers came from when looking at the analyst queue.

Reply
Solved! Jump to solution

AlexBryant
Path Finder
‎12-04-2019 08:26 AM

That worked! It took a few minutes to figure out how to implement it, so I'll post the details for others. Go into Administration --> Event Settings --> Label Settings. Add a new label with a meaningful name like "timer_5_minutes". In the Timer app, add a new asset, and in the ingest settings, set it to run on the appropriate schedule (in this case, every 5 minutes), and set the 'Label To Apply' to be the label added above in administration. Now, there's an asset in Timer that will run every 5 minutes and create an event called timer_5_minutes. In your playbook settings, set the "Operates On" value to also be "timer_5_minutes"...the playbook will now run every time the Timer app creates one of these events, and will execute according to your schedule.

Reply
Solved! Jump to solution

satishclarios
New Member
‎05-28-2020 08:44 AM

@AlexBryant Thank you for detail explanation

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...