Splunk SOAR (f.k.a. Phantom)

Recommendations for naming conventions and organization of playbooks in Phantom?


I'm very new to Phantom. Can someone provide some guidance or advice for naming playbooks and what has worked or hasn't worked? We will be starting with a small team that may grow larger working on various playbooks for the SOC.

I come from a coding background so I'm trying to keep things organized and consistent. I've typically used a folder structure to organize files, but it doesn't appear that this can be done. I see there are other fields we can use, but I'm not sure if we should use these fields for organization for the development of playbooks. There are labels, tags, categories, and repos.

Anyway, can some experts out there provide some guidance or share your naming conventions and what other fields you're using?

I was thinking of something like the following for playbook names:

usage: Who is using it, is this a playbook for the SOC to use or a playbook that's used just by other playbooks to call apps and return data.
dataType: Is this for Emails, Web, URL, Files, etc.
app: What app this is calling or what we're connecting to (LDAP, API, etc).
description: Short, few word description like UrlAnalysis.

Thanks, guys.



Our naming convention:

(Prod/Development/Deprecated) - (Utility / Reporting / Enhancement) - (Active / null) - (Notable Name / Description)

PRD-UTL-Active-SplunkES Ack
DEV-RPT-Threat Malware Emailed to Users

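A small checker for the convention in the post above, as an added example (not code from the post author or from Splunk): it parses STAGE-TYPE-[Active-]Description names and flags ones that break the pattern, so it could run as a lint step over a playbook repo. The DEP and ENH codes are assumed abbreviations for the Deprecated and Enhancement buckets, which the post names but does not abbreviate.

```python
import re
from dataclasses import dataclass

# Stage and type codes from the posted convention. PRD, DEV, UTL and RPT appear
# in the post's examples; DEP and ENH are assumed abbreviations for the
# Deprecated and Enhancement buckets the post names without abbreviating.
STAGES = {"PRD": "Production", "DEV": "Development", "DEP": "Deprecated"}
TYPES = {"UTL": "Utility", "RPT": "Reporting", "ENH": "Enhancement"}

# <STAGE>-<TYPE>-[Active-]<description>; the third segment is optional ("null").
NAME_RE = re.compile(
    r"^(?P<stage>[A-Z]{3})-(?P<kind>[A-Z]{3})-(?:(?P<active>Active)-)?(?P<desc>\S.*)$"
)


@dataclass(frozen=True)
class PlaybookName:
    stage: str
    kind: str
    active: bool
    description: str


def parse_playbook_name(name: str) -> PlaybookName:
    """Parse a name that follows the convention; raise ValueError otherwise."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"{name!r} does not match STAGE-TYPE-[Active-]Description")
    stage, kind = m.group("stage"), m.group("kind")
    if stage not in STAGES:
        raise ValueError(f"{name!r}: unknown stage code {stage}, expected {sorted(STAGES)}")
    if kind not in TYPES:
        raise ValueError(f"{name!r}: unknown type code {kind}, expected {sorted(TYPES)}")
    return PlaybookName(stage, kind, m.group("active") is not None, m.group("desc"))


def lint_names(names):
    """Return {name: reason} for every name that violates the convention."""
    problems = {}
    for n in names:
        try:
            parse_playbook_name(n)
        except ValueError as e:
            problems[n] = str(e)
    return problems


# Constructed sample: the two names from the post plus two that break the rule.
SAMPLE_NAMES = [
    "PRD-UTL-Active-SplunkES Ack",
    "DEV-RPT-Threat Malware Emailed to Users",
    "PRD-Active-UTL-Wrong Order",
    "Infected Workstation Remediation",
]

if __name__ == "__main__":
    for bad, why in lint_names(SAMPLE_NAMES).items():
        print(f"REJECT {why}")
```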


I highly recommend naming your playbooks concisely based on what they are intended to do at a high level. The primary reason that I suggest this is that within the mission control view, you have a limited width for displaying the playbook execution history. If you prepend playbook names with a lot of metadata you end up only seeing a truncated version of the playbook name in the activity pane and that truncated detail ends up giving you no context for what the playbook actually did.

I highly suggest using the name of the playbook as simply a high level description of what the playbook does, i.e. "Infected Workstation Remediation". You can use the description field in the playbook to add a detailed description of how it accomplishes that. Tags are very effectively used to demonstrate teams that are using it as well as object types that are used in it.

As of 4.5 (I think) your playbook listing provides you apps, actions, assets, and playbooks used so you don't need to specify that content in the name.

Attempting to keep this kind of data in a playbook name can be exceedingly problematic since this metadata will change over time and you will have to update playbook names which in turn requires wiki documentation to be updated, and Phantom calls to sub-playbooks to be updated, etc. The fewer changes you have to make to top level playbook names over time, the less trouble it will cause you.
