Splunk SOAR (f.k.a. Phantom)

Recommendations for naming conventions and organization of playbooks in Phantom?

willhart802
Engager

I'm very new to Phantom. Can someone provide some guidance or advice for naming playbooks and what has worked or hasn't worked? We will be starting with a small team that may grow larger working on various playbooks for the SOC.

I come from a coding background so I'm trying to keep things organized and consistent. I've typically used a folder structure to organize files, but it doesn't appear that this can be done. I see there are other fields we can use, but I'm not sure if we should use these fields for organization for the development of playbooks. There are labels, tags, categories, and repos.

Anyway, can some experts out there provide some guidance or share your naming conventions and what other fields you're using?

I was thinking of something like the following for playbook names:

usage_dataType_app_description

usage: Who is using it; is this a playbook for the SOC to use, or a playbook that's used just by other playbooks to call apps and return data?
dataType: Is this for Emails, Web, URL, Files, etc.?
app: What app this is calling or what we're connecting to (LDAP, API, etc.).
description: Short, few-word description like UrlAnalysis.

Thanks, guys.


Not_Greg
SplunkTrust

Our naming convention:

(Prod/Development/Deprecated) - (Utility / Reporting / Enhancement) - (Active / null) - (Notable Name / Description)

So
PRD-UTL-Active-SplunkES Ack
or
DEV-RPT-Threat Malware Emailed to Users


phantom_mhike
Path Finder

I highly recommend naming your playbooks concisely based on what they are intended to do at a high level. The primary reason that I suggest this is that within the mission control view, you have a limited width for displaying the playbooks' execution history. If you prepend playbook names with a lot of metadata you end up only seeing a truncated version of the playbook name in the activity pane, and that truncated detail ends up giving you no context for what the playbook actually did.

I highly suggest using the name of the playbook as simply a high-level description of what the playbook does, i.e. "Infected Workstation Remediation". You can use the description field in the playbook to add a detailed description of how it accomplishes that. Tags are very effectively used to demonstrate teams that are using it as well as object types that are used in it.

As of 4.5 (I think) your playbook listing provides you apps, actions, assets, and playbooks used, so you don't need to specify that content in the name.

Attempting to keep this kind of data in a playbook name can be exceedingly problematic since this metadata will change over time and you will have to update playbook names which in turn requires wiki documentation to be updated, and phantom calls to sub-playbooks to be updated, etc. The fewer changes you have to make to top level playbook names over time, the less trouble it will cause you.
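The thread leaves the reader with two competing concerns: the original poster's `usage_dataType_app_description` scheme, and the warning above that long, metadata-heavy names get truncated in the activity pane. The following is an added example (not code from the thread or from Splunk SOAR) of a small pre-commit style linter that checks a proposed playbook name against the poster's scheme and flags names that would overflow a display budget. The allowed `usage` and `dataType` vocabularies, the `MAX_DISPLAY_CHARS` budget, and the sample names are all assumptions constructed for the example; the real activity-pane width is not stated on the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed vocabularies for the poster's usage_dataType_app_description scheme.
# These are choices for the example, not values defined by Splunk SOAR.
ALLOWED_USAGE = {"soc", "sub"}      # soc: run by analysts; sub: called only by other playbooks
ALLOWED_DATATYPE = {"email", "web", "url", "file", "host", "user"}

# Assumed display budget for the mission-control activity pane. The page gives
# no exact width, so treat this as a tunable placeholder rather than a fact.
MAX_DISPLAY_CHARS = 40

# usage and dataType are lower-case tokens; app and description are alphanumeric.
NAME_RE = re.compile(
    r"^(?P<usage>[a-z]+)_(?P<datatype>[a-z]+)_"
    r"(?P<app>[A-Za-z0-9]+)_(?P<description>[A-Za-z0-9]+)$"
)


@dataclass
class LintResult:
    name: str
    parts: Optional[Dict[str, str]]          # parsed components, or None if unparseable
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def lint_playbook_name(name: str, max_chars: int = MAX_DISPLAY_CHARS) -> LintResult:
    """Check one playbook name against the scheme and the display budget."""
    problems: List[str] = []
    match = NAME_RE.match(name)
    parts = match.groupdict() if match else None

    if parts is None:
        problems.append("does not match usage_dataType_app_description")
    else:
        if parts["usage"] not in ALLOWED_USAGE:
            problems.append(f"unknown usage '{parts['usage']}'")
        if parts["datatype"] not in ALLOWED_DATATYPE:
            problems.append(f"unknown dataType '{parts['datatype']}'")

    # Independent of the scheme: warn when the name would be cut off in the pane.
    if len(name) > max_chars:
        problems.append(
            f"{len(name)} chars exceeds display budget of {max_chars}; "
            f"the activity pane would show '{name[:max_chars]}...'"
        )
    return LintResult(name, parts, problems)


def lint_all(names: List[str]) -> List[LintResult]:
    return [lint_playbook_name(n) for n in names]


if __name__ == "__main__":
    # Constructed sample names covering a clean name, a sub-playbook, a free-form
    # name, a name that parses but overflows the pane, and an unknown usage token.
    SAMPLE_NAMES = [
        "soc_url_virustotal_UrlAnalysis",
        "sub_email_ldap_UserLookup",
        "Infected Workstation Remediation",
        "soc_email_exchange_QuarantineAndNotifyAnalystTeam",
        "prod_url_virustotal_UrlAnalysis",
    ]
    for result in lint_all(SAMPLE_NAMES):
        status = "OK  " if result.ok else "FAIL"
        print(f"{status} {result.name}")
        for problem in result.problems:
            print(f"      - {problem}")
```

Running the script prints one line per name; the two scheme-conformant names pass, the free-form name fails parsing, the long name parses but trips the length check, and `prod_…` is rejected for an unknown `usage` token. In practice the vocabularies and budget would be tuned to the team's own convention, and the same check can be run over the names exported from the playbook listing before they are committed to the repo.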
