Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Run playbook on specific tag events

meshorer
Path Finder
‎01-18-2024 02:13 PM

Hello all,

is there a way to automate playbook to work only on events with specific tag?

I saw in playbook settings an option to choose tag but it stills run on every event

thank you in advance 

@phanTom 

@SOARt_of_Lost 

Labels (1)
Labels
Reply

jenniandthebets
Explorer
‎01-19-2024 06:19 AM

So there's a couple ways you could approach this:

1. Less elegant solution - you can add in a decision/filter block to the existing playbook that runs every time to check for the tag. If the tag matches continue, otherwise, end the playbook.

2. If you truly don't want the playbook to run at all, I think you'll need to make a parent playbook with a decision or filter, and call the subplaybook from there. The parent playbook will still run on all events with the label, but the playbook you want to run wouldn't run at all.

I added on the screenshot for the datapath you'd need to match the container tags.

Preview file
14 KB
Reply

meshorer
Path Finder
‎01-21-2024 12:21 PM

thank you for your answer, @jenniandthebets 

 

I did not want the playbook to run at at all but I see that there is no way out of it.

if that is the case, why is there an option to choose tags when creating a playbook?

2. as for the datapath, I believe the filter should be [in] and not "==".

anyway it did not work well for me all the time, I found that if I first create a simple code block that only gets the "container:tags" as input at outputs it as a variable, only then the filter works well.

am I the only one it happens to?

 

0 Karma
Reply

phanTom
SplunkTrust
SplunkTrust
‎01-22-2024 01:52 AM

@meshorer <tag name> is in container:tags should work. The tag name is case sensitive and has to be exact match. 

0 Karma
Reply

Carloszavala121
Explorer
‎01-18-2024 03:36 PM

Carloszavala121_0-1705620893903.png

Here I show you the example of where to put the name of your label

Reply

Carloszavala121
Explorer
‎01-18-2024 03:33 PM

Hello, to be able to use a specific label, when creating your flow you have to click on the automation option, within the environment to create the flow you have to click on settings and in the operates on section enter the label name, like this flow when active will only be executed with alerts that have this label

0 Karma
Reply

meshorer
Path Finder
‎01-18-2024 07:39 PM

thank you @Carloszavala121   but I am not talking about labels, I am talking about tags. 
for me the labels with the “operate on” is great as I use a label called offense.

but within the offense label, I categorize my offenses to tags. And there is an playbook that I want to automate to specific offenses with that tag

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...