Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Phantom Error Reporting- How to monitor the execution of a Phantom Playbook

ss008i
Engager
‎06-22-2022 08:29 AM

Hello,

I am trying to find a native solution in order to monitor the execution of a Phantom Playbook. In case one of the actions fail, or a specific message/data is returned by a custom function, does anyone a possibility to make a general/native configuration, so that an admin will receive an instant email message with the error/playbook that ran/ etc?

I am aware of the api 'error' and 'discontinue' methods, but it will mean to add this kind of checks at each step of the playbook ...

Greatly appreciate your ideas!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎06-22-2022 08:37 AM

@ss008i 

If you need instant then you will need to bake it into the playbook logic by checking the "status" output in a decision block after the action/function (you need to configure status output in function), and then "do something" if it fails. Worth doing for most actions anyway as best practise although I appreciate it may be time consuming, it's worth it in the long run. 

Another option is to have a playbook scheduled to run every x mins that uses REST to search for all action failures and then provide a report. 

action_run with filtering (/rest/action_run?_filter_status="failed") could be used for actions. Also consider a time and page limit on the rest call so you don't dedup. Options for filtering are here: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTQueryData 


action run REST docs: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTRunAction 

Custom functions are a bit harder as they don't report a status per playbook run so really you would need to handle the status output in a playbook for them, or turn them into app actions so the status output can be used. 

If this helped, please feel free to add karma and/or mark as a solution. 

Happy SOARing!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎06-22-2022 08:37 AM

@ss008i 

If you need instant then you will need to bake it into the playbook logic by checking the "status" output in a decision block after the action/function (you need to configure status output in function), and then "do something" if it fails. Worth doing for most actions anyway as best practise although I appreciate it may be time consuming, it's worth it in the long run. 

Another option is to have a playbook scheduled to run every x mins that uses REST to search for all action failures and then provide a report. 

action_run with filtering (/rest/action_run?_filter_status="failed") could be used for actions. Also consider a time and page limit on the rest call so you don't dedup. Options for filtering are here: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTQueryData 


action run REST docs: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTRunAction 

Custom functions are a bit harder as they don't report a status per playbook run so really you would need to handle the status output in a playbook for them, or turn them into app actions so the status output can be used. 

If this helped, please feel free to add karma and/or mark as a solution. 

Happy SOARing!

0 Karma
Reply
Solved! Jump to solution

ss008i
Engager
‎06-29-2022 01:31 AM

Thank you @phanTom - looks pretty much in line with what I expected - I will go with a hybrid version and use both sides of the solutions you mentioned. Regards

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...