Solved: custom status update for notable event using phant...

kvswathi · ‎05-31-2019

Hi All,

I have to update the notable event status using phantom. But the status are custom created ones , not the default status available in splunk app for phantom so its is throwing error in playbook "invalid status"

Can any one have a suggestion here to update the custom status.

sam_splunk · ‎08-26-2019

This is not yet supported but a feature request is in place (at the time of this writing).

View solution in original post

ansusabu · ‎10-31-2019

Since the feature is not implemented yet, you can use the below query to update custom status for the notable in Splunk from Phantom.

| makeresults | eval rule_id="<id>", status="<custom status>", comment="<enter comment here>", owner="<owner name>", user="<owner name>" , event_id="<id>", time="<time>" , rule_name="<rule name>", urgency="<urgency>"| table comment event_id owner rule_id rule_name status time urgency user | outputlookup append=true incident_review_lookup

cblumer_splunk · ‎08-29-2019

The HTTP App for Phantom can be used to perform a POST request to the Splunk ES API to change the status of a Notable Event to any custom status you may have defined:

https://my.phantom.us/4.5/docs/app_reference/phantom_http#post-data
https://docs.splunk.com/Documentation/ES/5.3.0/API/NotableEventAPIreference

You will want to use the ID value of the custom status defined in revewstatuses.conf:

"A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event."

kvswathi · ‎08-26-2019

Thank you for the update

sam_splunk · ‎08-26-2019

This is not yet supported but a feature request is in place (at the time of this writing).

custom status update for notable event using phantom playbook

administration

using Phantom

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms