Splunk SOAR (f.k.a. Phantom)

custom status update for notable event using phantom playbook

kvswathi
Path Finder

Hi All,

I have to update the notable event status using phantom. But the status are custom created ones , not the default status available in splunk app for phantom so its is throwing error in playbook "invalid status"

Can any one have a suggestion here to update the custom status.

Labels (2)
Tags (2)
0 Karma
1 Solution

sam_splunk
Splunk Employee
Splunk Employee

This is not yet supported but a feature request is in place (at the time of this writing).

View solution in original post

0 Karma

ansusabu
Communicator

Since the feature is not implemented yet, you can use the below query to update custom status for the notable in Splunk from Phantom.

| makeresults | eval rule_id="<id>", status="<custom status>", comment="<enter comment here>", owner="<owner name>", user="<owner name>" , event_id="<id>", time="<time>" , rule_name="<rule name>", urgency="<urgency>"| table comment event_id owner rule_id rule_name status time urgency user | outputlookup append=true incident_review_lookup

0 Karma

cblumer_splunk
Splunk Employee
Splunk Employee

The HTTP App for Phantom can be used to perform a POST request to the Splunk ES API to change the status of a Notable Event to any custom status you may have defined:

https://my.phantom.us/4.5/docs/app_reference/phantom_http#post-data
https://docs.splunk.com/Documentation/ES/5.3.0/API/NotableEventAPIreference

You will want to use the ID value of the custom status defined in revewstatuses.conf:

"A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event."

0 Karma

kvswathi
Path Finder

Thank you for the update

0 Karma

sam_splunk
Splunk Employee
Splunk Employee

This is not yet supported but a feature request is in place (at the time of this writing).

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...