Splunk SOAR

Callback actions on container's status change

drew19
Path Finder

Hi,

I would like to know if there is the possibility to automatically trigger a playbook when there is a change in the status of a container (e.g. when it becomes "Closed")?

Thank you in advance!

Labels (1)
0 Karma

phanTom
SplunkTrust
SplunkTrust

@drew19 unfortunately not out of the box. However it could be done, but there would be "some" lag.

Just some ways I can think of:
* Externalise the Splunk data and use SPL to look for a change in container status and send a container to phantom with relevant data to then drive the automation against the original container. 

* Persist a list of containers and have a timer app create a container on a schedule to check the list and if any entry changes from x to 'closed' take action and delete the entry from the list. 


Hope this helps give you some ideas/possibilities?

0 Karma

drew19
Path Finder

Hi Tom,

thank you for your answers.

These are the same ideas come into my mind, but they cannot help.

We don't like to create further containers just to close other ones, also considering the fact that we are dealing with tons of containers (we do not want "2xTonsOfContainers").

The same applies for externalization and, moreover, we have a very big external Splunk infrastructure... so to externalize is not trivial.

Probably this is a product limitation 😞

0 Karma

phanTom
SplunkTrust
SplunkTrust

@drew19 
"We don't like to create further containers just to close other ones, also considering the fact that we are dealing with tons of containers (we do not want "2xTonsOfContainers")."
- The 2xTon stuff could be tackled by sending a list of containers through so only 1 container per xTon of containers. This would rely on your schedule, or in the playbook 'only do stuff if x number of results found, otherwise wait for the next scheduled run'.  
- Your example was more 'once closed <do stuff>' but again if you take the list of containers to act upon approach and ensure the new container is closed once it's finished I really don't see the issue when it's going to provide consistent automation activities you are currently doing manually. 
- Getting the data into Splunk is simple:
1. Install the Phantom Remote Search App on IDX & SH layer
2. Create HEC Token on HEC reciever (if you don't have one already a HFW will usually do)
3. Put some configuration options into the External Splunk view on Phantom
4. Watch all the lovely data be ingested 
4.1 This is a highly recommended capability as the Phantom data is very rich and usable in SPL for either monitoring automation and/or reporting on Phantom utilisation. 


You are correct that it's a product limitation, for now ;), but as they are leaning heavily on the Case Management aspects I would expect to see new ways of triggering automation coming in future iterations *wink *wink (forward looking statements apply).

0 Karma

drew19
Path Finder

@phanTom 

what we have to do is simple: when a container is closed we have to trigger an action ("update email") through the Exchange (on-premise) App.

This is not a major feature of our use-case but it would be a "icing on the cake" because it would let us to understand something about an email without logging into Phantom.

Given this, we would like a simple (to develop, test, integrate, test again) solution for such a minor feature.

 

However, just to evaluate it further, do you know where can I find APIs in order to query for the "status of a set of containers under a certain label"?

Thank you.

0 Karma

phanTom
SplunkTrust
SplunkTrust

@drew19 
When you send an email automatically you could update a custom list with the container_id & the mail_id and any other useful information for the update action(s). Then on a schedule check the status of each container_id, if closed use to the mail_id to run the update_email action then delete the entry from the list upon success.
This would take a relatively small time to setup and test. 

 

For your other question you need to use REST and hit the 'container' endpoint with some filtering. 
<your_phantom_url>/rest/container?_filter_label='"<your_label>"'&page_size=0&sort=id&order=desc 

If using the phantom.requests() API you need to set it up like this:

 

 

 

url = phantom.build_phantom_rest_url('container')
params = [('_filter_label', '"<label>"'), ('page_size', 0), ('sort', 'id'), ('order', 'desc')]
r = phantom.requests.get(url, params=params, verify=False)
response = r.json()

 

 

 

verify=False is only if you don't have valid certs on Phantom. 

Docs links:
Filtering REST: https://docs.splunk.com/Documentation/Phantom/4.10.3/PlatformAPI/RESTQueryData 
Sessions API: https://docs.splunk.com/Documentation/Phantom/4.10.3/PlaybookAPI/SessionAPI 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...