Splunk SOAR

Customizable Sound of Phantom

johnteo
Explorer

Hi guys, is there a way to trigger a customizable sound as part of the Phantom Playbook whenever it runs automatically?


phantom_mhike
SplunkTrust

I assume you are asking to have the web UI play a customized sound when a particular playbook runs. The rest of this response is based on that premise.

You can't have the web interface play a custom sound when a playbook executes because the web interface has no awareness of playbooks that are running. There is no reason for it to be aware since it is not responsible for the execution. It only shows you the details that you need to see as context for the view you have open. The only significant callback that the web interface provides out of context is the alerts for prompts and actions since those are directed at individual users and roles.

To accomplish more or less the same goal, you could potentially add a Slack notification at the end of your playbook. If you give that Slack bot a unique notification sound in your workspace, you will have a customized tone for every time that notification comes in.

I'm not sure what the end goal here is. If you are trying to notify a user that there is a new container for them to look at, then owner assignment will accomplish the same thing with the web interface alerts. If you are trying to alert the masses to an escalated situation, I recommend a more robust response than generating a sound. If it is just for general awareness that the playbook ran successfully, then I generally recommend building monitoring around playbook failures instead. As usage of Phantom grows, playbook successes become a constant norm, but errors and failures require attention.
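Added example, not part of the original answer and not Splunk's code: a sketch of the failure-only monitoring suggested above, which stays silent on successes and builds a Slack incoming-webhook body for new failures. The run-record field names, the function names and the sample records are assumptions constructed for illustration; fetching the records and posting the payload are left out.

```python
from collections import defaultdict

# Constructed run records; the field names are assumptions for this example.
SAMPLE_RUNS = [
    {"id": 101, "playbook": "phishing_triage", "status": "success", "message": ""},
    {"id": 102, "playbook": "phishing_triage", "status": "failed",
     "message": "action timed out for <https://example.invalid|click>"},
    {"id": 103, "playbook": "host_isolation", "status": "running", "message": ""},
    {"id": 104, "playbook": "phishing_triage", "status": "failed", "message": "asset unreachable"},
    {"id": 105, "playbook": "host_isolation", "status": "success", "message": ""},
]


def new_failures(runs, last_seen_id):
    """Return (failed runs newer than last_seen_id, cursor for the next poll)."""
    failed, cursor = [], last_seen_id
    for run in sorted(runs, key=lambda r: r["id"]):
        if run["id"] <= last_seen_id:
            continue
        if run["status"] == "running":
            break  # outcome unknown: hold the cursor so the next poll re-checks it
        if run["status"] == "failed":
            failed.append(run)
        cursor = run["id"]
    return failed, cursor


def slack_escape(text):
    """Escape Slack control characters so error text cannot inject links or mentions."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def slack_payload(failed):
    """Build an incoming-webhook body, or None when there is nothing to report."""
    if not failed:
        return None  # successes are the norm, so stay silent
    by_playbook = defaultdict(list)
    for run in failed:
        by_playbook[run["playbook"]].append(run)
    lines = [f"{len(failed)} playbook run(s) failed"]
    for name in sorted(by_playbook):
        for run in by_playbook[name]:
            lines.append(f"- {name} run {run['id']}: {slack_escape(run['message'])}")
    return {"text": "\n".join(lines)}


if __name__ == "__main__":
    failed, cursor = new_failures(SAMPLE_RUNS, last_seen_id=0)
    print(cursor, slack_payload(failed))
```

Persist the returned cursor between polls so each failure is reported once; the cursor deliberately stops before any run that is still in progress.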
