- Find Answers
- :
- Premium Solutions
- :
- Splunk SOAR
- :
- How to pass data from one playbook to its subplayb...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can we pass data from one playbook to its sub playbook?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are two good methods for passing data between playbooks in Phantom, and many other ways to use external databases /services/or APIs to pass data between playbooks and containers. These are the built-in methods:
Phantom App - 'Add Artifact' action
https://my.phantom.us/4.5/docs/app_reference/phantom_phantom#add-artifact
https://my.phantom.us/4.5/docs/automation/api_container#add_artifact
This method can be used to store (JSON formatted) data within a newly created Artifact either in the Container the playbook is being executed on at the time, or any Container across the local system as long as the ID is known. You can also create a new Container on any other connected Phantom instance as well, as long as the required App Asset is created and configured with the connection details on the local instance. Best used for data that should be stored long-term.
phantom.save_object()
https://my.phantom.us/4.5/docs/automation/api_data_management#save_object
"This API allows you to save data by key and/or container_id and/or playbook name, to be retrieved when executing playbooks on containers. Users can save a key and value pair along with the context of container id and/or playbook name."
Best used for data which can be deleted when the given container is closed using the 'clear_object' field:
"[optional] Defaults to False. If set True, the data will be deleted when the container is closed. The clear_object can be used to delete the data. If set True, container_id must be provided."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Other available methods:
phantom.get_action_results()
https://my.phantom.us/4.5/docs/automation/api_data_access#get_action_resultsphantom.add_note() & phantom.get_notes()
https://my.phantom.us/4.5/docs/automation/api_container#add_note
https://my.phantom.us/4.5/docs/automation/api_container#get_notesHTTP App for Phantom - 'get data' action - '/rest/action_run' endpoint
https://my.phantom.us/4.5/docs/app_reference/phantom_http#get-data
https://my.phantom.us/4.5/docs/rest/query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do you mean playbook and subplaybook? is this regarding ansible?
Hope I was able to help you. If so, some karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Phantom playbooks. It is recommended to use a Module Design (Parent & Children) when creating SOAR use cases with Phantom.
https://my.phantom.us/4.5/docs/vpe/editor#playbook
https://my.phantom.us/4.5/docs/automation/api_playbook#playbook
My answer will be posted here shortly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry. its was not tagged as phantom xP
Hope I was able to help you. If so, some karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are two good methods for passing data between playbooks in Phantom, and many other ways to use external databases /services/or APIs to pass data between playbooks and containers. These are the built-in methods:
Phantom App - 'Add Artifact' action
https://my.phantom.us/4.5/docs/app_reference/phantom_phantom#add-artifact
https://my.phantom.us/4.5/docs/automation/api_container#add_artifact
This method can be used to store (JSON formatted) data within a newly created Artifact either in the Container the playbook is being executed on at the time, or any Container across the local system as long as the ID is known. You can also create a new Container on any other connected Phantom instance as well, as long as the required App Asset is created and configured with the connection details on the local instance. Best used for data that should be stored long-term.
phantom.save_object()
https://my.phantom.us/4.5/docs/automation/api_data_management#save_object
"This API allows you to save data by key and/or container_id and/or playbook name, to be retrieved when executing playbooks on containers. Users can save a key and value pair along with the context of container id and/or playbook name."
Best used for data which can be deleted when the given container is closed using the 'clear_object' field:
"[optional] Defaults to False. If set True, the data will be deleted when the container is closed. The clear_object can be used to delete the data. If set True, container_id must be provided."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
I have implemented the artifact creation way of sharing data with multiple playbooks on the same container. It works perfect when run in debug mode both with scope new and all. But when the playbook is made active, the actions on the playbook can't read those artifacts as the default scope when a playbook is set to active is 'new'. Please help how can we set the scope global for entire playbook when in active mode.
BR,
Ankit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ankitsync the only way to change the scope of a playbook is to run it using REST as you can set the scope in the call:
https://docs.splunk.com/Documentation/Phantom/4.9/PlatformAPI/RESTPlaybook
There is also the option of setting the scope of the point of collection (collect2, etc) in the other playbook by adding scope='all' to the relevant call. Check the docs for which ones have the capability. A few are collect2, format, condition, decision, and many more.
https://docs.splunk.com/Documentation/Phantom/4.9/PlaybookAPI/DataAccessAPI#collect2
NOTE: By changing the scope setting in a default API call it will change the block to a 'custom' block, so be aware of that when/if using this method.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi , Thanks for sharing I did research about both these methods. While the custom a parameter addition to blocks is something i have kept in mind as a last resort. Is there a way to make that rest call from another playbook ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ankitsync you can either:
1. Use the phantom APIs phantom.build_phantom_rest_url() & phantom.requests() to run RESTS calls in Phantom playbooks. You can use in either of the custom function types.
https://docs.splunk.com/Documentation/Phantom/4.10/PlaybookAPI/SessionAPI
2. You can use the HTTP app in playbooks to speak with Phantom REST. This is sometimes better as there is no custom code required but can require a few format blocks to make the url & any payload for POST actions and needs an asset configured for the App.
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
