Splunk SOAR

How to run a Phantom playbook from a Splunk dashboard

AlexBryant
Path Finder

I have a Phantom playbook that will take security-related actions on any arbitrary host on my network. These actions might need to be taken at any time of day, on weekends, holidays, etc., so I need to make sure any member of my 24/7 security operations center can run the playbook. I'm looking for a way they can initiate the playbook without explicitly logging into Phantom.

Is there a way that a Splunk dashboard can start a Phantom playbook, after accepting the information required for that playbook (hostname, user ID assigned to that host, etc.)?

0 Karma

carl72086
Explorer

Hi Alex,

Yes, it is possible, as indicated in the above post; you need to use REST calls.

I have done this by creating a Python script to (create containers / run playbooks, etc.).


Just curious, why does it need to be run this way? I'm just thinking that it might be more of an overhead to manually input details, including identifying the Phantom container where the playbook will run...


Just my 2 cents: if you are 100% sure you want to run playbooks on specific scenarios, you can probably design this playbook to run against a specific label, and design it to automatically get details from the container (e.g. destinationHostName) and automatically trigger an action against that (e.g. get triage / contain). That way, there's no need for manual intervention...

Cheers,

Carl

0 Karma

phanTom
SplunkTrust

@AlexBryant You could use a REST call initiated from a Splunk dashboard to either create a container with a label that will drive automation, or call a playbook on Phantom against an existing Phantom event. It would likely need an app for Splunk to perform the REST calls and then an automation account on Phantom to connect and create/run what you need.

There are probably a few ways to do this but the above is a high-level idea of how it "could" work.

Hope this helped.
Docs for REST call requirements: https://docs.splunk.com/Documentation/Phantom/4.9/PlatformAPI/Using


0 Karma
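Both answers above describe the same mechanism: a script behind the dashboard makes REST calls to Phantom with an automation account, either creating a labelled container so that label-driven playbooks start on their own, or running a playbook explicitly against an existing event. The following Python is an added example, not code from either poster or from Splunk. It shows the request sequence (container, artifact carrying the dashboard inputs, playbook run) with the form values validated before anything is sent, since they reach the playbook as-is. The endpoint paths, the ph-auth-token header and the payload field names follow the Phantom Platform API docs linked above; the playbook_run_id reply key, the RecordingTransport stand-in and its ids, and every hostname, token and playbook id here are assumed placeholders.

```python
import json
import re
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# A transport takes (method, url, headers, body) and returns the decoded JSON reply.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict[str, Any]]

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
USER_ID_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def is_valid_hostname(value: str) -> bool:
    """Dashboard inputs flow straight into the playbook, so accept only real hostnames."""
    return bool(HOSTNAME_RE.match(value))


def is_valid_user_id(value: str) -> bool:
    return bool(USER_ID_RE.match(value))


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Dict[str, Any]:
    """Default transport: a real HTTPS call; certificate validation stays on (stdlib default)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class RecordingTransport:
    """Offline stand-in for Phantom: records each call and returns constructed replies
    shaped like the real API's. The ids (42, 7, 99) are made up for the demonstration."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def __call__(self, method, url, headers, body):
        path = url[url.index("/rest"):]
        self.calls.append({"method": method, "path": path, "headers": headers,
                           "payload": json.loads(body or b"{}")})
        replies = {
            "/rest/container": {"id": 42, "success": True},
            "/rest/artifact": {"id": 7, "success": True},
            "/rest/playbook_run": {"playbook_run_id": 99, "received": True},
        }
        return replies[path]


class PhantomClient:
    """The three REST calls the answers describe. Authentication is an automation user's
    token in the ph-auth-token header, which is how Phantom's REST API expects it."""

    def __init__(self, base_url: str, token: str, transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport

    def _post(self, path: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        headers = {"ph-auth-token": self.token, "Content-Type": "application/json"}
        return self.transport("POST", self.base_url + path, headers, json.dumps(payload).encode("utf-8"))

    def create_container(self, name: str, label: str, severity: str = "medium") -> int:
        """POST /rest/container. The label drives automation: any playbook configured to
        run on this label starts by itself once the container exists."""
        reply = self._post("/rest/container", {"name": name, "label": label,
                                               "container_type": "default", "severity": severity})
        return int(reply["id"])

    def add_artifact(self, container_id: int, hostname: str, user_id: str) -> int:
        """POST /rest/artifact: the dashboard inputs as CEF fields the playbook can read."""
        reply = self._post("/rest/artifact", {
            "container_id": container_id, "label": "event", "name": "dashboard input",
            "cef": {"destinationHostName": hostname, "destinationUserId": user_id},
            "run_automation": False})
        return int(reply["id"])

    def run_playbook(self, container_id: int, playbook_id: int) -> int:
        """POST /rest/playbook_run: the explicit 'run this playbook on this event' path.
        The playbook_run_id reply key is an assumption about the API's response shape."""
        reply = self._post("/rest/playbook_run", {"container_id": container_id,
                                                  "playbook_id": playbook_id,
                                                  "scope": "new", "run": True})
        return int(reply["playbook_run_id"])


def trigger_from_dashboard(client: PhantomClient, hostname: str, user_id: str,
                           playbook_id: int, label: str = "dashboard_request") -> int:
    """Validate the form values, create a labelled container, attach host/user as an
    artifact and start the playbook. Returns the playbook run id."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    if not is_valid_user_id(user_id):
        raise ValueError(f"rejected user id: {user_id!r}")
    container_id = client.create_container(f"Dashboard request for {hostname}", label)
    client.add_artifact(container_id, hostname, user_id)
    return client.run_playbook(container_id, playbook_id)


if __name__ == "__main__":
    # Offline run against the recording stand-in. For a live Phantom instance, pass
    # urllib_transport, the real base URL and an automation user's token instead.
    stub = RecordingTransport()
    client = PhantomClient("https://phantom.example.internal", "AUTOMATION_TOKEN_PLACEHOLDER", stub)
    run_id = trigger_from_dashboard(client, "ws-1234.corp.example", "jdoe", playbook_id=17)
    for call in stub.calls:
        print(call["method"], call["path"], json.dumps(call["payload"]))
    print("playbook run id:", run_id)
```

The token should belong to a dedicated automation user whose role is limited to the label the dashboard writes to, so that a compromised dashboard host can only create and run what this flow needs. If the team goes the label-only route Carl suggests, the run_playbook step is dropped and Phantom's own label-to-playbook configuration takes over after create_container and add_artifact.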