Splunk SOAR

How to run a Phantom playbook from a Splunk dashboard

AlexBryant
Path Finder

I have a Phantom playbook that will take security-related actions on any arbitrary host on my network. These actions might need to be taken at any time of day, on weekends, holidays, etc., so I need to make sure any member of my 24/7 security operations center can run the playbook. I'm looking for a way they can initiate the playbook without explicitly logging into Phantom.

Is there a way that a Splunk dashboard can start a Phantom playbook, after accepting the information required for that playbook (hostname, user ID assigned to that host, etc.)?

0 Karma

carl72086
Explorer

Hi Alex,

Yes, it is possible, as indicated in the above post; you need to use REST calls.

I have done this by creating a Python script to (create containers, run playbooks, etc.).

Just curious, why does it need to be run this way? I'm just thinking that it might be more of an overhead to manually input details, including identifying which Phantom container the playbook will run in...

Just my 2 cents: if you are 100% sure you want to run playbooks on specific scenarios, you can probably design this playbook to run against a specific label, and design it to automatically get details from the container (e.g. destinationHostName) and automatically trigger an action against that (e.g. get triage / contain). That way, there's no need for manual intervention...

 

Cheers,

Carl

0 Karma

phanTom
SplunkTrust

@AlexBryant You could use a REST call initiated from a Splunk dashboard to either create a container with a label that will drive automation, or call a playbook on Phantom against an existing Phantom event. It would likely need an app for Splunk to perform the REST calls and then an automation account on Phantom to connect and create/run what you need.

There are probably a few ways to do this but the above is a high-level idea of how it "could" work. 

Hope this helped. 
Docs for REST call requirements: https://docs.splunk.com/Documentation/Phantom/4.9/PlatformAPI/Using 


0 Karma
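To make the two replies above concrete, here is an added example (not code from the thread, the Splunk App for Phantom, or Splunk) of the script Carl describes and the REST flow phanTom outlines: create a container, attach an artifact carrying the host and user details the SOC analyst supplied, then either let the label drive automation or start a named playbook explicitly with `/rest/playbook_run`. The endpoint paths, the `ph-auth-token` header and the `{"failed": true, "message": ...}` error shape follow the Phantom REST API docs linked above; the label `soc_manual`, the playbook name `local/contain_host`, the CEF field `destinationUserId` and the `FakeTransport` stand-in for a Phantom instance are assumptions made for illustration. In practice the script would run on the search head as a custom alert action or custom search command behind the dashboard, and the automation token should come from Splunk's secure credential storage rather than from the dashboard or a hardcoded string.

```python
"""Create a Phantom (Splunk SOAR) container for a host and run a playbook on it
through the platform REST API as an automation user.

Added example, not from the thread. Endpoints and fields follow the Phantom REST
API docs (/rest/container, /rest/artifact, /rest/playbook_run). The label
"soc_manual", playbook "local/contain_host" and CEF field "destinationUserId" are
assumptions chosen for illustration.
"""
import json
import os
import ssl
import urllib.request


class PhantomClient:
    """Thin wrapper around the Phantom REST API.

    transport(method, url, headers, body) -> dict is injectable so the flow can be
    exercised offline; the default sends the request with urllib over HTTPS.
    """

    def __init__(self, base_url, token, transport=None):
        self.base_url = base_url.rstrip("/")
        # Phantom authenticates automation users with the ph-auth-token header.
        self.headers = {"ph-auth-token": token, "Content-Type": "application/json"}
        self.transport = transport or self._urllib_transport
        self.ctx = ssl.create_default_context()  # verify the Phantom cert

    def _urllib_transport(self, method, url, headers, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.loads(resp.read())

    def _post(self, path, body):
        result = self.transport("POST", self.base_url + path, self.headers, body)
        # Phantom reports errors as {"failed": true, "message": "..."}.
        if result.get("failed"):
            raise RuntimeError("Phantom rejected %s: %s" % (path, result.get("message")))
        return result

    def create_container(self, name, label, severity="medium"):
        body = {"name": name, "label": label, "severity": severity,
                "container_type": "default"}
        return self._post("/rest/container", body)["id"]

    def add_artifact(self, container_id, cef, label="event", run_automation=False):
        # run_automation=True would let label-driven playbooks fire on their own
        # (Carl's suggestion); keep it False when starting a playbook explicitly.
        body = {"container_id": container_id, "label": label, "cef": cef,
                "run_automation": run_automation}
        return self._post("/rest/artifact", body)["id"]

    def run_playbook(self, container_id, playbook, scope="all"):
        # playbook may be the numeric id or "repo/playbook_name".
        body = {"container_id": container_id, "playbook_id": playbook,
                "scope": scope, "run": True}
        return self._post("/rest/playbook_run", body)["playbook_run_id"]


def build_host_cef(hostname, user_id):
    """CEF fields the playbook reads; destinationHostName is the field named in the
    thread, destinationUserId is an assumed companion field for the assigned user."""
    return {"destinationHostName": hostname, "destinationUserId": user_id}


def trigger_playbook_for_host(client, hostname, user_id, playbook, label):
    """Container -> artifact -> explicit playbook run, returning the ids Phantom gave."""
    container_id = client.create_container("SOC manual action: %s" % hostname, label)
    client.add_artifact(container_id, build_host_cef(hostname, user_id))
    run_id = client.run_playbook(container_id, playbook)
    return {"container_id": container_id, "playbook_run_id": run_id}


class FakeTransport:
    """Constructed stand-in for a Phantom instance: records each request and returns
    the response shapes the real API uses, so the flow can run offline."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        path = url.split("/rest/", 1)[1]
        if path == "container":
            return {"id": 101, "success": True}
        if path == "artifact":
            return {"id": 555, "success": True}
        if path == "playbook_run":
            return {"playbook_run_id": 777, "received": True}
        return {"failed": True, "message": "unknown endpoint " + path}


if __name__ == "__main__":
    # Token from the environment here; from Splunk's credential store in production.
    client = PhantomClient("https://phantom.example.internal",
                           os.environ.get("PHANTOM_TOKEN", "REDACTED"),
                           transport=FakeTransport())
    print(trigger_playbook_for_host(client, "ws-1042", "jdoe",
                                    "local/contain_host", "soc_manual"))
```

Dropping `transport=FakeTransport()` makes the same code talk to a real instance over HTTPS. Because the token is sent on every call and the automation user can create containers and start playbooks, scope that user's role to the one label and playbook it needs rather than granting it administrator rights.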