Splunk SOAR

How to run a playbook triggered by a Windows service stopping?

barisaydogmusog
Loves-to-Learn

Hi,

Here is my scenario:

There are many Windows servers whose Windows service information is flowing to my Splunk Enterprise. There is also a Phantom instance available.

I would like to run a playbook on phantom once a given service’s status is “stopped”.

Would you please share whether there is any documentation or a sample playbook to achieve this.

Regards


phanTom
SplunkTrust

@barisaydogmusog there is a WinRM app that would allow you to run a command or script on the endpoint side. (https://my.phantom.us/4.9/docs/app_reference/phantom_winrm)

1. You will need the Splunk alert to check for failed/stopped services and send an alert through to Phantom with the service name/other information to help the script/command, such as the hostname etc. 
2. Build a playbook against the label that these events come in as that will use the information in the event to build the command or provide necessary arguments to the script and run the action(s). 

I have not used the above app myself but looking through the docs, it looks like it will provide the capability you require. 
Also take a look through the community playbooks and see if there are any examples that are similar to your use case.
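As an added example (not part of the reply above, and not the WinRM app's or Phantom's own code), the two steps can be sketched in Python: one function shapes a Splunk alert result row into the container and artifact JSON that Phantom's REST API accepts, and a second decides what a playbook may hand to a WinRM "start service" action, only after the hostname and service name taken from the event pass validation, so that text copied out of a log never reaches a remote shell unchecked. The CEF field names, the sample rows, the allowlist and the WinRM parameter names are assumptions for this example.

```python
import re

# Constructed sample rows, shaped like results of a Splunk alert search that
# matches service-control events with a "stopped" state (the search itself is
# not shown here). The third row carries a deliberately malformed name.
SAMPLE_ALERT_ROWS = [
    {"host": "srv-app-01", "service_name": "Spooler", "service_state": "stopped"},
    {"host": "srv-db-02", "service_name": "MSSQLSERVER", "service_state": "stopped"},
    {"host": "srv-web-03", "service_name": "W3SVC; echo injected", "service_state": "stopped"},
]

# Only services the playbook is allowed to restart automatically; anything else
# stays in the container for an analyst to look at.
SERVICE_ALLOWLIST = {"Spooler", "MSSQLSERVER", "W3SVC"}
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,256}$")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_container_payload(row, label="windows_service"):
    """Turn one alert row into the JSON bodies for POST /rest/container and
    POST /rest/artifact. The CEF keys used here (deviceHostname, serviceName,
    serviceState) are this example's convention, not a Phantom requirement."""
    container = {
        "name": f"Service {row['service_name']} stopped on {row['host']}",
        "label": label,  # the playbook in step 2 is bound to this label
        "severity": "medium",
        "source_data_identifier": f"{row['host']}:{row['service_name']}",
    }
    artifact = {
        "label": "event",
        "name": "stopped service",
        "cef": {
            "deviceHostname": row["host"],
            "serviceName": row["service_name"],
            "serviceState": row["service_state"],
        },
    }
    return container, artifact


def plan_start_service(artifact):
    """Return the parameters a playbook would pass to the WinRM app's
    'start service' action, or None when the event data fails validation.
    The parameter names are an assumption; confirm them against the app docs."""
    cef = artifact["cef"]
    host, svc = cef.get("deviceHostname", ""), cef.get("serviceName", "")
    if not (HOST_RE.match(host) and SERVICE_NAME_RE.match(svc)):
        return None  # unexpected characters: never interpolate into a command
    if svc not in SERVICE_ALLOWLIST or cef.get("serviceState") != "stopped":
        return None
    return {"ip_hostname": host, "service_name": svc}
```

In a real playbook the returned dict would be passed to `phantom.act(...)` and the `None` case would end in a prompt or a note on the container rather than an action.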
