Splunk SOAR

Is it possible to add a task in a phase of a workbook in a particular container via API?

ansir
Explorer

Hi,

Is it possible to add a task in a phase of a workbook in a particular container via an API call?

Thanks for the help.

 


phanTom
SplunkTrust

@ansir you can use the phantom.add_task() API: 
 https://docs.splunk.com/Documentation/SOARonprem/5.4.0/PlaybookAPI/ContainerAPI#add_task 

However, this doesn't provide many options so I like to use REST:
https://docs.splunk.com/Documentation/SOARonprem/5.4.0/PlatformAPI/RESTWorkbook#.2Frest.2Fworkbook_t... 

 

-- If this solved your issue please mark as a solution! Happy SOARing! --

0 Karma

ansir
Explorer

Hi, thanks for your quick response.

Can you give an example of a POST request to add a task to an existing phase within a particular container?

Regards,

 

 

0 Karma

phanTom
SplunkTrust

@ansir did you check the docs links? The example is in there:

```json
{
	"name": "My Task",
	"order": 1,
	"owner": 2,
	"phase_id": 20,
	"description": "Investigate the event",
	"playbooks": [{
			"scm": "local",
			"playbook": "investigate"
		},
		{
			"scm": "community",
			"playbook": "04_07_2017 - PhishMe"
		}
	],
	"actions": ["geolocate ip", "block_ip"]
}
```
0 Karma

ansir
Explorer

Hi,

I have used the get_phase API to get the id of a phase of a particular container.

```python
id = phantom.get_phase(container=id_value, trace=False)
```

which returned id 94734,

then I did the following POST request:

```json
{"name": "new task",
"order": 2,
"phase_id": 94734,
"description": "test description",
"playbooks": [{}],
"actions": []}
```

to the "workbook_task_template endpoint" to add a task to phase_id 94734.

I'm getting the following failed response:

```
{\"failed\": true, \"message\": \"Invalid value \\\"94734\\\" for parameter \\\"phase_id\\\"\"}"}]
```

Not sure why this is the case since the phase id currently exists.

0 Karma

phanTom
SplunkTrust

That should work.

Here is a screenshot of the code I use in a CF:

phanTom_0-1669038902401.png



phanTom_1-1669038914142.png

 

The only difference I can see is that I specify int() for the phase_id value.

-- If this solves your issue please mark as a solution. Happy SOARing! --

0 Karma
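
The int() point from the reply above, as an added example that is not phanTom's screenshot code or Splunk's own: it coerces `phase_id` to an integer before serialising and prepares the POST with the `ph-auth-token` header. The helper names, host and token are hypothetical placeholders, and the endpoint default is the name used in the question.

```python
import json
import urllib.request
from urllib.parse import urlsplit


def as_id(value, field):
    """Coerce a numeric id (int or digit string) to a positive int, else raise ValueError."""
    if isinstance(value, bool):
        raise ValueError(f"{field} must be an integer, got {value!r}")
    try:
        number = int(str(value).strip())
    except ValueError:
        raise ValueError(f"{field} must be an integer, got {value!r}") from None
    if number <= 0:
        raise ValueError(f"{field} must be positive, got {number}")
    return number


def build_task_payload(name, phase_id, order=1, description="", owner=None,
                       playbooks=None, actions=None):
    """Build the task body using the field names from the JSON example in the thread."""
    payload = {
        "name": name,
        "order": as_id(order, "order"),
        "phase_id": as_id(phase_id, "phase_id"),  # always serialised as a JSON number
        "description": description,
        "playbooks": list(playbooks or []),
        "actions": list(actions or []),
    }
    if owner is not None:
        payload["owner"] = as_id(owner, "owner")
    return payload


def build_request(base_url, token, payload, endpoint="workbook_task_template"):
    """Prepare (but do not send) the POST; endpoint default is the name used in the question."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("base_url must use https so the token is not sent in clear text")
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/rest/{endpoint}",
        data=json.dumps(payload).encode("utf-8"),
        headers={"ph-auth-token": token, "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":  # constructed host and token; phase id from the question
    body = build_task_payload("new task", "94734", order=2, description="test description")
    print(build_request("https://soar.example.invalid", "PLACEHOLDER_TOKEN", body).data.decode())
```

Passing the prepared request to `urllib.request.urlopen()` sends it with certificate verification left on, which is the default.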