Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to add a task in phase of a workbook in a particular container via api?

ansir
Explorer
‎11-16-2022 08:10 AM

Hi,

is it possible to add a task in a phase of a workbook in a particular container via an api call?

thanks for the help.

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎11-21-2022 05:55 AM

That should work.

Here is a screenshot of the code I use in a CF:

phanTom_0-1669038902401.png



phanTom_1-1669038914142.png

 

The only difference I can see is that I specify int() for the phase_id value.

-- If this solves your issue please mark as a solution. Happy SOARing! --

View solution in original post

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎11-16-2022 08:14 AM

@ansir you can use the phantom.add_task() API: 
 https://docs.splunk.com/Documentation/SOARonprem/5.4.0/PlaybookAPI/ContainerAPI#add_task 

However, this doesn't provide many options so I like to use REST:
https://docs.splunk.com/Documentation/SOARonprem/5.4.0/PlatformAPI/RESTWorkbook#.2Frest.2Fworkbook_t... 

 

-- If this solved your issue please mark as a solution! Happy SOARing! --

0 Karma
Reply
Solved! Jump to solution

ansir
Explorer
‎11-18-2022 08:30 AM

Hi thanks for your quick repose. 

can you give an example of a post request to add task to existing phase within a particular container?

regards, 

 

 

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎11-18-2022 09:02 AM

@ansir did you check the docs links? The example is in there:

{
	"name": "My Task",
	"order": 1,
	"owner": 2,
	"phase_id": 20,
	"description": "Investigate the event",
	"playbooks": [{
			"scm": "local",
			"playbook": "investigate"
		},
		{
			"scm": "community",
			"playbook": "04_07_2017 - PhishMe"
		}
	],
	"actions": ["geolocate ip", "block_ip"]
}'
0 Karma
Reply
Solved! Jump to solution

ansir
Explorer
‎11-21-2022 02:40 AM

hi,

i have used the get_phase api to get the id of a phase of a particular container.

id = phantom.get_phase(container=id_value, trace=False)

which returned id 94734,

then i did the following post request: 

`

{"name": "new task",
"order": 2,
"phase_id": 94734,
"description": "test description",
"playbooks": [{}],
"actions": []}

`

 to the  "workbook_task_template endpoint"  to add a task to phase_id 94734.

I'm getting the following failed response

: {\"failed\": true, \"message\": \"Invalid value \\\"94734\\\" for parameter \\\"phase_id\\\"\"}"}]

not sure why this is the case since the phase id currently exist.

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎11-21-2022 05:55 AM

That should work.

Here is a screenshot of the code I use in a CF:

phanTom_0-1669038902401.png



phanTom_1-1669038914142.png

 

The only difference I can see is that I specify int() for the phase_id value.

-- If this solves your issue please mark as a solution. Happy SOARing! --

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...