Splunk SOAR

Is there a way to try 'except' functionality with playbook?

nongingerale
Explorer

Fairly new to writing playbooks within Phantom and so far havent found documentation for this yet:
I'm trying to create an email notification (or something along those lines) whenever a playbook fails to complete for whatever reason (main fail case is if a splunk search fails/job dies). Basically almost like a try/except block but in Phantom. Has anyone found a way to incorporate this in phantom?

Labels (2)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@nongingerale this is something you need to build into your playbook(s). 

All actions have a 'status' output which can be used in a decision block which then checks for the success/failed output and if not success then route down a path to a 'send_email' action or input playbook. I would recommend input playbook so you can re-use for all failures in your automation. 

For checking playbook failures, rather than action failures, you would probably need to use REST to check `/rest/playbook_run` for any that have a status of failed on a schedule (use timer app) and then sends an email if more than 1 failure found. 

Hope this helps!

Happy SOARing!

View solution in original post

CS_
Path Finder

Yep - just like @phanTom  says - you can check the "status" output for an app action. I would do something like this:

CS__0-1674700162022.png

The decision checks the status of the Splunk "Run Query" app action, if successful; end, Else; send an email.

You can do stiff with "try/except" in regular codeblocks but to be honest they become  a pain to manage in larger playbooks.  I know when i started with playbooks, i had to try and unlearn how I'd do it in python, and think about it in terms of SOAR's playbook capabilities, but I am better off for it 😄

 

nongingerale
Explorer

that makes sense, thanks for the help!

0 Karma

phanTom
SplunkTrust
SplunkTrust

@nongingerale this is something you need to build into your playbook(s). 

All actions have a 'status' output which can be used in a decision block which then checks for the success/failed output and if not success then route down a path to a 'send_email' action or input playbook. I would recommend input playbook so you can re-use for all failures in your automation. 

For checking playbook failures, rather than action failures, you would probably need to use REST to check `/rest/playbook_run` for any that have a status of failed on a schedule (use timer app) and then sends an email if more than 1 failure found. 

Hope this helps!

Happy SOARing!

nongingerale
Explorer

thanks! appreciate the help

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...