Splunk SOAR

Playbook Running Multiple Artifacts Multiple Times

Aaron_H
Engager

I basically have a long playbook consisting of sub-playbooks. I have 5 artifacts in a container I am using, where 4 will be dropped via 4 different decision actions and posted to a Confluent topic. The final artifact will make it through to the end of the playbook and also be posted in a Confluent topic. When I run each artifact individually, they work perfectly. However, when I try to run "all artifacts (5 in the container)" to simulate the artifacts coming in at the same time, they are each posted 5 times in the Confluent topic, totaling 25 instead of just 5. I have two hunches as to where the problem might be; one where the phantom.decision() is evaluating to True, despite only one artifact matching that criterion and just posting all 5 instead of 1 artifact. The other is that there is no "end" after my Post actions, so each artifact is being posted to Confluent, but then also continuing to the next Playbook against my intentions. I have no idea what is causing this and haven't found much in terms of documentation for my issue. I just find it annoying that they will work perfectly fine individually but the opposite when called together. This might be how it is designed to be, or probably that I'm doing something simply incorrectly, but any help regarding this would be greatly appreciated!

Labels (1)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

Hey @Aaron_H when you say "Dropped by a decision" I think you are needing to use decisions and filters as decisions pass ALL the data through based on a True Evaluation, whereas filters will only send the data value(s) that passes the condition. You then use the "filtered_data...." datapath to only grab/use the value passed out of the filter. 

Always use a decision 1st as they offer the ELSE clause so you can at least handle any non-match (add comment/send email/etc).  If no conditions are matched in a filter then the playbook just stops and there is no way to catch this. 

 

View solution in original post

0 Karma

phanTom
SplunkTrust
SplunkTrust

Hey @Aaron_H when you say "Dropped by a decision" I think you are needing to use decisions and filters as decisions pass ALL the data through based on a True Evaluation, whereas filters will only send the data value(s) that passes the condition. You then use the "filtered_data...." datapath to only grab/use the value passed out of the filter. 

Always use a decision 1st as they offer the ELSE clause so you can at least handle any non-match (add comment/send email/etc).  If no conditions are matched in a filter then the playbook just stops and there is no way to catch this. 

 

0 Karma

Aaron_H
Engager

Thank you so much for your fast reply!

Unfortunately, adding a filter after my decision block did not fix my problem. In the debugger, it shows the filter as working after my decision, but still all 5 artifacts make it through to my Post block.

I'm very new to SOAR/phantom so I apologize for my ignorance; I had edited some artifact's CEF so that they have unique values that I then put into the decision/filter so that they will specifically be pulled as intended. It still shows that even after the filter working, all 5 are being posted to my Confluent stream. When you're pulling multiple artifacts from a container, are they "tied" together as in they will be moved together through a playbook as long as at least one of them proves true for a decision or filter? Because that's what is appearing to happen. 

Thank you again for your assistance in this matter!

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...