Splunk SOAR

Run Playbook On Demand?

cmg
Explorer

Is it possible to run a playbook on demand, meaning a manual trigger by an analyst such as clicking a playbook during a workbook step? I have a use case where I want to run a playbook, but only from user initiation.

I could implement some logic for user interaction at the container, but I'd prefer not to have something waiting for input until a user can get to it.

Labels (2)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@cmg 

No what you do is you have a decision at the beginning of the automation that checks for a container tag, if present don't continue as it would show that the container has been processed already by that playbook. If not present then continue and the next action should be to add the tag you are looking for to the processed container. 

This means that a container would only have the playbook 'fully' run once on each container. It may still run many times but will halt at the 1st decision. Then if you do ever need to re-run the playbook you just remove the tag.

View solution in original post

0 Karma

cmg
Explorer

Thanks @phanTom.

If anyone else comes across this in a search, I created a decision block which checks for container tags:

If "tag1": go to the End block
If "tag2": Continue to the next block

Next block applies the tag "tag1" to the container.

Final block removes the tag "tag2" from the container.

This design, for better or worse, allows me to run a playbook "on demand" via a Workbook or manual action on the case management side, while keeping automatic capabilities (apply label "tag2" to the container and run) if I decide to use it as say, a child playbook.

phanTom
SplunkTrust
SplunkTrust

@cmg as @inventsekar has confirmed, this is possible. 

When you build Workbooks/Response Templates in SOAR/Mission Control you are able to assign actions or playbooks for users to run as part of that task. 

I would recommend also updating the task during the playbook run to assign to the playbook runner and change the status automatically too. 

In most of my customers even if there is a status/label change on the container we control it via playbook to control and track the lifecycle of Security Events.

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @cmg 

As i remember and as Doc confirms, Phantom / Splunk SOAR provides running the playbook on both situations(manual and automatic). 

https://docs.splunk.com/Documentation/SOAR/current/Playbook/Overview

After you create and save a playbook in Splunk SOAR (Cloud), you can run playbooks when performing these tasks in Splunk SOAR (Cloud):

  • Triaging or investigating cases as an analyst
  • Creating or adding a case to Investigation
  • Configuring playbooks to run automatically directly from the playbook editor

 

PS - if this/any reply helped you, please upvote. if this/any reply resolves your query, then pls accept it as solution, so your question will move from unanswered to answered. thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Tags (1)
0 Karma

cmg
Explorer

@inventsekar @phanTom 

Thank you.

So the remaining disconnect to me is when creating an [automation] playbook you appear to need to assign it a label to run against. In this instance, could I apply something like "on-demand" as the label (or tag?) to prevent it from being run automatically?

0 Karma

phanTom
SplunkTrust
SplunkTrust

@cmg 

No what you do is you have a decision at the beginning of the automation that checks for a container tag, if present don't continue as it would show that the container has been processed already by that playbook. If not present then continue and the next action should be to add the tag you are looking for to the processed container. 

This means that a container would only have the playbook 'fully' run once on each container. It may still run many times but will halt at the 1st decision. Then if you do ever need to re-run the playbook you just remove the tag.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...