Splunk SOAR
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Run Playbook On Demand?

cmg
Explorer
‎01-11-2024 03:33 PM

Is it possible to run a playbook on demand, meaning a manual trigger by an analyst such as clicking a playbook during a workbook step? I have a use case where I want to run a playbook, but only from user initiation.

I could implement some logic for user interaction at the container, but I'd prefer not to have something waiting for input until a user can get to it.

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎01-15-2024 01:10 AM

@cmg 

No what you do is you have a decision at the beginning of the automation that checks for a container tag, if present don't continue as it would show that the container has been processed already by that playbook. If not present then continue and the next action should be to add the tag you are looking for to the processed container. 

This means that a container would only have the playbook 'fully' run once on each container. It may still run many times but will halt at the 1st decision. Then if you do ever need to re-run the playbook you just remove the tag.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

cmg
Explorer
‎01-23-2024 08:17 AM

Thanks @phanTom.

If anyone else comes across this in a search, I created a decision block which checks for container tags:

If "tag1": go to the End block
If "tag2": Continue to the next block

Next block applies the tag "tag1" to the container.

Final block removes the tag "tag2" from the container.

This design, for better or worse, allows me to run a playbook "on demand" via a Workbook or manual action on the case management side, while keeping automatic capabilities (apply label "tag2" to the container and run) if I decide to use it as say, a child playbook.

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎01-12-2024 12:54 AM

@cmg as @inventsekar has confirmed, this is possible. 

When you build Workbooks/Response Templates in SOAR/Mission Control you are able to assign actions or playbooks for users to run as part of that task. 

I would recommend also updating the task during the playbook run to assign to the playbook runner and change the status automatically too. 

In most of my customers even if there is a status/label change on the container we control it via playbook to control and track the lifecycle of Security Events.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎01-11-2024 03:59 PM

Hi @cmg 

As i remember and as Doc confirms, Phantom / Splunk SOAR provides running the playbook on both situations(manual and automatic). 

https://docs.splunk.com/Documentation/SOAR/current/Playbook/Overview

After you create and save a playbook in Splunk SOAR (Cloud), you can run playbooks when performing these tasks in Splunk SOAR (Cloud):

  • Triaging or investigating cases as an analyst
  • Creating or adding a case to Investigation
  • Configuring playbooks to run automatically directly from the playbook editor

 

PS - if this/any reply helped you, please upvote. if this/any reply resolves your query, then pls accept it as solution, so your question will move from unanswered to answered. thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Tags (1)
0 Karma
Reply
Solved! Jump to solution

cmg
Explorer
‎01-12-2024 04:53 PM

@inventsekar @phanTom 

Thank you.

So the remaining disconnect to me is when creating an [automation] playbook you appear to need to assign it a label to run against. In this instance, could I apply something like "on-demand" as the label (or tag?) to prevent it from being run automatically?

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎01-15-2024 01:10 AM

@cmg 

No what you do is you have a decision at the beginning of the automation that checks for a container tag, if present don't continue as it would show that the container has been processed already by that playbook. If not present then continue and the next action should be to add the tag you are looking for to the processed container. 

This means that a container would only have the playbook 'fully' run once on each container. It may still run many times but will halt at the 1st decision. Then if you do ever need to re-run the playbook you just remove the tag.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top