Solved: SOAR: Is it possible to retrieve the (splunk soar)...

goncalocoelho · ‎06-21-2022

Hi All,

is it possible to retrieve the (splunk soar) instance details inside a playbook?

For instance when sending an email, I want to be able to tell if the playbook ran in dev or prod environment.

Is there a list of all the global environment variables?

Thanks in advance

phanTom · ‎06-22-2022

@goncalocoelho the best way, IMO, will be to use REST and hit the `/rest/system_settings` endpoint and get something from the company_info_settings to determine if dev/prod.

E.g. If you set the system/instance name to reflect the environment you could parse that, or just use the fqdn setting to work out where it came from.

This will need to be coded either in a code block or custom function.

View solution in original post

phanTom · ‎06-22-2022

@goncalocoelho the best way, IMO, will be to use REST and hit the `/rest/system_settings` endpoint and get something from the company_info_settings to determine if dev/prod.

E.g. If you set the system/instance name to reflect the environment you could parse that, or just use the fqdn setting to work out where it came from.

This will need to be coded either in a code block or custom function.

goncalocoelho · ‎06-29-2022

Thanks for your reply @phanTom, that seems a very good approach!

I'll try that and share my findings here for everyone

SOAR: Is it possible to retrieve the (splunk soar) instance details inside a playbook?

development

using SOAR ⁄ Phantom

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...