Solved: Re: SOAR: Instance environment variables

goncalocoelho · ‎06-21-2022

Hi All,

is it possible to retrieve the (splunk soar) instance details inside a playbook?

For instance when sending an email, I want to be able to tell if the playbook ran in dev or prod environment.

Is there a list of all the global environment variables?

Thanks in advance

phanTom · ‎06-22-2022

@goncalocoelho the best way, IMO, will be to use REST and hit the `/rest/system_settings` endpoint and get something from the company_info_settings to determine if dev/prod.

E.g. If you set the system/instance name to reflect the environment you could parse that, or just use the fqdn setting to work out where it came from.

This will need to be coded either in a code block or custom function.

View solution in original post

phanTom · ‎06-22-2022

@goncalocoelho the best way, IMO, will be to use REST and hit the `/rest/system_settings` endpoint and get something from the company_info_settings to determine if dev/prod.

E.g. If you set the system/instance name to reflect the environment you could parse that, or just use the fqdn setting to work out where it came from.

This will need to be coded either in a code block or custom function.

goncalocoelho · ‎06-29-2022

Thanks for your reply @phanTom, that seems a very good approach!

I'll try that and share my findings here for everyone

SOAR: Is it possible to retrieve the (splunk soar) instance details inside a playbook?

development

using SOAR ⁄ Phantom

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off