Hello,
I am trying to find a native solution in order to monitor the execution of a Phantom Playbook. In case one of the actions fails, or a specific message/data is returned by a custom function, does anyone know of a way to make a general/native configuration, so that an admin will receive an instant email message with the error, the playbook that ran, etc.?
I am aware of the api 'error' and 'discontinue' methods, but it will mean to add this kind of checks at each step of the playbook ...
Greatly appreciate your ideas!
If you need instant then you will need to bake it into the playbook logic by checking the "status" output in a decision block after the action/function (you need to configure status output in the function), and then "do something" if it fails. Worth doing for most actions anyway as best practice; although I appreciate it may be time-consuming, it's worth it in the long run.
Another option is to have a playbook scheduled to run every x mins that uses REST to search for all action failures and then provide a report.
action_run with filtering (/rest/action_run?_filter_status="failed") could be used for actions. Also consider a time and page limit on the REST call so you don't dedup. Options for filtering are here: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTQueryData
action run REST docs: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTRunAction
Custom functions are a bit harder as they don't report a status per playbook run so really you would need to handle the status output in a playbook for them, or turn them into app actions so the status output can be used.
If this helped, please feel free to add karma and/or mark as a solution.
Happy SOARing!
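The scheduled-REST option from the answer above, worked through as an added example (this is not code from the thread or from Splunk): it builds the `/rest/action_run` query with `_filter_status="failed"` plus a `_filter_start_time__gte` time bound and `page`/`page_size` paging, walks every page, drops runs already reported by the previous scheduled run (a stored high-water-mark id), and renders a text report that can be handed to an email action. The endpoint, the `_filter_*` syntax, the `ph-auth-token` header and the `count`/`num_pages`/`data` response envelope follow the SOAR REST docs linked above; the record fields used in the report (`id`, `action`, `app_name`, `message`, `start_time`, `container`, `playbook_run`) and the `sort`/`order` parameters are assumptions to check against your SOAR version. The sample responses are constructed so the script runs offline.

```python
"""Scheduled check for failed Splunk SOAR action runs over the REST API.

Added example, not from the original thread. Assumes the documented
/rest/action_run endpoint with _filter_* query parameters and a JSON
response shaped like {"count": N, "num_pages": M, "data": [...]}.
The action_run record fields referenced below are assumptions.
"""
import json
import ssl
import urllib.parse
import urllib.request

PAGE_SIZE = 100  # page limit on the REST call, as the answer suggests


def build_query(base_url, since_iso, page, page_size=PAGE_SIZE):
    """URL for one page of failed action runs started at or after since_iso (UTC ISO 8601)."""
    params = {
        "_filter_status": '"failed"',                 # string filters are quoted in SOAR's syntax
        "_filter_start_time__gte": '"%s"' % since_iso,  # Django-style lookup bounds the window
        "page_size": page_size,
        "page": page,
        "sort": "id",        # assumed: ascending id order makes the watermark below reliable
        "order": "asc",
    }
    return base_url.rstrip("/") + "/rest/action_run?" + urllib.parse.urlencode(params)


def _http_get(url, token, verify_tls=True):
    """GET a SOAR REST URL with an automation-user token and return the parsed JSON."""
    req = urllib.request.Request(url, headers={"ph-auth-token": token})
    ctx = None if verify_tls else ssl._create_unverified_context()  # only for self-signed lab boxes
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def fetch_failed_runs(base_url, token, since_iso, opener=None):
    """Collect every failed action run in the window, following num_pages to the end."""
    runs, page = [], 0
    while True:
        url = build_query(base_url, since_iso, page)
        body = opener(url) if opener else _http_get(url, token)
        runs.extend(body.get("data", []))
        page += 1
        if page >= body.get("num_pages", 1):
            return runs


def new_runs(runs, last_seen_id):
    """Drop runs reported by an earlier scheduled pass; return (fresh runs, new watermark id)."""
    fresh = [r for r in runs if r["id"] > last_seen_id]
    watermark = max([last_seen_id] + [r["id"] for r in fresh])
    return fresh, watermark


def format_report(runs):
    """Group failures by app/action and list each run with enough context to investigate."""
    if not runs:
        return "No failed action runs in this interval."
    by_action = {}
    for r in runs:
        by_action.setdefault((r["app_name"], r["action"]), []).append(r)
    lines = ["%d failed action run(s):" % len(runs)]
    for (app, action), items in sorted(by_action.items()):
        lines.append("- %s / %s: %d failure(s)" % (app, action, len(items)))
        for r in items:
            lines.append("    run %d  container %s  playbook_run %s  %s  %s"
                         % (r["id"], r["container"], r["playbook_run"], r["start_time"], r["message"]))
    return "\n".join(lines)


# Constructed sample responses (two pages) standing in for the live API.
SAMPLE_PAGES = {
    0: {"count": 3, "num_pages": 2, "data": [
        {"id": 101, "action": "geolocate ip", "app_name": "MaxMind", "status": "failed",
         "message": "API key invalid", "start_time": "2024-03-01T10:00:00Z",
         "container": 55, "playbook_run": 900},
        {"id": 102, "action": "block ip", "app_name": "Palo Alto Networks Firewall", "status": "failed",
         "message": "connection timed out", "start_time": "2024-03-01T10:05:00Z",
         "container": 56, "playbook_run": 901},
    ]},
    1: {"count": 3, "num_pages": 2, "data": [
        {"id": 103, "action": "block ip", "app_name": "Palo Alto Networks Firewall", "status": "failed",
         "message": "connection timed out", "start_time": "2024-03-01T10:07:00Z",
         "container": 57, "playbook_run": 902},
    ]},
}


def sample_opener(url):
    """Offline stand-in for _http_get: serve the constructed page the URL asks for."""
    page = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["page"][0])
    return SAMPLE_PAGES[page]


if __name__ == "__main__":
    runs = fetch_failed_runs("https://soar.example", "token", "2024-03-01T09:00:00Z", opener=sample_opener)
    fresh, watermark = new_runs(runs, last_seen_id=101)   # 101 was reported by the previous pass
    print(format_report(fresh))
    print("next watermark:", watermark)
```

In a real scheduled playbook you would replace `sample_opener` with the live `_http_get`, persist the watermark (for example in a custom list or a container's data) between runs so the same failure is not emailed twice, and pass the report string to an email action. Keep the `since_iso` window a little wider than the schedule interval so a run that starts just before the boundary is not missed; the watermark, not the time bound, is what prevents double reporting.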
Thank you @phanTom - looks pretty much in line with what I expected - I will go with a hybrid version and use both sides of the solutions you mentioned. Regards