Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk SOAR
- :
- Workbook Source Control
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anyone managed to set up source control for workbooks?
Pulling the information down via API to upload to gitlab is straightforward. You can run a get request against [base_url]/rest/workbook_template (REST Workbook). The problem is with pushing information. As far as I've been able to find, you can only create new phases or tasks. You're not able to specify via name or ID that you want to update an object. There's also no way I've found to delete a phase or task which would make creating a new one more reasonable.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to get this sorted out. With the way SOAR handles IDs, it's easiest to update workbooks as a whole than trying to focus on specific phases or tasks. To that end, when pulling your workbooks, you'll want to get
- [base_url]/workbook_template?page_size=0
- [base_url]/workbook_phase_template?page_size=0.
Since they're stored separately you'll then want to stich the workbooks and phases together using the phases' template value. This is the same as its parent workbook's ID.
Including some fields in your push can cause SOAR to reject the changes (usually with a 404 error).
- Workbooks (the top level): name, description, is_default, is_note_required, phases.
- Phases (the middle level): name, order, and tasks.
- Tasks (bottom level): name, description, order, owner, role, sla, and suggestions.
Delete
I overcomplicated this for myself. A simple REST delete request to [base_url]/rest/workbook_template/[ID] will delete the workbook.
Create
Post your json with the required fields to [base_url]/rest/workbook_template. It's important to note there is no ID.
Update
Post your full json with the required fields for the workbook you're changing to [base_url]/rest/workbook_template/[ID]. SOAR is intelligent enough to recognize what the changes are and just update those pieces.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to get this sorted out. With the way SOAR handles IDs, it's easiest to update workbooks as a whole than trying to focus on specific phases or tasks. To that end, when pulling your workbooks, you'll want to get
- [base_url]/workbook_template?page_size=0
- [base_url]/workbook_phase_template?page_size=0.
Since they're stored separately you'll then want to stich the workbooks and phases together using the phases' template value. This is the same as its parent workbook's ID.
Including some fields in your push can cause SOAR to reject the changes (usually with a 404 error).
- Workbooks (the top level): name, description, is_default, is_note_required, phases.
- Phases (the middle level): name, order, and tasks.
- Tasks (bottom level): name, description, order, owner, role, sla, and suggestions.
Delete
I overcomplicated this for myself. A simple REST delete request to [base_url]/rest/workbook_template/[ID] will delete the workbook.
Create
Post your json with the required fields to [base_url]/rest/workbook_template. It's important to note there is no ID.
Update
Post your full json with the required fields for the workbook you're changing to [base_url]/rest/workbook_template/[ID]. SOAR is intelligent enough to recognize what the changes are and just update those pieces.
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
