Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

custom status update for notable event using phantom playbook

kvswathi
Path Finder
‎05-31-2019 05:45 AM

Hi All,

I have to update the notable event status using phantom. But the status are custom created ones , not the default status available in splunk app for phantom so its is throwing error in playbook "invalid status"

Can any one have a suggestion here to update the custom status.

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sam_splunk
Splunk Employee
Splunk Employee
‎08-26-2019 08:57 AM

This is not yet supported but a feature request is in place (at the time of this writing).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ansusabu
Communicator
‎10-31-2019 12:35 AM

Since the feature is not implemented yet, you can use the below query to update custom status for the notable in Splunk from Phantom.

| makeresults | eval rule_id="<id>", status="<custom status>", comment="<enter comment here>", owner="<owner name>", user="<owner name>" , event_id="<id>", time="<time>" , rule_name="<rule name>", urgency="<urgency>"| table comment event_id owner rule_id rule_name status time urgency user | outputlookup append=true incident_review_lookup

0 Karma
Reply
Solved! Jump to solution

cblumer_splunk
Splunk Employee
Splunk Employee
‎08-29-2019 09:34 AM

The HTTP App for Phantom can be used to perform a POST request to the Splunk ES API to change the status of a Notable Event to any custom status you may have defined:

https://my.phantom.us/4.5/docs/app_reference/phantom_http#post-data
https://docs.splunk.com/Documentation/ES/5.3.0/API/NotableEventAPIreference

You will want to use the ID value of the custom status defined in revewstatuses.conf:

"A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event."

0 Karma
Reply
Solved! Jump to solution

kvswathi
Path Finder
‎08-26-2019 10:26 PM

Thank you for the update

0 Karma
Reply
Solved! Jump to solution
Solution

sam_splunk
Splunk Employee
Splunk Employee
‎08-26-2019 08:57 AM

This is not yet supported but a feature request is in place (at the time of this writing).

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...