Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

custom status update for notable event using phantom playbook

kvswathi
Path Finder
‎05-31-2019 05:45 AM

Hi All,

I have to update the notable event status using phantom. But the status are custom created ones , not the default status available in splunk app for phantom so its is throwing error in playbook "invalid status"

Can any one have a suggestion here to update the custom status.

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sam_splunk
Splunk Employee
Splunk Employee
‎08-26-2019 08:57 AM

This is not yet supported but a feature request is in place (at the time of this writing).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ansusabu
Communicator
‎10-31-2019 12:35 AM

Since the feature is not implemented yet, you can use the below query to update custom status for the notable in Splunk from Phantom.

| makeresults | eval rule_id="<id>", status="<custom status>", comment="<enter comment here>", owner="<owner name>", user="<owner name>" , event_id="<id>", time="<time>" , rule_name="<rule name>", urgency="<urgency>"| table comment event_id owner rule_id rule_name status time urgency user | outputlookup append=true incident_review_lookup

0 Karma
Reply
Solved! Jump to solution

cblumer_splunk
Splunk Employee
Splunk Employee
‎08-29-2019 09:34 AM

The HTTP App for Phantom can be used to perform a POST request to the Splunk ES API to change the status of a Notable Event to any custom status you may have defined:

https://my.phantom.us/4.5/docs/app_reference/phantom_http#post-data
https://docs.splunk.com/Documentation/ES/5.3.0/API/NotableEventAPIreference

You will want to use the ID value of the custom status defined in revewstatuses.conf:

"A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event."

0 Karma
Reply
Solved! Jump to solution

kvswathi
Path Finder
‎08-26-2019 10:26 PM

Thank you for the update

0 Karma
Reply
Solved! Jump to solution
Solution

sam_splunk
Splunk Employee
Splunk Employee
‎08-26-2019 08:57 AM

This is not yet supported but a feature request is in place (at the time of this writing).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...