Splunk Tech Talks
Deep-dives for technical practitioners.

Understanding Phantom’s Join Logic

melissap
Splunk Employee
Splunk Employee

View our Tech Talk: Security Edition, Understanding Phantom’s Join Logic. 

 

Playbooks allow analysts to automate everyday security tasks and save time. Oftentimes, these playbooks are simple: run a query or complete a single action. However, playbooks can also be very complex. As that complexity grows, there’s a need for more advanced features of playbook design to be considered to ensure they run effectively.

 

One of the ways to do this is to take a look at how parallel action blocks are set to re-join each other to continue processing. Have your complex playbooks ever stopped running unexpectedly after parallel single actions? That’s probably because of your ‘join’ settings. This talk will explain how Phantom’s 'join' logic works, and tips for writing effective and error-free playbooks.

Tune in to learn:

  • What may cause a playbook to stop running unexpectedly and how to fix it
  • How to use the join logic effectively 
  • How to properly use Phantom join logic in a live demo
Tags (2)
melissap
Splunk Employee
Splunk Employee

Here are a few questions from the live Q&A.

Q: How about some threshold like it requires 70% of the joins to complete?
A: In a case like that, you can adjust the join logic section of code to meet your requirements.

 

Q: From join, nothing will be required, but it will need custom python to check the output of the branches and count them up?
A: That's right - once you write your own join logic, you'd leave the UI as 'nothing required' and then define the code to do what you need -- it just wouldn't be reflected in the 'join settings' in the UI
Individual
 
melissap
Splunk Employee
Splunk Employee

Here are additional follow up materials.

Join Setting Documentation

Phantom Community Edition

Community tag of Join Logic

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...