Splunk SOAR (f.k.a. Phantom)

Phantom Selected or Check Box Artifact

iamraprap
Observer

I have multiple artifacts and there is a check box beside it. Is there a datapath to access the currently selected artifact? Or perhaps a means to select it and ONLY run playbook or actions on the selected artifacts in the UI?

Can't seem to find a datapath or parameter to playbook that does this. Please help!

0 Karma

phanTom
SplunkTrust

The REST call to run a playbook takes an optional argument of "scope", which accepts a list of integers of artifact_ids; this is how the playbook is called by the platform, invisible to you or me. The list of artifact ids will be passed to the playbook as parameters. No code in the playbook will show you how this works as it's "under the hood".
https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlatformAPI/RESTRunPlaybook 

As for accessing the fields, this is where datapaths come in, and you need to use them to retrieve the values you want from the fields you want. It's worth using a decision to check if the field exists, and a filter to filter just the value you want, else you may get invalid results with Nones.

0 Karma
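To make the two ideas in this answer concrete (a "scope" list of artifact ids narrowing what a run touches, and datapaths plus a None-dropping filter pulling the values out), here is a small stand-alone Python model. It is an added example, not Splunk's code and not a playbook: it builds the JSON body that POST /rest/playbook_run takes (the `scope` values "all", "new" or a list of ids are from the linked docs; the `run` key and the id-validation rule are my assumptions), and it resolves `artifact:*.<field>` datapaths over a constructed artifact list the way a filter block would. Inside a real playbook the equivalent is `phantom.collect2(container=container, datapath=[...])`, which also accepts a `scope` argument.

```python
"""Added example (not Splunk SOAR's own code): model how `scope` limits a playbook run
to chosen artifact ids and how datapaths + a None filter extract field values."""
from typing import Any, Dict, List, Optional, Union

# Constructed sample artifacts, shaped like the dicts a SOAR playbook sees.
SAMPLE_ARTIFACTS: List[Dict[str, Any]] = [
    {"id": 101, "label": "event", "cef": {"sourceAddress": "10.0.0.5", "destinationPort": 443}},
    {"id": 102, "label": "event", "cef": {"sourceAddress": None, "destinationPort": 80}},
    {"id": 103, "label": "host", "cef": {"deviceHostname": "ws-17"}},
    {"id": 104, "label": "event", "cef": {"sourceAddress": "10.0.0.9"}},
]

Scope = Union[str, List[int]]


def build_playbook_run_body(playbook_id: int, container_id: int, scope: Scope = "new") -> dict:
    """Body for POST /rest/playbook_run.

    `scope` is "all", "new", or a list of artifact ids; the UI passes such a list
    when you tick artifacts and run a playbook. Validation is an assumption here,
    not something the platform API documents.
    """
    is_id_list = isinstance(scope, list) and all(isinstance(i, int) for i in scope)
    if scope not in ("all", "new") and not is_id_list:
        raise ValueError("scope must be 'all', 'new', or a list of artifact ids")
    return {"container_id": container_id, "playbook_id": playbook_id, "scope": scope, "run": True}


def in_scope(artifacts: List[dict], scope: Scope) -> List[dict]:
    """Keep only artifacts selected by `scope`.

    "new" is decided by the platform (artifacts not yet seen by this playbook);
    this model treats it like "all" (assumption).
    """
    if scope in ("all", "new"):
        return list(artifacts)
    wanted = set(scope)
    return [a for a in artifacts if a.get("id") in wanted]


def resolve_datapath(artifact: dict, datapath: str) -> Optional[Any]:
    """Resolve a datapath such as 'artifact:*.cef.sourceAddress' against one artifact.

    Returns None when any segment is missing, which is exactly the None a playbook
    sees when a field is absent and why a decision/filter block is needed.
    """
    prefix = "artifact:*."
    if not datapath.startswith(prefix):
        raise ValueError("only artifact:*.<field> datapaths are handled in this example")
    node: Any = artifact
    for key in datapath[len(prefix):].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def collect(artifacts: List[dict], datapaths: List[str], scope: Scope = "all",
            drop_none: bool = True) -> List[list]:
    """Filter-block style collection: one row per in-scope artifact, holding the
    requested values followed by the artifact id. Rows with any None are dropped
    unless drop_none is False."""
    rows = []
    for artifact in in_scope(artifacts, scope):
        values = [resolve_datapath(artifact, dp) for dp in datapaths]
        if drop_none and any(v is None for v in values):
            continue
        rows.append(values + [artifact["id"]])
    return rows


if __name__ == "__main__":
    # Run against every artifact, then only against the ids a user "ticked".
    print(collect(SAMPLE_ARTIFACTS, ["artifact:*.cef.sourceAddress"]))
    print(collect(SAMPLE_ARTIFACTS, ["artifact:*.cef.sourceAddress"], scope=[101, 102, 103]))
    print(build_playbook_run_body(playbook_id=7, container_id=42, scope=[101, 103]))
```

Note how artifact 102 disappears from the filtered output: its `sourceAddress` is None, so an action fed that row would fail or act on garbage, which is the "invalid results with Nones" the answer warns about. Artifact 103 has no `sourceAddress` at all and is dropped for the same reason.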

iamraprap
Observer

Thanks @phanTom, will probably request a way to have easy means to access that 'scope' and its contents. Like what you said, even if I access artifact:*.id and do the checking, the most important part is the human decision to only run a playbook on selected artifacts (e.g. a list of X hosts and do the needful on a subset).

0 Karma

phanTom
SplunkTrust

@iamraprap not quite sure what you mean. 

The power of SOAR is the automation, and an analyst/human should only be brought in if necessary. Playbooks should all be written to check for the data they need to perform their function, and if that means filtering artifacts based on some data before performing an action, that is what Splunk SOAR is made for.

IMO, all analyst actions should be controlled by a playbook for consistency, even for relatively simple clickable tasks in the UI, as it gives a lot more control and visibility of the analyst's use of the Platform and makes things a lot more efficient/consistent.

Scope is something that once understood makes a lot of sense, and is configurable on individual blocks in playbooks since 4.10.7.

Happy SOARing!

0 Karma

phanTom
SplunkTrust

@iamraprap welcome to the community!

There is no datapath for what you are asking as a playbook is totally unaware of any boxes being ticked on a container. However, depending on how the artifacts are created, you may be able to use a combination of conditions in a decision/filter to only act upon the relevant artifact in a playbook. 

As for running from the UI: if you select an artifact and press the >Playbook button, in the bottom-left of the new window you can select "artifact", which will mean the playbook will only run against the selected artifact(s). Running an action against an artifact is different, as actions will only run against values, and these are contained in the artifacts. If you click a value and see a drop-down appear, this will contain all of the actions available for the type of data SOAR thinks the value is, and you can run individual actions manually that way too.

Hope this helped; if so, please mark as the solution. Or if you need more info, please let me know.

0 Karma

iamraprap
Observer

@phanTom thanks for the reply, but the thing I don't understand is how the playbook knows:

"you can select "artifact" which will mean the playbook will only run against the selected artifact(s)"

I don't see an artifact parameter being passed to the actual playbook on_start(). Even if the playbook runs only on that artifact, in playbook context how can we access the fields/data in that referenced artifact?

0 Karma