Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Phantom Error Reporting- How to monitor the execution of a Phantom Playbook

ss008i
Engager
‎06-22-2022 08:29 AM

Hello,

I am trying to find a native solution in order to monitor the execution of a Phantom Playbook. In case one of the actions fail, or a specific message/data is returned by a custom function, does anyone a possibility to make a general/native configuration, so that an admin will receive an instant email message with the error/playbook that ran/ etc?

I am aware of the api 'error' and 'discontinue' methods, but it will mean to add this kind of checks at each step of the playbook ...

Greatly appreciate your ideas!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎06-22-2022 08:37 AM

@ss008i 

If you need instant then you will need to bake it into the playbook logic by checking the "status" output in a decision block after the action/function (you need to configure status output in function), and then "do something" if it fails. Worth doing for most actions anyway as best practise although I appreciate it may be time consuming, it's worth it in the long run. 

Another option is to have a playbook scheduled to run every x mins that uses REST to search for all action failures and then provide a report. 

action_run with filtering (/rest/action_run?_filter_status="failed") could be used for actions. Also consider a time and page limit on the rest call so you don't dedup. Options for filtering are here: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTQueryData 


action run REST docs: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTRunAction 

Custom functions are a bit harder as they don't report a status per playbook run so really you would need to handle the status output in a playbook for them, or turn them into app actions so the status output can be used. 

If this helped, please feel free to add karma and/or mark as a solution. 

Happy SOARing!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎06-22-2022 08:37 AM

@ss008i 

If you need instant then you will need to bake it into the playbook logic by checking the "status" output in a decision block after the action/function (you need to configure status output in function), and then "do something" if it fails. Worth doing for most actions anyway as best practise although I appreciate it may be time consuming, it's worth it in the long run. 

Another option is to have a playbook scheduled to run every x mins that uses REST to search for all action failures and then provide a report. 

action_run with filtering (/rest/action_run?_filter_status="failed") could be used for actions. Also consider a time and page limit on the rest call so you don't dedup. Options for filtering are here: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTQueryData 


action run REST docs: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTRunAction 

Custom functions are a bit harder as they don't report a status per playbook run so really you would need to handle the status output in a playbook for them, or turn them into app actions so the status output can be used. 

If this helped, please feel free to add karma and/or mark as a solution. 

Happy SOARing!

0 Karma
Reply
Solved! Jump to solution

ss008i
Engager
‎06-29-2022 01:31 AM

Thank you @phanTom - looks pretty much in line with what I expected - I will go with a hybrid version and use both sides of the solutions you mentioned. Regards

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...