Splunk SOAR (f.k.a. Phantom)

Splunk Phantom Error Reporting- How to monitor the execution of a Phantom Playbook

ss008i
Engager

Hello,

I am trying to find a native solution in order to monitor the execution of a Phantom Playbook. In case one of the actions fail, or a specific message/data is returned by a custom function, does anyone a possibility to make a general/native configuration, so that an admin will receive an instant email message with the error/playbook that ran/ etc?

I am aware of the api 'error' and 'discontinue' methods, but it will mean to add this kind of checks at each step of the playbook ...

Greatly appreciate your ideas!

0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@ss008i 

If you need instant then you will need to bake it into the playbook logic by checking the "status" output in a decision block after the action/function (you need to configure status output in function), and then "do something" if it fails. Worth doing for most actions anyway as best practise although I appreciate it may be time consuming, it's worth it in the long run. 

Another option is to have a playbook scheduled to run every x mins that uses REST to search for all action failures and then provide a report. 

action_run with filtering (/rest/action_run?_filter_status="failed") could be used for actions. Also consider a time and page limit on the rest call so you don't dedup. Options for filtering are here: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTQueryData 


action run REST docs: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTRunAction 

Custom functions are a bit harder as they don't report a status per playbook run so really you would need to handle the status output in a playbook for them, or turn them into app actions so the status output can be used. 

If this helped, please feel free to add karma and/or mark as a solution. 

Happy SOARing!

View solution in original post

0 Karma

phanTom
SplunkTrust
SplunkTrust

@ss008i 

If you need instant then you will need to bake it into the playbook logic by checking the "status" output in a decision block after the action/function (you need to configure status output in function), and then "do something" if it fails. Worth doing for most actions anyway as best practise although I appreciate it may be time consuming, it's worth it in the long run. 

Another option is to have a playbook scheduled to run every x mins that uses REST to search for all action failures and then provide a report. 

action_run with filtering (/rest/action_run?_filter_status="failed") could be used for actions. Also consider a time and page limit on the rest call so you don't dedup. Options for filtering are here: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTQueryData 


action run REST docs: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlatformAPI/RESTRunAction 

Custom functions are a bit harder as they don't report a status per playbook run so really you would need to handle the status output in a playbook for them, or turn them into app actions so the status output can be used. 

If this helped, please feel free to add karma and/or mark as a solution. 

Happy SOARing!

0 Karma

ss008i
Engager

Thank you @phanTom - looks pretty much in line with what I expected - I will go with a hybrid version and use both sides of the solutions you mentioned. Regards

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...