Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to schedule a Phantom playbook to run at specific intervals?

AlexBryant
Path Finder
‎12-03-2019 10:21 AM

I have completed Phantom playbook that I need to run every 5 minutes. I know that the Timer app can be used to schedule playbook execution by generating events on a preset schedule, but how would a set up two separate schedules for two separate playbooks - say, one that runs every 5 minutes and one that runs hourly? Do I set up two Timer assets and somehow add identifying characteristics to differentiate the events that each asset will generate?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phantom_mhike
SplunkTrust
SplunkTrust
‎12-03-2019 10:59 AM

In the past I have created timers for these that generate containers and each of the timer assets apply a label to the containers that indicate their schedule ie. "scheduled-hourly" for a timer that generates every hour or "scheduled-daily", "scheduled-5min" etc. The different labels make it easy to apply playbooks to them as well as identify where the containers came from when looking at the analyst queue.

View solution in original post

Reply
Solved! Jump to solution
Solution

phantom_mhike
SplunkTrust
SplunkTrust
‎12-03-2019 10:59 AM

In the past I have created timers for these that generate containers and each of the timer assets apply a label to the containers that indicate their schedule ie. "scheduled-hourly" for a timer that generates every hour or "scheduled-daily", "scheduled-5min" etc. The different labels make it easy to apply playbooks to them as well as identify where the containers came from when looking at the analyst queue.

Reply
Solved! Jump to solution

AlexBryant
Path Finder
‎12-04-2019 08:26 AM

That worked! It took a few minutes to figure out how to implement it, so I'll post the details for others. Go into Administration --> Event Settings --> Label Settings. Add a new label with a meaningful name like "timer_5_minutes". In the Timer app, add a new asset, and in the ingest settings, set it to run on the appropriate schedule (in this case, every 5 minutes), and set the 'Label To Apply' to be the label added above in administration. Now, there's an asset in Timer that will run every 5 minutes and create an event called timer_5_minutes. In your playbook settings, set the "Operates On" value to also be "timer_5_minutes"...the playbook will now run every time the Timer app creates one of these events, and will execute according to your schedule.

Reply
Solved! Jump to solution

satishclarios
New Member
‎05-28-2020 08:44 AM

@AlexBryant Thank you for detail explanation

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...