Are you trying to install the most recent version of SOAR? If so, upgrade to postgresql 15 if you can. The documentation is unclear but that's essentially required for 6.3. We ran into trouble trying to upgrade with postgresql 12. I can only imagine 11 has problems as well. ... View more

Just to clarify the discussion I see here, everything under /opt/phantom should be owned by the phantom user. If any of the folders are owned by the root user instead of the phantom, SOAR may not run (or install in this case) properly. This is mentioned in the installation instructions but it's a single line toward the bottom and easy to miss. "Make sure you are logged in as the user meant to own the Splunk SOAR (On-premises) installation. Do not perform the installation command as the root user." Given how early you are in the process, it might just be best to start fresh rather than changing permissions on every folder. ... View more

My first thought is that the blocks downstream from the ansible block don't require it to complete, while the blocks downstream from the splunk block do. To check on this: Click on all downstream blocks For each, open the advanced dropdown in the left panel See if the Join Settings require the ansible/splunk blocks If you don't want the block to be required, uncheck the box here   To directly answer your title question, you can build your own error handling by placing a decision block after the splunk block to check whether splunk_block:action_results:status returns success or failed. If you take this approach and have the different branches reconnect at any point, you'll have to check the join settings because they will automatically require the splunk block to have completed even if your playbook previously followed the "failed" path. ... View more

Your best bet is going to be deciding which labels you want to set on certain containers. After that, you can set Label Permissions so roles don't have View permissions on labels they shouldn't see or be assigned to. ... View more

I wish I had a better answer for you, but after doing some testing, phantom.update() just doesn't seem to want to work from within a custom function. There are other functions which have the same problem but it's usually called out in the documentation.  What you've written works perfectly from within a custom code block in a playbook. You may just need to make a single block playbook you can call from a parent if you're planning to use this in multiple places. ... View more

What's your end goal with this? That would affect how I'd approach the problem. Do you want a playbook to take action based on this info, or is it some kind of audit? ... View more

I'm not familiar with the HTTP app so can't speak directly to this specific example, but I can answer your question at the end: Yes you are. The way callback works is it looks for another playbook block by that name, not a function defined within the same block. So what you can do is use the standard HTTP action block and move get_action_results to its own playbook block. SOAR will understand that you want to input the values from the action calling the callback. Looking at your reply on the other thread, something that may be helpful would be writing a loop to separate each URL and run through the process one by one. It's slower and more resource intensive, but that way you don't need to worry about keeping track of multiple results at once. ... View more

In my limited testing, SOAR doesn't seem to like handling custom functions within a single code block. It doesn't want to wait for the custom function to actually finish before moving on. For reference, first_code_block just calls a custom function and second_code_block runs phantom.completed() on that function. If you have to call the function from within a code block, you can add a callback. This will make sure the code doesn't move on until the run finishes. I wasn't able to get the callback to work on a second function within the same block. (One note on this: Phantom will call the last two lines of the code block before the custom function finishes) phantom.custom_function(... callback=second_code_block) The easiest method by far is to just put each custom function into their own block, then do whatever processing you need in a custom code block below. By default, SOAR will wait for any simultaneous blocks to finish before running the next step.   ... View more

I understand now. If the only thing you need to do is evaluate whether the user exists or not, and there are no actions you need to take down either branch, I'd say a simple custom code block is the way to go. Filter and decision blocks are more useful for deciding a path for the playbook to continue down. Something along the lines of if user exists: output_variable = True else: output_variable = False   ... View more

I can't speak to an app, but this sounds easy enough to do with the API. You'd need to build a way to loop through containers, pull the relevant date info, then decide which ones to delete. Some useful links # See the fields you're able to work with my_query_url = phantom.build_phantom_rest_url('container','[id]') my_response_json = phantom.requests.get(my_id_url, verify=False).json() phantom.debug(my_response_json)   ... View more

Unfortunately, according to the documentation, calling a playbook from within a custom function is not supported. What you could do instead is move the custom function into the playbook, then call the playbook anywhere you would have put the custom function. As for calling the playbook once for each deviceID, if you're getting them from an artifact field, you can plug that field in, and SOAR will loop through each value for you. ... View more

I suspect you were using the "send email" action. I wasn't able to find a good way to make links work with that. If you use the "send htmlemail" action, this will work. <a href="url">link text</a>   ... View more

I'm not entirely clear what the problem is here since you decide what the outputs are when building an input playbook. Working off your example, I would say it's better to have the input playbook determine whether the user exists, output that result, then make any decisions in the parent playbook. ... View more

This is a known issue in versions before 6.2, where it is fixed. Until you're able to upgrade, you have a couple of options: Ctrl+A on the output so the output is all highlighted Change to light theme Click your username in the upper right Account Settings Change Them to Light Theme ... View more

What sorts of results are you trying to post as a note? You can plug just about anything you want into a utility block calling the add note function. You can insert a format block just before the note block and use its formatted_data (not formatted_data.*) output to make it look nicer or combine info from different sources. ... View more

As of version 6 we're able to run playbooks when a container is closed. That's the easy part. Canceling running playbooks takes a few custom API calls.   # Pulls the id for this playbook. It shouldn't be hardcoded because the ID changes with each version and may not increment as expected my_id_url = phantom.build_phantom_rest_url('playbook') + '?_filter_name="my_playbook_name"' my_id_resp_json = phantom.requests.get(my_id_url, verify=False).json() my_id = my_id_resp_json['data'][0]['id'] # Runs a query to pull the audit data of the current container audit_url = phantom.build_phantom_rest_url('container', container_id, 'audit') audit_resp_json = phantom.requests.get(audit_url, verify=False).json() for i in audit_resp_json: # Looks for any playbook that has run in the container if i['AUDIT SOURCE'] == 'Playbook Run': # Runs a query to find details on each run runs_url = phantom.build_phantom_rest_url('playbook_run', i['AUDIT ID']) runs_resp_json = phantom.requests.get(runs_url, verify=False).json() # Finds any playbook that is currently running which isn't this one if runs_resp_json['status'] == 'running' and runs_resp_json['playbook'] != my_id: #Sends a POST to cancel any that match the above criteria cancel_url = phantom.build_phantom_rest_url('playbook_run', runs_resp_json['id']) cancel_post = phantom.requests.post(cancel_url, data='{"cancel":true}', verify=False) # If successful, up the succes count if cancel_post.status_code == 200: # Success else: # Failure   ... View more