I managed to get this sorted out. With the way SOAR handles IDs, it's easiest to update workbooks as a whole than trying to focus on specific phases or tasks. To that end, when pulling your workbooks, you'll want to get [base_url]/workbook_template?page_size=0  [base_url]/workbook_phase_template?page_size=0. Since they're stored separately you'll then want to stich the workbooks and phases together using the phases' template value. This is the same as its parent workbook's ID. Including some fields in your push can cause SOAR to reject the changes (usually with a 404 error). Workbooks (the top level): name, description, is_default, is_note_required, phases.  Phases (the middle level): name, order, and tasks. Tasks (bottom level): name, description, order, owner, role, sla, and suggestions. Delete I overcomplicated this for myself. A simple REST delete request to [base_url]/rest/workbook_template/[ID] will delete the workbook. Create Post your json with the required fields to [base_url]/rest/workbook_template. It's important to note there is no ID. Update Post your full json with the required fields for the workbook you're changing to [base_url]/rest/workbook_template/[ID]. SOAR is intelligent enough to recognize what the changes are and just update those pieces. ... View more

This isn't as convenient as I'd hoped but we ended up putting together a custom code block to build a clickable URL which can be shared.  import urllib.parse #This line won't change between different searches base_url = "[splunk URL]/en-US/app/SplunkEnterpriseSecuritySuite/search?q=" #This should be dynamically built with whatever you're searching for. my_search = "index=* | stats count by index" #This is optional, Splunk will use your default if you don't include it #Times should be epoch format time_range = f'&earliest={[start]}&latest={[end]}' #Urllib parse is required. It's the difference between "index=* | stats count by index" (human readable) and "index%3D%2A%20..." (working URL) full_url = base_url + urllib.parse.quote(my_search) + time_range   ... View more

If you have more than a small number of prompts at a time, you need to change how your playbooks are working. Speaking from experience, that will lead to things being missed and waiting for too long. To answer your question, you could try changing your link to point at the container holding the prompt instead of the prompt on its own.  That would look something like https://10.250.74.118:8443/mission/[number]/analyst/approvals    ... View more

cd /opt/phantom/bin sudo su phantom ./start_phantom.sh ... View more

We didn't end up going this route since there are fairly long stretches of time where the check would be running unnecessarily, and it wouldn't have the immediate effect which is necessary for incident response (our main use case for this question). We did, however, keep another piece of @phanTom wisdom in mind. "There are many ways to do things in SOAR, just depends how janky you want to get!" We ended up creating a new subplaybook to go at the beginning of those playbooks likely to be affected by missing the fields: Check if an artifact with the required fields exists If it does, continue with the rest of the parent as normal If not, do the following Use the Phantom app to add an artifact with the required fields Create a custom code block which uses multiple API operations to Get the subplaybook's own ID This is necessary since that number changes any time you edit the PB Get the audit data from the container Pull the json of the currently running subplaybook to get its parent's name and ID runs_resp_json['misc']['parent_playbook_run']['parent_playbook_name'] runs_resp_json['misc']['parent_playbook_run']['parent_playbook_run_id'] Use parent_playbook_name to call a new instance of the parent playbook SOAR treats a PB called via API as independent while those called via block are children This step is needed so the parent playbook interacts with the newly created artifact normally (we ran into problems referencing an artifact created within the same PB run) Use parent_playbook_run_id to cancel the original run since it's likely to run into the problem mentioned above This must come at the very end since cancelling the parent cancels any children, including the playbook running this code ... View more

Working with just this example, the same applies across the board. get_device_trajectory_2:action_result.data.*.events.*.file.parent.file_name .data.*.events.*. is most likely your problem. Every time your filter block hits a true, you're telling your format block to pull in all of the file names in the event data from get_device_trajectory_2. You'll need to find a way to tell it to only pull in the information from the index of the item you care about. Something like  get_device_trajectory_2:action_result.data.*.events.X.file.parent.file_name​ where X is the item in the list that evaluated true. ... View more

If you use external source control (such as gitlab), this is fairly easy. You can pull down the repo then parse through all of the .json files. Anytime a playbook calls another, it's added to the json with the key "playbookName". My quick and dirty powershell code was once I cloned the repo was  Get-ChildItem -Path "[repo path]\*.json" -Recurse | Select-String -Pattern "[playbookName]" -AllMatches | Select-Object -Property Line | Export-Csv -Path [csv path].csv   It's a little tougher if you don't have that easily accessible externally. My best guess (which I haven't personally tested) would be to use the API to loop through every playbook by id, then parse your way down  to that playbookName and count it. Make sure you don't stop at the first match, as there's a chance more than one subplaybook is called. ... View more