Splunk® Phantom (Legacy)

Build Playbooks with the Visual Editor

Use decisions to send Splunk Phantom artifacts to a specific downstream action

Use a Decision block to change the flow of artifacts by performing IF, ELSE IF, or ELSE functions. When an artifact meets a True condition, it is passed downstream to the corresponding block in the playbook flow. If none of the Decision block conditions are met, the playbook run fails.

If you wanted to create a playbook to identify whether an IP address is public or private, you could use the following logic in the decision block to identify private IP addresses.

  • IF "artifact:*.cef.destinationAddress", "in", "10.0.0.0/8"
  • ELSE IF "artifact:*.cef.destinationAddress", "in", "172.16.0.0/12"
  • ELSE IF "artifact:*.cef.destinationAddress", "in", "192.168.0.0/16"
  • ELSE geolocate ip

This identifies all private IP addresses and performs a geolocate action on public or invalid IP addresses.

The first time an artifact meets a condition, it is passed along to the corresponding downstream block. The artifact is no longer available for evaluation by other ELSE IF or ELSE statements, and cannot be passed to other downstream blocks. You can only perform one action on an artifact based on the condition that is matched first.

Unlike Filter blocks, no named datasets are created for reference later on in the playbook.
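The routing rules above (first matching condition wins, an artifact reaches exactly one downstream block, and a run with no ELSE fails when nothing matches) can be modelled in a few lines. The following Python is an added example written for this page; it is not Splunk Phantom's playbook API or generated playbook code. It models only the "artifact:*.cef.<field>" parameter form, the "in" and "==" operators, and uses constructed artifacts and hypothetical downstream block names (handle_private_10 and so on) to show the private-IP decision from the text.

```python
import ipaddress

# Constructed sample artifacts (not from the page), shaped like Phantom CEF artifacts.
ARTIFACTS = [
    {"id": 1, "cef": {"destinationAddress": "10.1.2.3"}},
    {"id": 2, "cef": {"destinationAddress": "172.20.0.9"}},
    {"id": 3, "cef": {"destinationAddress": "192.168.1.77"}},
    {"id": 4, "cef": {"destinationAddress": "8.8.8.8"}},
    {"id": 5, "cef": {"destinationAddress": "not-an-ip"}},
    {"id": 6, "cef": {"sourceAddress": "10.9.9.9"}},  # destinationAddress missing entirely
]

# The three private-IP conditions from the doc, each paired with a hypothetical downstream block name.
PRIVATE_IP_BRANCHES = [
    (("artifact:*.cef.destinationAddress", "in", "10.0.0.0/8"), "handle_private_10"),
    (("artifact:*.cef.destinationAddress", "in", "172.16.0.0/12"), "handle_private_172"),
    (("artifact:*.cef.destinationAddress", "in", "192.168.0.0/16"), "handle_private_192"),
]


class NoBranchMatched(Exception):
    """No IF/ELSE IF condition matched and there is no ELSE: the doc says the playbook run fails."""


def in_cidr(value, network):
    """'in' operator for IP values: True only for a parseable address inside the network."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(network, strict=False)
    except ValueError:  # missing field, malformed address or malformed network
        return False


def evaluate(artifact, condition):
    """Evaluate one (parameter, operator, value) condition against one artifact.

    Only the 'artifact:*.cef.<field>' parameter form is modelled here.
    """
    parameter, op, expected = condition
    field = parameter.rsplit(".", 1)[-1]
    actual = artifact.get("cef", {}).get(field)
    if op == "in":
        return in_cidr(actual, expected)
    if op == "==":
        return actual == expected
    raise ValueError(f"unsupported operator {op!r}")


def decide(artifacts, branches, else_block=None):
    """Route every artifact to the block of the FIRST condition it satisfies.

    Returns {block_name: [artifact ids]}. An artifact lands in exactly one block;
    later ELSE IF branches never see it again. Without an ELSE, an unmatched
    artifact raises NoBranchMatched, modelling the failed playbook run.
    """
    routed = {block: [] for _, block in branches}
    if else_block is not None:
        routed[else_block] = []
    for artifact in artifacts:
        for condition, block in branches:
            if evaluate(artifact, condition):
                routed[block].append(artifact["id"])
                break
        else:
            if else_block is None:
                raise NoBranchMatched(f"artifact {artifact['id']} matched no condition")
            routed[else_block].append(artifact["id"])
    return routed


def route_private_ips(artifacts=ARTIFACTS):
    """The doc's example: private ranges go to their branches, everything else to geolocate ip."""
    return decide(artifacts, PRIVATE_IP_BRANCHES, else_block="geolocate_ip")


if __name__ == "__main__":
    for block, ids in route_private_ips().items():
        print(f"{block}: {ids}")
```

Note that the malformed address and the artifact with no destinationAddress both fall through to the ELSE branch, which is why the text describes the geolocate action as receiving "public or invalid" addresses; drop the else_block argument and the same artifacts make the run fail instead.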

Create a Decision block in your playbook

To create a Decision block, perform the following tasks:

  1. Drag the half-circle icon attached to any existing block in the editor.
  2. Select Decision from the list of block types.
  3. Click the Select Parameter field and select the parameter you want to compare. Parameters are made available to the Decision block by upstream blocks.
  4. Click the == field and select an operator for the decision.
  5. Click the Select Value field and select the value you want to match. See Example of creating decisions for multiple downstream actions for an example of how these fields all work together.
  6. (Optional) Click Add Else If to create another matching condition for the decision.
  7. Click Add Else to create the final branch for the decision.

Settings

Follow these steps to configure the settings for a Decision block:

  1. Click Settings.
  2. Select Info or Advanced.
Info settings

  • Custom Name: The name for this Decision block. This name is visible in the playbook editor and anywhere else in Splunk Phantom that shows details about this block.
  • Description: The Description field shows up as a code comment above the block definition.
  • Notes: The Notes field contents appear when you hover over the Note icon in the block.

Advanced settings

  • Join Settings: You can configure Join settings when two blocks with callbacks both call the same downstream block. Block types with callbacks are Action and Prompt. Configure Join settings from the downstream block. Select the required checkbox if the action in the upstream block must complete before this downstream block runs.
  • Artifact Scope: Select a value from the drop-down menu. The setting determines which artifacts are processed when the playbook block runs.
      - Default matches the scope of the playbook.
      - New Artifacts processes only the artifacts that were defined since the block was last run.
      - All Artifacts includes all artifacts when the playbook block runs.
  • Case-insensitive: Check this box to make the decision's comparisons ignore case. By default, comparisons are case-sensitive.

Example of creating decisions for multiple downstream actions

Decision blocks control the program flow based on comparisons of artifact data, notable properties, date functions, and action results. Create if and else if conditions to branch to multiple downstream blocks as a result of the comparisons.

In the following example, start with a Decision block that checks whether the notable contains any artifacts. The image shows a Decision block in the playbook editor.

Screen image: a Decision block in the playbook editor. Its main elements are described in the steps that follow.

  1. Drag the half-circle icon attached to any existing block in the editor.
  2. Select Decision from the list of block types.
  3. In the If field, click the Select Parameter field and select a parameter to evaluate. You can choose from the properties provided by the container, event data, date and time options, and custom lists.
  4. Select container properties from the list of options, and then click artifact_count as the property you want to evaluate.
  5. Select > as the operator, and enter 0 in the Select Value field.

The blue circle next to the If section corresponds with the blue connector dot on the side of the decision block. All data is passed on to the next block.

Example of creating decisions with multiple statements

You can create more complex Decision blocks with up to five statements. For example, you can perform a geolocate ip action on a source IP address and block the IP if its country is North Korea. Otherwise, you can perform an ip reputation action on the IP address, as shown in the following screenshot:

Screen image: a Decision block with several color-coded decision branches. Its main elements are described in the text surrounding the image.

Each subsequent statement and downstream block is color-coded: blue marks the path of the If statement, and red marks the path of the Else statement. Each statement has exactly one downstream block of its own.
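The two examples above compare values from different sources: a container property (artifact_count) and the result of an upstream geolocate ip action, with the Case-insensitive setting deciding whether "NORTH KOREA" and "North Korea" match. The following Python is an added example for this page, not Splunk Phantom's own code or API. It assumes a small parameter-path syntax ("source:a.b.*.c", where "*" fans out over a list), a constructed run context, a hypothetical upstream action name geolocate_ip_1 with an assumed result shape, and hypothetical downstream block names (next_block, block_ip, ip_reputation).

```python
import operator

# Constructed run context (not page data). Keys mirror how decision parameters name their
# source: container properties, the artifact list, and the result of a prior action.
# "geolocate_ip_1" is a hypothetical upstream action name and its result shape is assumed.
RUN_CONTEXT = {
    "container": {"artifact_count": 2},
    "artifact": [
        {"id": 1, "cef": {"sourceAddress": "198.51.100.7"}},
        {"id": 2, "cef": {"sourceAddress": "203.0.113.9"}},
    ],
    "geolocate_ip_1": {"action_result": {"data": [{"country_name": "NORTH KOREA"}]}},
}

OPERATORS = {">": operator.gt, "<": operator.lt, "==": operator.eq, "!=": operator.ne}


def resolve(path, context=RUN_CONTEXT):
    """Resolve a parameter path such as 'artifact:*.cef.sourceAddress' to the values it selects.

    '*' fans out over a list, so the result is always a list of values (possibly empty).
    """
    source, _, rest = path.partition(":")
    current = [context.get(source)]
    for key in (rest.split(".") if rest else []):
        selected = []
        for node in current:
            if key == "*" and isinstance(node, list):
                selected.extend(node)
            elif isinstance(node, dict) and key in node:
                selected.append(node[key])
        current = selected
    return current


def normalise(value, case_insensitive):
    """Apply the Case-insensitive setting: compare strings in lower case when enabled."""
    return value.lower() if case_insensitive and isinstance(value, str) else value


def statement_matches(statement, context=RUN_CONTEXT, case_insensitive=False):
    """A (parameter, operator, value) statement matches if any resolved value satisfies it."""
    parameter, op, expected = statement
    compare = OPERATORS[op]
    expected = normalise(expected, case_insensitive)
    for value in resolve(parameter, context):
        try:
            if compare(normalise(value, case_insensitive), expected):
                return True
        except TypeError:  # e.g. a string compared numerically; treat as no match
            continue
    return False


def decide(statements, else_block=None, context=RUN_CONTEXT, case_insensitive=False):
    """IF / ELSE IF / ELSE: the first matching statement's block wins; otherwise the ELSE block.

    With no ELSE and no match, the doc says the playbook run fails, modelled here as an exception.
    """
    for statement, block in statements:
        if statement_matches(statement, context, case_insensitive):
            return block
    if else_block is None:
        raise RuntimeError("no decision statement matched and there is no ELSE branch")
    return else_block


def has_artifacts_decision(context=RUN_CONTEXT):
    """First doc example: continue to the next block only when the container holds artifacts."""
    return decide([(("container:artifact_count", ">", 0), "next_block")], context=context)


def geo_decision(context=RUN_CONTEXT, case_insensitive=True):
    """Second doc example: block the IP when geolocate ip reports North Korea, else check reputation."""
    statements = [
        (("geolocate_ip_1:action_result.data.*.country_name", "==", "North Korea"), "block_ip"),
    ]
    return decide(statements, else_block="ip_reputation", context=context,
                  case_insensitive=case_insensitive)


if __name__ == "__main__":
    print(has_artifacts_decision())
    print(geo_decision())
    print(geo_decision(case_insensitive=False))
```

Running geo_decision with case_insensitive=False sends the constructed "NORTH KOREA" result down the ip_reputation branch instead of block_ip, which is the practical effect of leaving the Case-insensitive box unchecked when upstream data does not use the exact capitalisation typed into the Select Value field.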

Last modified on 11 November, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.4, 4.10.6, 4.10.7
