Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Search with action and playbook data in Splunk Mission Control

Write searches about actions and playbooks while investigating incidents in Splunk Mission Control. Splunk Mission Control uses automation functionality, including action and playbook runs, provided by Splunk SOAR (Cloud). See the following table of indexes to make sure you're using them correctly when using Splunk SOAR (Cloud) data in searches.

Index name: phantom_action_run
Description: The Splunk index that is associated with Splunk SOAR action run data.
When to use: To search for action run logs from Splunk SOAR.

Index name: phantom_playbook_run
Description: The Splunk index that is associated with Splunk SOAR playbook run data.
When to use: To search for playbook run logs from Splunk SOAR.

If you can't search for action and playbook run logs from Splunk SOAR, you might need to add the phantom_action_run and phantom_playbook_run indexes to your role. See Manage indexes for roles in Splunk Mission Control.

If you deactivated the universal forwarder, you can't access Splunk SOAR logs, including action run logs, playbook run logs, and audit logs. To use Splunk SOAR data in searches, turn on the universal forwarder.

For more information on playbooks and actions, see Automate incident response with playbooks and actions in Splunk Mission Control.

Example searches for actions and playbooks in Splunk Mission Control

Use these example searches to learn more about actions and playbooks in Splunk Mission Control.

Action run logs by specific action name

To get action run logs of a specific type of action, use the following search.

index="phantom_action_run" | search action="geolocate ip"

Action run logs by specific action ID

To get action run logs with a specific action ID, use the following search.

index="phantom_action_run" | search id=1

Action run logs by specific status

To get action run logs with a specific status, use the following search.

index="phantom_action_run" | search status="success"

Action run logs by specific playbook run ID

To get action run logs from a specific playbook run ID, use the following search.

index="phantom_action_run" | search playbook_run=123

Action run logs by specific playbook ID

To get action run logs from a specific playbook ID, use the following search.

index="phantom_action_run" | search playbook=123

Playbook run logs by specific playbook ID

To get playbook run logs from a specific playbook ID, use the following search.

index="phantom_playbook_run" | search playbook=123

Playbook run logs by specific playbook run ID

To get playbook run logs from a specific playbook run ID, use the following search.

index="phantom_playbook_run" | search playbook_run=123
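The single-field searches above answer one question each. During an investigation the more useful question is usually "which actions in this playbook's runs did not succeed?", which combines the playbook, playbook_run, action and status fields from the phantom_action_run index. The following search is an added example, not from the Splunk documentation; it assumes that those fields are present on each action run event as the examples above imply, that "success" is the status value of a completed action (the page's own example), and that playbook ID 123 is the same placeholder used above. Any status other than "success" is counted as a non-success rather than assuming specific failure status values.

```spl
index="phantom_action_run" playbook=123
| stats count AS runs,
        count(eval(status="success")) AS successes
        BY playbook_run, action
| eval non_success = runs - successes
| where non_success > 0
| sort - non_success
```

The result lists, per playbook run and action name, how many action runs completed successfully and how many did not, so a failing enrichment or containment step surfaces without reading individual action run logs. Swapping playbook=123 for playbook_run=123 narrows the same search to one run, and the matching playbook run event can then be pulled from index="phantom_playbook_run" with the same playbook_run value.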

Last modified on 20 September, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current
