Add an Action block to a Splunk Phantom playbook
Perform the following steps to add an Action block to a playbook:
- Drag the half-circle icon attached to any existing block in the editor.
- Select Action from the list of block types. Actions available to you in the playbook editor are determined by the apps that are installed and configured in Splunk Phantom.
- Select the action you want to configure, or enter an action name in the search field if you don't see the desired action listed. You can also narrow the list by action type or by app:
  - Select investigate, generic, correct, or contain to filter by action type.
  - Click By App to view a list of configured apps, and select an available action provided by the selected app.
- Select an asset that you want to run the action on. An asset is a specific configuration or instance of an app. In some cases, you may have multiple configurations for a specific app. For example, your environment may have multiple networks separated by firewalls, which require you to configure one instance of a specific app for each network.
- Select the field on which you want to perform the action. For example, an IPS event may have fields such as sourceAddress, destinationAddress, and the attack signature. When a container is created in Splunk Phantom, it has an artifact with fields for the sourceAddress and destinationAddress from the event.
- Select one of these fields to perform the action on.
- Click Save.
- Enter a comment about this action.
Configure linked parameters
Configure linked parameters in an Action block when you have multiple assets that share parameters with the same name. For example, you might have multiple assets configured that provide an action to create a ticket with a subject parameter. In this case, the word "linked" appears above the subject field, indicating that the field is linked to another field with the same name in a different asset. If you change the value here, the value for the field changes in all assets.
If you need to have the field take separate values, create separate action blocks.
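The following Python model shows what the steps above amount to once the block runs: the selected artifact field is collected from every artifact in the container, and one action call is produced per value and per chosen asset, with any linked parameter copied into every asset's parameter set. This is an added illustration, not Splunk Phantom's playbook API or generated playbook code; the container dictionary is constructed sample data and the function names, the `context` key and the duplicate-value skipping are assumptions made for the example.

```python
"""Model of how an Action block expands a selected artifact field into
per-asset action calls. Added example; not Splunk Phantom's own code."""

# Constructed sample container: an IPS event that produced artifacts whose
# CEF data carries sourceAddress and destinationAddress (values are made up).
CONTAINER = {
    "id": 42,
    "artifacts": [
        {"id": 101, "cef": {"sourceAddress": "10.0.0.5",
                            "destinationAddress": "203.0.113.7",
                            "signature": "sample IPS signature"}},
        {"id": 102, "cef": {"sourceAddress": "10.0.0.9",
                            "destinationAddress": "203.0.113.7"}},
        {"id": 103, "cef": {"fileHash": "sample-hash-placeholder"}},
    ],
}


def collect_field(container, field):
    """Return (value, artifact_id) pairs for every artifact that carries
    `field`; artifacts without the field are skipped, which is why picking
    the right field in the editor matters."""
    pairs = []
    for artifact in container["artifacts"]:
        if field in artifact["cef"]:
            pairs.append((artifact["cef"][field], artifact["id"]))
    return pairs


def build_action_calls(container, action, param_name, field, assets,
                       linked=None):
    """Expand one Action block into the calls it would issue.

    action     - action name as shown in the editor, e.g. "block ip"
    param_name - the action parameter the selected field feeds
    field      - the artifact field selected in the editor
    assets     - every asset the block runs the action on
    linked     - parameters shared across assets (the "linked" label in the
                 editor): one value, applied to every asset's parameters
    Identical values are acted on once (an assumption of this model).
    """
    linked = linked or {}
    calls = []
    seen_values = set()
    for value, artifact_id in collect_field(container, field):
        if value in seen_values:
            continue
        seen_values.add(value)
        for asset in assets:
            params = {param_name: value,
                      "context": {"artifact_id": artifact_id}}
            params.update(linked)
            calls.append({"action": action, "asset": asset,
                          "parameters": params})
    return calls


if __name__ == "__main__":
    # Two firewall assets (one per network segment) sharing a linked comment.
    for call in build_action_calls(CONTAINER, "block ip", "ip",
                                   "sourceAddress", ["fw_dmz", "fw_corp"],
                                   linked={"comment": "blocked by playbook"}):
        print(call)
```

Running the block prints four calls: two distinct source addresses times two assets, each carrying the same linked comment. Changing the linked value changes it for both assets, which is exactly why separate values need separate Action blocks.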
Settings
Follow these steps to configure the settings for an Action block:
- Click Settings.
- Select Info, Action, or Advanced.
Setting | Description |
---|---|
Info | Configure settings for this Action block. |
Action | Configure the action settings that a user must perform. |
Advanced | Join Settings and Artifact Scope, described in the following table. |

Advanced setting | Description |
---|---|
Join Settings | You can configure Join settings when you have two blocks with callbacks both calling the same downstream block. Block types with callbacks are Action and Prompt. Configure Join settings from the downstream block. Click the required checkbox if the action in the upstream block must be completed before this downstream block is run. |
Artifact Scope | Select a value from the drop-down menu. The setting determines which artifacts are processed when the playbook block runs. |
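The two Advanced settings are easiest to see as small pieces of control logic. The Python below models them: an artifact-scope filter that decides which artifacts a block processes, and a join gate that lets the downstream block run only once every upstream block marked required has called back. This is an added example, not Splunk Phantom's code; the scope names, the `last_seen_id` cutoff used to model "new" artifacts, and the `JoinGate` class are assumptions for the illustration, and the artifacts are constructed sample data.

```python
"""Model of an Action block's Artifact Scope and Join settings.
Added example with constructed data; not Splunk Phantom's own API."""

# Constructed artifacts; ids increase in the order they were added.
ARTIFACTS = [
    {"id": 201, "cef": {"sourceAddress": "10.0.0.5"}},
    {"id": 202, "cef": {"sourceAddress": "10.0.0.6"}},
    {"id": 203, "cef": {"sourceAddress": "10.0.0.7"}},
]


def scoped_artifacts(artifacts, scope, last_seen_id=0):
    """Apply the block's Artifact Scope before it runs.

    "all" processes every artifact in the container; "new" processes only
    artifacts added since the playbook last ran, modelled here as ids above
    `last_seen_id` (an assumption made for this example).
    """
    if scope == "all":
        return list(artifacts)
    if scope == "new":
        return [a for a in artifacts if a["id"] > last_seen_id]
    raise ValueError(f"unknown artifact scope: {scope!r}")


class JoinGate:
    """Downstream block fed by several callback blocks (Action or Prompt).

    Upstream blocks listed in `required` must report completion before the
    downstream block runs; other upstream blocks may still be pending. The
    downstream block runs once, when the last required callback arrives.
    """

    def __init__(self, downstream, required):
        self.downstream = downstream
        self.required = set(required)
        self.completed = set()
        self.runs = 0

    def callback(self, upstream):
        """Record that `upstream` finished. Returns True if the downstream
        block ran as a result of this callback, False otherwise."""
        self.completed.add(upstream)
        if self.runs == 0 and self.required <= self.completed:
            self.runs += 1
            return True
        return False

    def pending(self):
        """Required upstream blocks the join is still waiting on."""
        return sorted(self.required - self.completed)


if __name__ == "__main__":
    print("new artifacts:", [a["id"] for a in scoped_artifacts(ARTIFACTS, "new", 201)])
    gate = JoinGate("block ip", required=["geolocate ip", "ip reputation"])
    for finished in ["geolocate ip", "whois ip", "ip reputation"]:
        print(finished, "->", "downstream ran" if gate.callback(finished) else "waiting", gate.pending())
```

In the run at the bottom, the optional `whois ip` callback does not release the join, and the downstream block fires only when `ip reputation`, the second required block, completes; a later duplicate callback does not run it again.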
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.4, 4.10.6, 4.10.7