Splunk® Phantom (Legacy)

Build Playbooks with the Visual Editor

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Add an Action block to a Splunk Phantom playbook

Perform the following steps to add an Action block to a playbook:

  1. Drag the half-circle icon attached to any existing block in the editor.
  2. Select Action from the list of block types. Actions available to you in the playbook editor are determined by the apps that are installed and configured in Splunk Phantom.
  3. Select the action you want to configure, or enter an action name in the search field if you don't see the desired action listed. You can also filter the list of actions by action type.
  4. To filter by action type, select investigate, generic, correct, or contain.
  5. Click By App to view a list of configured apps, and select an available action provided by the selected app.
  6. Select an asset that you want to run the action on. An asset is a specific configuration or instance of an app. In some cases, you may have multiple configurations for a specific app. For example, your environment may have multiple networks separated by firewalls, which require you to configure one instance of a specific app for each network.
  7. Select the field you want to run the action on. For example, an IPS event may have fields such as sourceAddress, destinationAddress, and the attack signature. When a container is created in Splunk Phantom for that event, it has an artifact with sourceAddress and destinationAddress fields taken from the event.
  8. Select one of these fields to perform the action on.
  9. Click Save.
  10. Enter a comment about this action.
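The following is an added illustration of what the configured Action block does when it runs: filtering actions by type (step 4), listing the assets that provide an action (step 6), and building one parameter set per artifact from the selected field (steps 7 and 8). It is not Splunk Phantom's own playbook code; the asset registry, the `Artifact` class, the sample artifacts and all function names are constructed for this example. The IP validation is an addition that keeps a malformed sourceAddress value from being handed to a contain action.

```python
"""Model of a configured Action block at run time (added example, not Splunk Phantom code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Artifact:
    """A container artifact; `cef` holds the event fields (e.g. sourceAddress)."""
    id: int
    cef: dict = field(default_factory=dict)


# Constructed asset registry: app -> asset name -> {action name: action type}.
# Two firewall assets model one app configured once per network segment.
ASSETS = {
    "firewall_app": {
        "fw_dmz": {"block ip": "contain", "list rules": "investigate"},
        "fw_corp": {"block ip": "contain", "list rules": "investigate"},
    },
    "geo_app": {
        "geo": {"geolocate ip": "investigate"},
    },
}


def actions_by_type(action_type):
    """Step 4: the action names available for one type (investigate, generic, correct, contain)."""
    found = set()
    for app in ASSETS.values():
        for actions in app.values():
            found.update(name for name, kind in actions.items() if kind == action_type)
    return sorted(found)


def assets_for_action(action):
    """Step 6: every configured asset that provides the chosen action."""
    return sorted(
        asset for app in ASSETS.values()
        for asset, actions in app.items() if action in actions
    )


def build_parameters(artifacts, field_name, param_name, require_ip=False):
    """Steps 7-8: one parameter set per artifact that carries the selected field.

    Artifacts without the field are skipped. With require_ip=True, values that do
    not parse as an IP address are skipped too, so bad event data never reaches
    the firewall action. Each parameter set records which artifact it came from.
    """
    params = []
    for art in artifacts:
        value = art.cef.get(field_name)
        if value in (None, ""):
            continue
        if require_ip:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue
        params.append({param_name: value, "context": {"artifact_id": art.id}})
    return params


def run_action(action, asset, artifacts, field_name, param_name):
    """Resolve the action on the chosen asset and return what would be dispatched."""
    if asset not in assets_for_action(action):
        raise ValueError(f"asset {asset!r} does not provide action {action!r}")
    params = build_parameters(artifacts, field_name, param_name,
                              require_ip=(param_name == "ip"))
    return {"action": action, "asset": asset, "parameters": params}


# Constructed sample artifacts: one valid source, one malformed, one without the field.
SAMPLE_ARTIFACTS = [
    Artifact(1, {"sourceAddress": "203.0.113.7", "destinationAddress": "10.0.0.5",
                 "signature": "scan detected"}),
    Artifact(2, {"sourceAddress": "not-an-ip", "destinationAddress": "10.0.0.6"}),
    Artifact(3, {"destinationAddress": "10.0.0.7"}),
]

if __name__ == "__main__":
    print(run_action("block ip", "fw_dmz", SAMPLE_ARTIFACTS, "sourceAddress", "ip"))
```

Running the module dispatches "block ip" on the fw_dmz asset with a single parameter set, the one built from artifact 1; artifacts 2 and 3 are dropped before anything reaches the asset.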

Configure linked parameters

Configure linked parameters in an Action block when you have multiple assets that share parameters with the same name. For example, you might have multiple assets configured that provide an action to create a ticket with a subject parameter. In this case, the word "linked" appears above the subject field, indicating that the field is linked to another field with the same name in a different asset. If you change the value here, the value for the field changes in all assets.

If you need to have the field take separate values, create separate action blocks.

Settings

Follow these steps to configure the settings for an Action block:

  1. Click Settings.
  2. Select Info, Action, or Advanced.

Setting: Info
Description: Configure settings for this Action block.
  • Custom Name: The name for this action block. This name is visible in the playbook editor and also in Splunk Phantom wherever details about this action are visible.
  • Description: The Description field shows up as a code comment above the block definition.
  • Notes: The Notes field contents appear when you hover over the Note icon in the action block.

Setting: Action
Description: Configure the conditions that must be met before the action runs.
  • Reviewer: Select a user or group that must approve this action before the action runs. If you select a group or role, any user in that role can approve the action.
  • Delay Timer: Set a delay in minutes before the action runs. A clock icon is visible on the action block to show that a delay is configured.

Setting: Advanced
Description: The Advanced tab contains the following settings.
  • Join Settings: You can configure Join settings when you have two blocks with callbacks both calling the same downstream block. Block types with callbacks are Action and Prompt. Configure Join settings from the downstream block. Click the required checkbox if the action in the upstream block must be completed before this downstream block is run.
  • Artifact Scope: Select a value from the drop-down menu. The setting determines which artifacts are processed when the playbook block runs.
      • Default matches the scope of the playbook.
      • New Artifacts processes only the artifacts that were defined since the block was last run.
      • All Artifacts includes all artifacts when the playbook block runs.
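As an added example of the two Advanced settings above (not Splunk Phantom's scheduler code), the block below models how the Artifact Scope choice narrows the artifacts a block sees, and how a downstream block with Join settings waits for the upstream blocks marked as required. The `Artifact` class, the `JoinGate` class, the timestamps and the block names are constructed; treating the playbook's own scope as either "new" or "all", and running the joined downstream block at most once, are assumptions of this model.

```python
"""Model of Artifact Scope and Join settings (added example, not Splunk Phantom code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Artifact:
    id: int
    create_time: datetime


def artifacts_in_scope(artifacts, block_scope, playbook_scope,
                       block_last_run, playbook_last_run):
    """Return the artifacts a block processes on this run.

    block_scope:    "default" | "new" | "all"  (the Artifact Scope drop-down)
    playbook_scope: "new" | "all"              (assumed model of the playbook's scope)
    "new" keeps only artifacts created after the relevant last run; a block or
    playbook that has never run (last run None) sees everything.
    """
    if block_scope == "default":
        scope, since = playbook_scope, playbook_last_run
    elif block_scope == "new":
        scope, since = "new", block_last_run
    elif block_scope == "all":
        scope, since = "all", None
    else:
        raise ValueError(f"unknown artifact scope {block_scope!r}")
    if scope == "all" or since is None:
        return list(artifacts)
    return [a for a in artifacts if a.create_time > since]


@dataclass
class JoinGate:
    """A downstream block fed by several callback blocks (Action or Prompt).

    `required` holds the upstream block names whose 'required' checkbox is ticked.
    on_callback() is invoked each time an upstream block finishes and returns True
    exactly once: when every required upstream block has completed (assumption:
    the joined block runs a single time per playbook run).
    """
    required: frozenset
    completed: set = field(default_factory=set)
    runs: int = 0

    def on_callback(self, upstream):
        self.completed.add(upstream)
        if self.runs == 0 and self.required <= self.completed:
            self.runs += 1
            return True
        return False


# Constructed sample data: three artifacts created at different times.
NOW = datetime(2021, 5, 20, 12, 0)
SAMPLE_ARTIFACTS = [
    Artifact(1, NOW - timedelta(hours=2)),
    Artifact(2, NOW - timedelta(minutes=30)),
    Artifact(3, NOW - timedelta(minutes=5)),
]
BLOCK_LAST_RUN = NOW - timedelta(minutes=10)
PLAYBOOK_LAST_RUN = NOW - timedelta(hours=1)


def scope_demo():
    """Artifact ids seen under each Artifact Scope choice with the sample clock."""
    return {
        scope: [a.id for a in artifacts_in_scope(SAMPLE_ARTIFACTS, scope, "new",
                                                 BLOCK_LAST_RUN, PLAYBOOK_LAST_RUN)]
        for scope in ("default", "new", "all")
    }


if __name__ == "__main__":
    print(scope_demo())
    gate = JoinGate(required=frozenset({"block_ip_1", "prompt_1"}))
    print(gate.on_callback("block_ip_1"), gate.on_callback("prompt_1"))
```

With the sample clock, "all" returns artifacts 1, 2 and 3, "default" (playbook scope "new", last playbook run an hour ago) returns 2 and 3, and "new" (block last run ten minutes ago) returns only artifact 3. The join gate stays closed after the first required callback and opens on the second.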
Last modified on 20 May, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.4, 4.10.6, 4.10.7
