Splunk® Phantom (Legacy)

Build Playbooks with the Visual Editor

Acrobat logo Download manual as PDF


Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.
Acrobat logo Download topic as PDF

Customize the format of your Splunk Phantom playbook content

Use the Format block to craft custom strings and messages from various objects.

You might consider using a Format block to put together the body text for creating a ticket or sending an email. Imagine you have a playbook set to run on new containers and artifacts that does a basic lookup of source IP address artifacts. You want to take the results of that lookup, format the results, and send the information as an email. You craft your playbook so that the action results are available to the format block.

To configure a Format block, perform the following steps:

  1. Create a new block in the Visual Playbook Editor (VPE).
  2. Select Format from the list of block types.
  3. Configure the template parameter variables in the Template Parameters field. The first variable is identified as {0}, the next as {1}, and so on. You can select any event and container properties. You can also select data from any upstream block.
  4. In the Template field, craft a message using the variables you define.

Settings

Follow these steps to configure the settings for a Format block:

  1. Click Settings.
  2. Select Info or Advanced.
Setting Description
Info Configure settings for this Format block.
  • Custom Name: The name for this format block. This name is visible in the playbook editor and also in Splunk Phantom wherever details about this action are visible.
  • Description: The Description field shows up as a code comment above the block definition.
  • Notes: The Notes field contents appear when you hover over the Note icon in the action block.
Advanced setting Description
Join Settings You can configure Join settings when you have two blocks with callbacks both calling the same downstream block. Block types with callbacks are Action and Prompt. Configure Join settings from the downstream block. Click the required checkbox if the action in the upstream block must be completed before this downstream block is run.
Artifact Scope Select a value from the drop-down menu. The setting determines which artifacts are processed when the playbook block runs.
  • Default matches the scope of the playbook.
  • New Artifacts processes only the artifacts that were defined since the block was last run.
  • All Artifacts includes all artifacts when the playbook block runs.
Delimiter Specify an alternate separator. If a datapath response contains a list, the default output separator is a comma ( , ). Spaces are not stripped from this field.

Use caution if you choose to use characters reserved for Markdown, such as an asterisk *, as a delimiter in this block type. These characters could be incorrectly interpreted as Markdown.

Drop None values Check this box to drop values of "None". By default, "None" values are included in the resulting string.

Example of defining a template

This example defines a template in the following manner: 

IP address: {0}
IP address country: {1}
IP address reputation: {2}

The message returned as a result of this template looks like the following: 

IP address: 1.2.3.4
IP address country: United States
IP address reputation: Malicious

If multiple events are picked up at the same time, you see the following message: 

IP address: 1.2.3.4, 10.11.12.13
IP address country: United States, Turkey
IP address reputation: Malicious

You can wrap %% around a formatting block to make each set of values output on its own line. For example: 

%%
The IP address {0} originates from {1}.
%%

Wrapping %% around a formatting block produces results like the following: 

The IP address 1.2.3.4 originates from United States.
The IP address 10.11.12.13 originates from Turkey.

Example of using the Python str.format() function to create more advanced templates

More complicated formatting is supported using all the capabilities of the Python str.format() function. The following template demonstrates double curly brackets to support curly bracket escaping, automatic escaping of backslashes and quotes, and centered string alignment with a custom filler character: 

JSON Formatting:
{{"notable_id":"{0}","event_count":{1}}}

Backslashes and quotes are escaped:
"ls /Applications/System \Preferences.app/"

Python formatting is supported:
|{0:-^50}|{1:-^50}|
|{2:-^50}|{3:-^{3}{2}{1}{3}{2}{1}50}|

The template produces output as in the following example: 

JSON Formatting: 
{"notable_id":  "1004", "event_count": 10}

Backslashes and quotes are escaped:
"ls /Applications/System \Preferences.app/"

Python formatting is supported:
|-----------------------1004-----------------------|-----------------------10-----------------------|
|----------------------events----------------------|-------Zeus infection on HQ finance server------|

If a new line is needed, use \n.

Last modified on 24 May, 2021
PREVIOUS
Use decisions to send Splunk Phantom artifacts to a specific downstream action 		  NEXT
Require user input to continue running the Splunk Phantom playbook

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.4, 4.10.6, 4.10.7

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters