Splunk® Phantom (Legacy)

Build Playbooks with the Visual Editor

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Require user input to continue running the Splunk Phantom playbook

You can configure a task or prompt in your Splunk Phantom playbook that a user must acknowledge before any further actions in the playbook run. You can configure the following types of user input in a playbook:

  • A manual task using a Manual Task block that must be acknowledged by a user.
  • A prompt using a Prompt block that must be acknowledged by a user. You can configure a specific response type with a Prompt block.

Require user input using the Manual Task block in your playbook

Use a Manual Task block to send a message to a Splunk Phantom user or group that they must acknowledge. This is the same as manually running a task action from the Investigation menu.

To configure a manual task, perform the following tasks:

  1. Drop a new block onto the playbook editor.
  2. Click on the block, then select Manual Task from the block types.
  3. Select an Approver from the drop-down list. If the task is assigned to a group of users, the first user to process it completes the task.
  4. From the Required response time field, choose the response time in minutes.
  5. In the Message box, craft a meaningful message so the users receiving the message understand what actions they must take.

Require user input using the Prompt block in your playbook

Use a Prompt block in your playbook to send a message to a user or group that they must acknowledge.

To configure a prompt, perform the following tasks:

  1. Drop a new block onto the playbook editor.
  2. Click on the block, and then select Prompt from the block types.
  3. Select an Approver from the drop-down list. If the task is assigned to a group of users, the first user to process it completes the task.
  4. From the Required response time field, choose the response time in minutes.
  5. In the Message box, craft a meaningful message so the users receiving the message understand what actions they must take. Markdown is supported.
  6. From the Responses drop-down list, choose the type of response required to complete the task. If the response type is Message, markdown is supported.

See https://guides.github.com/features/mastering-markdown/ for more information on the type of Markdown that can be used in the Message box.
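The approval gate that a Prompt block creates can be summarised as: one approver or group, a required response time in minutes, and a required response type; the first member of a group to answer completes the task, and no downstream block runs until then. The following Python model is an added illustration written for this page. It is not Splunk Phantom's playbook API, and the class name Prompt, the method names, the response type labels ("list", "message", "boolean") and the sample users and messages are all assumptions constructed for the example.

```python
"""Model of the approval gate a Prompt block creates (added example, not
Splunk Phantom code): an approver set, a required response time and a
required response type. All names below are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Prompt:
    approvers: set               # user names; a group is modelled as a set of users
    message: str
    respond_in_mins: int         # the "Required response time" setting
    response_type: str           # "list", "message" or "boolean" (assumed labels)
    choices: tuple = ()          # valid answers when response_type == "list"
    opened_at: datetime = field(default_factory=datetime.now)
    responder: Optional[str] = None
    response: Optional[object] = None

    def deadline(self):
        return self.opened_at + timedelta(minutes=self.respond_in_mins)

    def state(self, now=None):
        """'pending', 'completed' or 'expired' as seen at time `now`."""
        now = now or datetime.now()
        if self.responder is not None:
            return "completed"
        return "expired" if now >= self.deadline() else "pending"

    def respond(self, user, answer, now=None):
        """Record an answer and return the resulting state.

        Only a listed approver may answer; the first valid answer from the
        group completes the task; an answer after the deadline is refused so
        downstream blocks never run on a stale approval.
        """
        now = now or datetime.now()
        if user not in self.approvers:
            raise PermissionError(f"{user} is not an approver for this prompt")
        current = self.state(now)
        if current != "pending":
            return current
        if not self._valid(answer):
            raise ValueError(f"{answer!r} does not match response type {self.response_type}")
        self.responder, self.response = user, answer
        return "completed"

    def _valid(self, answer):
        if self.response_type == "list":
            return answer in self.choices
        if self.response_type == "boolean":
            return isinstance(answer, bool)
        return isinstance(answer, str) and answer.strip() != ""


def run_gate_example():
    """Constructed walk-through: a group prompt where the first responder wins."""
    t0 = datetime(2021, 5, 24, 12, 0, 0)
    p = Prompt(approvers={"alice", "bob"}, message="Block the reported sender?",
               respond_in_mins=30, response_type="list", choices=("Yes", "No"),
               opened_at=t0)
    first = p.respond("alice", "Yes", now=t0 + timedelta(minutes=5))
    second = p.respond("bob", "No", now=t0 + timedelta(minutes=6))  # task already completed
    return first, second, p.responder, p.response


def run_expiry_example():
    """Constructed walk-through: an answer after the required response time is refused."""
    t0 = datetime(2021, 5, 24, 12, 0, 0)
    p = Prompt(approvers={"carol"}, message="Quarantine the host?",
               respond_in_mins=10, response_type="boolean", opened_at=t0)
    late = p.respond("carol", True, now=t0 + timedelta(minutes=11))
    return late, p.responder


if __name__ == "__main__":
    print(run_gate_example())    # ('completed', 'completed', 'alice', 'Yes')
    print(run_expiry_example())  # ('expired', None)
```

The model makes two properties explicit that matter when a prompt guards a containment action: a second approver's answer cannot overwrite the first one, and a late answer leaves the task expired rather than silently approving it.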

Settings

Follow these steps to configure the settings for a Prompt block:

  1. Click Settings.
  2. Select Info or Advanced.
Info settings

Configure settings for this Prompt block.

  • Custom Name: The name for this block. This name is visible in the playbook editor and also in Splunk Phantom wherever details about this action are visible.
  • Description: The Description field shows up as a code comment above the block definition.
  • Notes: The Notes field contents appear when you hover over the Note icon in the action block.

Advanced settings

  • Join Settings: You can configure Join settings when two blocks with callbacks both call the same downstream block. Block types with callbacks are Action and Prompt. Configure Join settings from the downstream block. Select the required checkbox if the action in the upstream block must complete before this downstream block runs.
  • Artifact Scope: Select a value from the drop-down menu. The setting determines which artifacts are processed when the playbook block runs.
      • Default matches the scope of the playbook.
      • New Artifacts processes only the artifacts that were defined since the block was last run.
      • All Artifacts includes all artifacts when the playbook block runs.
  • Delimiter: Specify an alternate separator. If a datapath response contains a list, the default output separator is a comma ( , ). Spaces are not stripped from this field.

    Use caution if you choose to use characters reserved for Markdown, such as an asterisk *, as a delimiter in this block type. These characters could be incorrectly interpreted as Markdown.

  • Drop None values: Select this checkbox to drop values of "None". By default, "None" values are included in the resulting string.
Last modified on 24 May, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.4, 4.10.6, 4.10.7

