Splunk® Phantom (Legacy)

Python Playbook Tutorial for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Tutorial: Specify assets in Splunk Phantom

This tutorial demonstrates how to run more complex actions within a playbook. In this example, you want to run an action on a specific asset. You can either name the target assets explicitly in the act() call, or supply a tag so that the action runs on every asset carrying that tag.

Specify assets by ID

To run an action on specific assets, pass a list of asset names in the assets argument of the act() call. The value is the asset's name as configured in Splunk Phantom; the platform resolves it to the asset's internal ID, which is what the debugger output shows when the action starts.

import phantom.rules as phantom
import json

# Callback for the 'list vms' action. 'success' is the overall outcome of the
# act() call; 'results' is a list with one entry per asset the action ran on.
def list_vms_cb(action, success, container, results, handle):

    if not success:
        # At least one asset did not complete the action; stop here.
        return

    # Process the returned VM inventory from 'results' here.
    return

def on_start(incident):

    # 'assets' takes configured asset names; Phantom resolves them to asset IDs.
    phantom.act('list vms', assets=["vmwarevsphere"], callback=list_vms_cb)
    return

Running the playbook in the playbook debugger produces the following output. Note that act() reports the asset by name and then starts the action on the asset's resolved ID:

2015-03-14T21:12:41.365000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:12:41.369000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere
2015-03-14T21:12:41.370000:  act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:12:41.385000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T21:12:41.387000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:12:41.410000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:12:42.130000: running: Loaded action execution configuration
2015-03-14T21:12:42.135000: running: Connecting to 10.10.0.40...
2015-03-14T21:13:08.769000: success: 1 of 1 action succeeded
2015-03-14T21:13:08.879000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:13:08.882000:  calling action callback function: list_vms_cb
 *** The Rule has completed. Result: success ***

Specify assets by tag

You can also pass a tag to the act() function instead of an assets list. The action runs on every asset that carries the tag and supports the action. Because the target set is resolved from the tag at run time, the reach of the action grows whenever another asset is given that tag. For actions that change state, such as blocking or quarantining, an explicit assets list keeps the set of affected systems predictable, and the reviewer argument of act() (the debugger output reports whether a user was specified for reviewing parameters) adds a human approval step before the action runs.

import phantom.rules as phantom
import json

# Callback for the 'list vms' action. With a tag, the action may fan out to
# several assets; 'results' then has one entry per asset, and 'success' is the
# overall outcome across all of them.
def list_vms_cb(action, success, container, results, handle):

    if not success:
        # At least one asset did not complete the action; stop here.
        return

    # Process the per-asset VM inventories from 'results' here.
    return

def on_start(incident):

    # 'tags' selects every asset tagged 'virtual' that supports 'list vms'.
    phantom.act('list vms', tags=["virtual"], callback=list_vms_cb)
    return

By using a tag, the list vms action runs on all assets tagged as virtual. In the debugger output, act() first warns that no explicit assets were specified, then resolves the tag to two assets, vmwarevsphere and vmwarevsphere2. Each asset runs as its own action execution against its own host, and the callback is called once, after both executions have finished:

2015-03-14T21:21:52.723000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:21:52.737000:  act(): Warning: For action 'list vms' no assets were specified. The action shall execute on all matching assets
2015-03-14T21:21:52.760000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere, vmwarevsphere2
2015-03-14T21:21:52.760000:  act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere, vmwarevsphere2] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:21:52.780000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T21:21:52.794000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:21:52.828000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:52.833000: Starting action 'list vms' on asset '5a776fff-37d7-4a34-a299-21354dff8c45'
2015-03-14T21:21:52.863000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:54.883000: running: Loaded action execution configuration
2015-03-14T21:21:54.890000: running: Connecting to 10.10.0.40...
2015-03-14T21:21:54.906000: running: Loaded action execution configuration
2015-03-14T21:21:54.912000: running: Connecting to 10.10.0.70...
2015-03-14T21:22:04.967000: success: 1 of 1 action succeeded
2015-03-14T21:22:05.097000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.325000: success: 1 of 1 action succeeded
2015-03-14T21:22:20.446000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.451000:  calling action callback function: list_vms_cb
 *** The Rule has completed. Result: success *** 
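The callbacks on this page return without looking at their results. When a tag fans an action out to several assets, as in the output above, the callback is invoked once for all of them, so it needs to inspect the per-asset entries rather than rely on the single success flag. The following is an added example and not Splunk's code. It assumes that results is a list of per-asset dicts carrying asset_name, asset_id and an action_results list whose entries have status and data; confirm that shape against the debugger's dump of the real results before relying on it. The sample results at the bottom are constructed to stand in for what the Phantom runtime would pass after the run on vmwarevsphere and vmwarevsphere2, with the second asset failing, so the module also runs outside Phantom.

```python
# Added example (not Splunk's code): a callback that handles a tag fan-out by
# inspecting per-asset results instead of trusting the aggregate 'success' flag.
# ASSUMPTION: 'results' is a list of per-asset dicts with 'asset_name', 'asset_id'
# and 'action_results' (each with 'status' and 'data'). Verify in the debugger.

try:
    import phantom.rules as phantom   # only present inside the Phantom playbook runtime
    _log = phantom.debug
except ImportError:                   # lets the helpers run (and be tested) outside Phantom
    _log = print


def per_asset_outcome(results):
    """Map each asset name to its status and the number of VMs it returned."""
    outcome = {}
    for result in results:
        asset = result.get("asset_name") or str(result.get("asset_id", "unknown"))
        status = "failed"
        vm_count = 0
        for action_result in result.get("action_results", []):
            if action_result.get("status") == "success":
                status = "success"
                vm_count += len(action_result.get("data", []))
        outcome[asset] = {"status": status, "vm_count": vm_count}
    return outcome


def failed_assets(results):
    """Names of assets on which the action did not succeed, sorted for stable output."""
    return sorted(name for name, info in per_asset_outcome(results).items()
                  if info["status"] != "success")


def list_vms_cb(action, success, container, results, handle):
    """Callback for 'list vms': log every asset's outcome and report partial failures.

    Returns the per-asset outcome so the decision it makes can be checked.
    """
    outcome = per_asset_outcome(results)
    for asset, info in outcome.items():
        _log("%s: %s, %d VMs" % (asset, info["status"], info["vm_count"]))

    failures = failed_assets(results)
    if not success or failures:
        # Do not chain a follow-on act() here: part of the tag's asset set is unknown.
        _log("list vms did not succeed on: %s" % ", ".join(failures))
    return outcome


# Constructed sample results (not real Phantom output) for the two assets in the
# tag-based run above; vmwarevsphere2 fails to connect.
SAMPLE_RESULTS = [
    {"asset_name": "vmwarevsphere", "asset_id": 1,
     "action_results": [{"status": "success",
                         "data": [{"vm_name": "web01"}, {"vm_name": "db01"}]}]},
    {"asset_name": "vmwarevsphere2", "asset_id": 2,
     "action_results": [{"status": "failed", "message": "Connection refused",
                         "data": []}]},
]

if __name__ == "__main__":
    # 'success' is False because not every asset succeeded.
    list_vms_cb("list vms", False, None, SAMPLE_RESULTS, None)
```

Inside a playbook, drop the SAMPLE_RESULTS block and the __main__ guard and wire list_vms_cb to act() as on this page; the import fallback is harmless there because phantom.rules is always importable in the runtime.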
Last modified on 29 April, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

