Splunk® Phantom (Legacy)

Python Playbook Tutorial for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Develop, test, and deploy playbooks in Splunk Phantom

Playbooks can encode a very simple and repetitive set of simple actions OR can encode a very complex strategy to actively deal with a security breach or an incident. These strategies may be comprised of many actions combined to be executed either serially or in parallel.

Actions can be executed independent of each other (and hence in parallel) if they are called one after the other in a Playbook. However in order to execute them in sequence, either because there is a genuine dependency between two actions (parameters to action #2 are the output of action #1), action #1 has to specify a callback and in the callback of action #1, action #2 can be called.

In order to build these Playbooks and confidently deploy them, the platform supports the ability to debug them so that the author can see what the playbook is doing. Once the author is confident of the results and the Playbook is executing actions as expected, the Playbook can be saved. If the intention is to let the Playbook be executed in real time as new containers or artifacts are coming in, the Playbook has to be enabled.

Last modified on 29 April, 2020
Tutorial: Chain a series of actions in Splunk Phantom  

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters