Splunk® Phantom (Legacy)

Python Playbook Tutorial for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Tutorial: Specify parameters in Splunk Phantom

Most actions require at least one parameter to function. Parameters are passed to act() as a list of dictionaries; each dictionary is one set of parameters for the action, and the action decides which keys that dictionary must contain. Refer to the API documentation for the app you're using to find the required parameters and their expected format.

This example uses the WHOIS app to execute a simple WHOIS query. The WHOIS domain action requires one parameter: a domain name.

import phantom.rules as phantom
import json

def whois_domain_cb(action, success, container, results, handle):
    # Called when the 'whois domain' action finishes. 'success' tells you whether
    # the action completed, and 'results' holds the data the app returned.
    if not success:
        return

    return

def on_start(incident):

    # Hard-coded parameter sets: one dictionary per domain to look up.
    params = [ { "domain": "phantom.us" },
               { "domain": "splunk.com" } ]
    
    phantom.act('whois domain', parameters=params, callback=whois_domain_cb)
    return

The playbook runs and produces results that you can view on the container detail screen or in Investigation in the WHOIS app.

2015-03-14T23:21:02.688000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T23:21:02.690000:  act(): Warning: For action 'whois domain' no assets were specified. The action shall execute on all matching assets
2015-03-14T23:21:02.704000:  act(): No assets found for action 'whois domain'.
2015-03-14T23:21:02.705000:  act(): action details: [whois domain] parameters: [[{"domain": "phantom.us"}, {"domain": "splunk.com"}]] assets: [] callback function: [whois_domain_cb] and NO user specified for reviewing params
2015-03-14T23:21:02.711000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T23:21:02.712000: Starting action 'whois domain' on asset ''
2015-03-14T23:21:02.717000: running: The connector 'WHOIS App' started successfully. Execution parameters sent.
2015-03-14T23:21:02.970000: running: Loaded action execution configuration
2015-03-14T23:21:04.845000: success: 3 of 3 actions succeeded
2015-03-14T23:21:04.864000: Command 'whois domain' success. 3 of 3 actions succeeded
2015-03-14T23:21:04.869000:  calling action callback function: whois_domain_cb
 *** The Rule has completed. Result: success *** 

Dynamically build parameters from container data

Hard coding parameters into your scripts doesn't allow much flexibility. Instead, take the data from the container and use it as the parameters to your actions. You can extract data from the container either by indexing directly into its JSON elements or through the collect() call.

collect() takes a data path, searches the container's JSON for the matching key, and returns the associated values, so you do not have to walk the structure yourself.

In this example, the incident has artifacts whose Common Event Format (CEF) data contains domain names. The following function uses collect() to extract every domain name and passes them all as parameters to the WHOIS action.

import phantom.rules as phantom
import json

def whois_domain_cb(action, success, container, results, handle):
    # Called when the 'whois domain' action finishes; 'results' holds the app output.
    if not success:
        return

    return

def on_start(incident):

    params = []

    # Data path 'artifact:*.cef.sourceDnsDomain' selects the cef.sourceDnsDomain
    # value of every artifact in the container; 'all' is the scope and 100 the
    # maximum number of values to return.
    hosts = phantom.collect(incident, 'artifact:*.cef.sourceDnsDomain', 'all', 100)
    for host in hosts:
        params.append({ 'domain': host })     

    phantom.act('whois domain', parameters=params, callback=whois_domain_cb)
    return

Example result:

2015-03-14T23:51:36.309000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T23:51:36.336000:  act(): Warning: For action 'whois domain' no assets were specified. The action shall execute on all matching assets
2015-03-14T23:51:36.345000:  act(): No assets found for action 'whois domain'.
2015-03-14T23:51:36.345000:  act(): action details: [whois domain] parameters: [[{"domain": "phantom.us"}, {"domain": "splunk.com"}]] assets: [] callback function: [whois_domain_cb] and NO user specified for reviewing params
2015-03-14T23:51:36.357000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T23:51:36.359000: Starting action 'whois domain' on asset ''
2015-03-14T23:51:36.394000: running: The connector 'WHOIS App' started successfully. Execution parameters sent.
2015-03-14T23:51:36.852000: running: Loaded action execution configuration
2015-03-14T23:51:38.103000: success: 3 of 3 actions succeeded
2015-03-14T23:51:38.116000: Command 'whois domain' success. 3 of 3 actions succeeded
2015-03-14T23:51:38.121000:  calling action callback function: whois_domain_cb
 *** The Rule has completed. Result: success *** 
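The following is an added, stand-alone example and is not code from the Splunk Phantom documentation or from the Phantom product. It shows the parameter-building logic from both sections above (a hard-coded list of dictionaries, and a list built from artifact data) in a form that runs offline: collect() here is a local stand-in that resolves an artifact:*.cef.<field> data path over a constructed container, and it is an assumption of this example that only the 'all' scope and the artifact:<id|*>.<dotted.keys> path shape are handled; it does not reproduce the real phantom.collect(). The container, its artifacts and all domain values are constructed for illustration. It also adds the check a practitioner wants before handing artifact data to an action: artifacts usually come from external feeds, so each value is normalised, deduplicated and syntax-checked before it becomes a parameter.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample container. Its shape (a list of artifacts, each with a
# "cef" dictionary) mirrors what a playbook sees, but the data is invented.
SAMPLE_CONTAINER: Dict[str, Any] = {
    "id": 4,
    "artifacts": [
        {"id": 1, "cef": {"sourceDnsDomain": "phantom.us", "sourceAddress": "203.0.113.5"}},
        {"id": 2, "cef": {"sourceDnsDomain": "Splunk.com."}},         # mixed case, trailing dot
        {"id": 3, "cef": {"sourceDnsDomain": "splunk.com"}},          # duplicate of artifact 2
        {"id": 4, "cef": {"sourceDnsDomain": "bad host; rm -rf /"}},  # junk from an untrusted feed
        {"id": 5, "cef": {"destinationDnsDomain": "example.org"}},    # different key, not selected
        {"id": 6, "cef": {}},                                         # no domain at all
    ],
}

# Hostname syntax check (RFC 1123 labels, alphabetic TLD). Artifact values are
# untrusted input, so nothing reaches an action without passing this.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def collect(container: Dict[str, Any], datapath: str, scope: str = "all", limit: int = 100) -> List[Any]:
    """Local stand-in for phantom.collect() covering 'artifact:<id|*>.<key>.<key>' paths.

    '*' selects every artifact; a numeric selector picks one artifact by id.
    Only the 'all' scope is implemented (an assumption of this example).
    """
    prefix, _, rest = datapath.partition(":")
    if prefix != "artifact" or not rest:
        raise ValueError("only artifact: data paths are supported in this example")
    if scope != "all":
        raise ValueError("only scope='all' is implemented in this example")
    selector, _, keypath = rest.partition(".")
    keys = keypath.split(".") if keypath else []

    values: List[Any] = []
    for artifact in container.get("artifacts", []):
        if selector != "*" and str(artifact.get("id")) != selector:
            continue
        node: Any = artifact
        for key in keys:              # descend the dotted path; a missing key yields nothing
            if not isinstance(node, dict) or key not in node:
                node = None
                break
            node = node[key]
        if node is None:
            continue
        values.append(node)
        if len(values) >= limit:      # the limit caps raw values, before any dedup
            break
    return values


def build_domain_params(hosts: List[Any]) -> Tuple[List[Dict[str, str]], List[Any]]:
    """Turn collected values into the list of dictionaries phantom.act() expects.

    Normalises case and trailing dots, drops duplicates (order preserved) and
    rejects anything that is not a syntactically valid hostname. Returns
    (parameters, rejected) so the playbook can log what it refused.
    """
    params: List[Dict[str, str]] = []
    seen = set()
    rejected: List[Any] = []
    for raw in hosts:
        host = str(raw).strip().rstrip(".").lower()
        if not _DOMAIN_RE.match(host):
            rejected.append(raw)
            continue
        if host in seen:
            continue
        seen.add(host)
        params.append({"domain": host})
    return params, rejected


def whois_params_for(container: Dict[str, Any], limit: int = 100) -> List[Dict[str, str]]:
    """What on_start() would compute before calling
    phantom.act('whois domain', parameters=params, callback=whois_domain_cb).
    In a real playbook, replace collect() with phantom.collect()."""
    hosts = collect(container, "artifact:*.cef.sourceDnsDomain", "all", limit)
    params, _ = build_domain_params(hosts)
    return params


if __name__ == "__main__":
    hosts = collect(SAMPLE_CONTAINER, "artifact:*.cef.sourceDnsDomain")
    params, rejected = build_domain_params(hosts)
    print("collected:", hosts)
    print("parameters:", params)
    print("rejected:", rejected)
```

Two caveats are worth keeping in mind when you do this in a real playbook. The limit you pass to collect() caps raw values before any deduplication, so duplicate artifacts consume part of the budget; deduplicate first if you need a fixed number of distinct lookups. And because artifacts are ingested from outside the platform, validating them in the playbook keeps a noisy or compromised feed from driving actions with malformed input, whatever the app itself does with its parameters.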
Last modified on 21 January, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

