Develop, test, and deploy playbooks in Splunk Phantom
Playbooks can encode a very simple and repetitive set of simple actions OR can encode a very complex strategy to actively deal with a security breach or an incident. These strategies may be comprised of many actions combined to be executed either serially or in parallel.
Actions can be executed independent of each other (and hence in parallel) if they are called one after the other in a Playbook. However in order to execute them in sequence, either because there is a genuine dependency between two actions (parameters to action #2 are the output of action #1), action #1 has to specify a callback and in the callback of action #1, action #2 can be called.
In order to build these Playbooks and confidently deploy them, the platform supports the ability to debug them so that the author can see what the playbook is doing. Once the author is confident of the results and the Playbook is executing actions as expected, the Playbook can be saved. If the intention is to let the Playbook be executed in real time as new containers or artifacts are coming in, the Playbook has to be enabled.
Tutorial: Chain a series of actions in Splunk Phantom |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
Feedback submitted, thanks!