Run an action in Splunk Phantom
Analysts can use the /action command to quickly run one of the actions Splunk Phantom supports.
Actions run with /action are the same actions that are found in the Run Action dialog box, but the names of the actions are formatted with underscores ( _ ) instead of spaces. For example, the action geolocate ip becomes geolocate_ip.
The Run Action dialog box guides you through selecting the information an action requires. Using the command line interface requires you to provide the same information as arguments to the /action command.
When you type /action in the comment field of the activity sidebar, a tooltip-style dialog appears to guide you through adding arguments, or you can use the --help argument to get a message with help information as shown here:
/action geolocate_ip "MaxMind" --help
PhBot returns the following help message:
usage: /action geolocate_ip [app] <required arguments> [--asset asset...] [--optional arguments]
Queries MaxMind for IP location info
required arguments:
  ip    IP to geolocate
The command-line interpreter validates arguments with the /action command. Incorrect arguments generate an error message to help you fix the arguments as shown in the following example:
/action whois_domain "WHOIS" splunk.com
The following error message is returned for the example:
/action whois_ip "WHOIS" a.b.not_an_ip
Use a list with the /action command
You can perform actions on lists of items by passing the list as an argument as shown in the following example:
/action geolocate_ip "MaxMind" ["1.1.1.1", "2.2.2.2"]
Lists must be presented in valid Python syntax, so individual items must be in quotation marks ( " ).
Passing the /action command multiple lists or datapaths, or a mix of lists and datapaths, results in a Cartesian product of their values, with one action run per combination. For example, [1, 2] [3, 4] results in four action runs: (1, 3), (1, 4), (2, 3), and (2, 4).
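An added illustration (not Splunk Phantom's own code) of the expansion described above: it parses list arguments as Python literals and builds the product of all arguments, so you can see which action runs a command would produce before submitting it. The helper names parse_argument and expand_runs are hypothetical, arguments are assumed to be already split into tokens, and datapaths are not modeled.

```python
import ast
from itertools import product


def parse_argument(token):
    """Return the values one positional argument contributes to the product.

    A token starting with "[" must be a list in valid Python syntax;
    any other token is treated as a single value.
    """
    if token.startswith("["):
        try:
            value = ast.literal_eval(token)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"not a valid Python list: {token}") from exc
        if not isinstance(value, list):
            raise ValueError(f"not a valid Python list: {token}")
        return value
    return [token]


def expand_runs(tokens):
    """Return one tuple of parameter values per resulting action run."""
    return list(product(*(parse_argument(t) for t in tokens)))


if __name__ == "__main__":
    # Constructed sample arguments, mirroring the examples in the text.
    samples = [
        ['["1.1.1.1", "2.2.2.2"]'],   # one list: two runs
        ["[1, 2]", "[3, 4]"],         # two lists: four runs
        ["[1.1.1.1, 2.2.2.2]"],       # unquoted items: rejected
    ]
    for tokens in samples:
        try:
            runs = expand_runs(tokens)
            print(f"{tokens} -> {len(runs)} run(s): {runs}")
        except ValueError as err:
            print(f"{tokens} -> error: {err}")
```

The number of runs is the product of the list lengths, so three lists of ten items each would expand to 1,000 action runs.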
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7