Splunk® SOAR (On-premises)

Python Playbook Tutorial for Splunk SOAR (On-premises)



This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Tutorial: Specify assets in

This tutorial demonstrates how to run more complex actions within a playbook. In this example, you want to run actions on a specific asset. You can either specify the asset by its ID, or specify a tag to include all assets associated with that tag.

Specify assets by ID

To execute actions on specific assets, pass a list of asset IDs to the act() call in the assets parameter.

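import phantom.rules as phantom
import json

def list_vms_cb(action, success, container, results, handle):
    # Called once the 'list vms' action has completed.

    if not success:
        # The action failed; there are no results to process.
        return

    return

def on_start(incident):

    # Run 'list vms' only on the asset whose ID is "vmwarevsphere".
    phantom.act('list vms', assets=["vmwarevsphere"], callback=list_vms_cb)
    return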

The function generates the following result when run in the playbook debugger:

2015-03-14T21:12:41.365000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:12:41.369000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere
2015-03-14T21:12:41.370000:  act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:12:41.385000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T21:12:41.387000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:12:41.410000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:12:42.130000: running: Loaded action execution configuration
2015-03-14T21:12:42.135000: running: Connecting to 10.10.0.40...
2015-03-14T21:13:08.769000: success: 1 of 1 action succeeded
2015-03-14T21:13:08.879000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:13:08.882000:  calling action callback function: list_vms_cb
 *** The Rule has completed. Result: success ***

Specify assets by tag

You can also pass a tag to the act() function in the tags parameter. The action runs on all assets with that tag.

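import phantom.rules as phantom
import json

def list_vms_cb(action, success, container, results, handle):
    # Called once the 'list vms' action has completed.

    if not success:
        # The action failed; there are no results to process.
        return

    return

def on_start(incident):

    # Run 'list vms' on every asset that carries the tag "virtual".
    phantom.act('list vms', tags=["virtual"], callback=list_vms_cb)
    return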

By using a tag, the list vms action runs on all assets tagged as virtual, as the following playbook debugger output shows:

2015-03-14T21:21:52.723000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:21:52.737000:  act(): Warning: For action 'list vms' no assets were specified. The action shall execute on all matching assets
2015-03-14T21:21:52.760000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere, vmwarevsphere2
2015-03-14T21:21:52.760000:  act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere, vmwarevsphere2] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:21:52.780000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T21:21:52.794000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:21:52.828000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:52.833000: Starting action 'list vms' on asset '5a776fff-37d7-4a34-a299-21354dff8c45'
2015-03-14T21:21:52.863000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:54.883000: running: Loaded action execution configuration
2015-03-14T21:21:54.890000: running: Connecting to 10.10.0.40...
2015-03-14T21:21:54.906000: running: Loaded action execution configuration
2015-03-14T21:21:54.912000: running: Connecting to 10.10.0.70...
2015-03-14T21:22:04.967000: success: 1 of 1 action succeeded
2015-03-14T21:22:05.097000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.325000: success: 1 of 1 action succeeded
2015-03-14T21:22:20.446000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.451000:  calling action callback function: list_vms_cb
 *** The Rule has completed. Result: success *** 
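
Because a tag resolves to every matching asset, it helps to confirm from the debugger output which assets an action actually ran on. The following standalone Python is an added example, not part of Splunk's documentation or product code: it parses debugger lines in the format shown on this page and compares the resolved assets against an allowlist. The function name audit_asset_scope, the allowlist and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample: debugger lines in the format shown in the tag-based run above.
SAMPLE_LOG = """\
2015-03-14T21:21:52.737000:  act(): Warning: For action 'list vms' no assets were specified. The action shall execute on all matching assets
2015-03-14T21:21:52.760000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere, vmwarevsphere2
2015-03-14T21:21:52.794000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:21:52.833000: Starting action 'list vms' on asset '5a776fff-37d7-4a34-a299-21354dff8c45'
"""

RESOLVED = re.compile(r"act\(\): Action '(?P<action>[^']+)' shall be executed on assets: (?P<assets>.+)$")
UNSCOPED = re.compile(r"act\(\): Warning: For action '(?P<action>[^']+)' no assets were specified")
STARTED = re.compile(r"Starting action '(?P<action>[^']+)' on asset '(?P<guid>[0-9a-f-]{36})'")


def audit_asset_scope(log_text, expected_assets):
    """Summarise, per action, which assets act() resolved and flag surprises.

    expected_assets is a hypothetical allowlist: {action name: set of asset IDs}.
    """
    report = {}
    for line in log_text.splitlines():
        for kind, pattern in (("resolved", RESOLVED), ("unscoped", UNSCOPED), ("started", STARTED)):
            m = pattern.search(line)
            if not m:
                continue
            entry = report.setdefault(m["action"], {"assets": [], "guids": [], "tag_resolved": False})
            if kind == "resolved":
                entry["assets"] = [a.strip() for a in m["assets"].split(",")]
            elif kind == "unscoped":
                entry["tag_resolved"] = True  # no explicit asset list was passed
            else:
                entry["guids"].append(m["guid"])
    for action, entry in report.items():
        allowed = expected_assets.get(action, set())
        entry["unexpected"] = sorted(set(entry["assets"]) - allowed)
        # Assumption drawn from the runs on this page: one "Starting action" line per asset.
        entry["count_mismatch"] = len(entry["assets"]) != len(entry["guids"])
    return report


if __name__ == "__main__":
    result = audit_asset_scope(SAMPLE_LOG, {"list vms": {"vmwarevsphere"}})
    for action, entry in result.items():
        print(action, entry)
```

With an allowlist containing only vmwarevsphere, the tag-based run is reported as having reached one asset outside the expected scope.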
Last modified on 22 September, 2021

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1