Splunk® SOAR (On-premises)

Python Playbook Tutorial for Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Tutorial: Specify assets in

This tutorial demonstrates how to run more complex actions within a playbook. In this example, you want to run actions on a specific asset. You can either specify the asset by its ID, or specify a tag to include all assets associated with that tag.

Specify assets by ID

To execute actions on specific assets, pass a list of asset IDs to the act() call.

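import phantom.rules as phantom
import json

# Callback invoked when the 'list vms' action finishes.
def list_vms_cb(action, success, container, results, handle):

    # Nothing to process if the action failed.
    if not success:
        return

    return

def on_start(incident):

    # Run 'list vms' only on the asset named in the assets list.
    phantom.act('list vms', assets=["vmwarevsphere"], callback=list_vms_cb)
    return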

The function generates the following result when run in the playbook debugger:

2015-03-14T21:12:41.365000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:12:41.369000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere
2015-03-14T21:12:41.370000:  act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:12:41.385000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T21:12:41.387000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:12:41.410000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:12:42.130000: running: Loaded action execution configuration
2015-03-14T21:12:42.135000: running: Connecting to 10.10.0.40...
2015-03-14T21:13:08.769000: success: 1 of 1 action succeeded
2015-03-14T21:13:08.879000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:13:08.882000:  calling action callback function: list_vms_cb
 *** The Rule has completed. Result: success ***

Specify assets by tag

You can also pass a tag to the act() function. The action runs on all assets with that tag.

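import phantom.rules as phantom
import json

# Callback invoked when the 'list vms' action finishes.
def list_vms_cb(action, success, container, results, handle):

    # Nothing to process if the action failed.
    if not success:
        return

    return

def on_start(incident):

    # Run 'list vms' on every asset that carries the 'virtual' tag.
    phantom.act('list vms', tags=["virtual"], callback=list_vms_cb)
    return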

By using a tag, the list vms action runs on all assets tagged as virtual, as the following debugger output shows:

2015-03-14T21:21:52.723000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:21:52.737000:  act(): Warning: For action 'list vms' no assets were specified. The action shall execute on all matching assets
2015-03-14T21:21:52.760000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere, vmwarevsphere2
2015-03-14T21:21:52.760000:  act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere, vmwarevsphere2] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:21:52.780000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T21:21:52.794000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:21:52.828000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:52.833000: Starting action 'list vms' on asset '5a776fff-37d7-4a34-a299-21354dff8c45'
2015-03-14T21:21:52.863000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:54.883000: running: Loaded action execution configuration
2015-03-14T21:21:54.890000: running: Connecting to 10.10.0.40...
2015-03-14T21:21:54.906000: running: Loaded action execution configuration
2015-03-14T21:21:54.912000: running: Connecting to 10.10.0.70...
2015-03-14T21:22:04.967000: success: 1 of 1 action succeeded
2015-03-14T21:22:05.097000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.325000: success: 1 of 1 action succeeded
2015-03-14T21:22:20.446000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.451000:  calling action callback function: list_vms_cb
 *** The Rule has completed. Result: success *** 
Last modified on 08 March, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1

