Splunk® SOAR (On-premises)

Python Playbook Tutorial for Splunk SOAR (On-premises)

Version 5.3.3
As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:

Tutorial: Create a simple playbook in Splunk SOAR (On-premises)

One of the simplest examples of a playbook is one that executes a single action and does nothing with the results. The following geolocate ip action is one such example:

import phantom.rules as phantom

def on_start(container):
    # Queue a single "geolocate ip" action with a hard-coded parameter.
    # No asset or asset tag is given, so SOAR runs it on every asset whose app supports it.
    phantom.act(action="geolocate ip",
                parameters=[{'ip': "1.1.1.1"}])

def on_finish(container, summary):
    # This minimal playbook does nothing with the results.
    return

The only parameter required by the geolocate ip action is provided with a hard-coded value. Because you haven't specified an asset or an asset tag to operate on, Splunk SOAR (On-premises) finds every asset whose app supports the geolocate ip action and runs the action against each of them. In a default Splunk SOAR (On-premises) installation, this will only use the MaxMind app, but other possibilities include services like FreeGeoIP and HackerTarget.

Incorporate a callback

The previous example executed the first action. While it queried MaxMind for the location of an IP address, it didn't leverage the results or take any further action. Because Splunk SOAR (On-premises) runs all actions asynchronously to minimize waiting periods, you must incorporate a callback function to parse the results and act on the location information discovered by the geolocate ip action.

To incorporate a callback, pass a callback function in the callback parameter of act(); Splunk SOAR (On-premises) calls that function with the action's results once they are available. The following example shows how to incorporate a callback:


For more information about the callback function, see callback in the Python Playbook API Reference for Splunk SOAR (On-premises).

Insert debug statements

Call the debug() function to insert debug statements whose output you can see when running your playbook on a container. The following example demonstrates how to insert debug statements:


Perform final actions

After the playbook runs and all of its actions finish executing, the on_finish() handler runs; use it to perform any final actions. For example, you might send a summary email, close an incident, or update a ticketing system with a status.

The following example shows how to incorporate an on_finish() handler:

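The three steps above (act() with a callback, debug(), and on_finish()) combined in one classic-mode playbook; this is an added example written for this page, not Splunk's own code. It assumes the classic callback signature, the phantom.collect() datapath helper, and the MaxMind app's country_name field at action_result.data.*.country_name; the class under except ImportError is a constructed stand-in so the file also runs outside SOAR.

```python
# Added example (not from the Splunk docs): queue the action, parse its results in
# a callback, trace with debug(), and wrap up in on_finish().
try:
    import phantom.rules as phantom            # real module inside the SOAR runtime
except ImportError:
    class phantom:                             # constructed stand-in so this runs outside SOAR
        log = []                               # captures debug() output for inspection
        @staticmethod
        def debug(msg):
            phantom.log.append(str(msg))
        @staticmethod
        def collect(results, datapath):        # stub-only resolver for action_result.data.*.<field>
            field = datapath.rsplit(".", 1)[1]
            return [row[field] for r in results for ar in r["action_results"]
                    for row in ar["data"] if field in row]
        @staticmethod
        def act(action, parameters, callback=None):
            # Pretend the asynchronous action completed and hand a constructed result to the callback.
            fake = [{"action": action, "action_results": [{"parameter": p, "status": "success",
                     "data": [{"country_name": "Australia"}]} for p in parameters]}]
            if callback:
                callback(action, True, None, fake, None)

WATCHED_COUNTRIES = {"Australia"}              # constructed: locations worth a debug note

def countries_from_results(results):
    # Datapath assumed from the MaxMind app's geolocate ip output (action_result.data.*.country_name).
    return phantom.collect(results, "action_result.data.*.country_name")

def on_start(container):
    phantom.debug("on_start: queuing geolocate ip for 1.1.1.1")
    phantom.act(action="geolocate ip",
                parameters=[{"ip": "1.1.1.1"}],
                callback=geolocate_ip_cb)      # SOAR calls this once the results are in

def geolocate_ip_cb(action, success, container, results, handle,
                    filtered_artifacts=None, filtered_results=None):
    if not success:
        phantom.debug("geolocate ip failed, nothing to act on")
        return
    countries = countries_from_results(results)
    phantom.debug("geolocate ip returned countries: {}".format(countries))
    for country in sorted(set(countries) & WATCHED_COUNTRIES):
        phantom.debug("IP resolved to a watched country: {}".format(country))

def on_finish(container, summary):
    phantom.debug("on_finish: summary={}".format(summary))
```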

Last modified on 08 March, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0

