After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Use a datapath in
You can use a datapath as an argument with a slash command. This makes slash commands flexible and powerful. Use the /inspect
command to get the datapath to use with other slash commands.
Datapaths
A datapath is a series of names, keywords, attributes, and wildcards that evaluates to a list of values. These values can be attributes of artifacts or action results.
A datapath is described using this format:
<type>:<path.to.value_name>
Example of a datapath for an artifact attribute:
artifact:*.ip
Artifacts are indexed by their common event format (CEF) data so only CEF data is available to use in datapaths. You cannot access other fields such as label
or description
.
Example of a datapath for action results:
action_result:data.*.longitude
For more information on datapaths, see collect in the Python Playbook API Reference for .
Use the /inspect command
Use the /inspect
command to examine artifacts and to look for datapaths you want to use with another slash command.
See the following example:
Examine an artifact to see if it has IP addresses in its CEF data.
/inspect artifact:*
The above example returns the following:
{u'ip': u'2.2.2.2'} {u'ip': u'1.1.1.1'}
Because there is IP information in the artifact, you can access that information in another command with a datapath.
/action whois_ip "WHOIS" artifact:*.ips.*
See the following example:
Examine an action_run
.
/inspect action_run:1
JSON formatted action run information.
{ "comment": "", "node_guid": "d7c64d0f-fd0b-4d0b-8c68-34704ee91247", "playbook_run": null, "exec_order": null, "_pretty_owner": "admin", "creator": 1, "_pretty_undo": null, "assign_time": null, "create_time": "2019-12-12T00:32:20.600117Z", "playbook": null, "_pretty_playbook": "", "owner": 1, "message": "1 action succeeded", "action": "geolocate ip", "close_time": "2019-12-12T00:32:21.059521Z", "exec_delay_secs": 0, "container": 78, "_pretty_update_time": "17 minutes ago", "_pretty_has_app_runs": true, "id": 2, "targets": [ { "app_id": 118, "parameters": [ { "ip": "115.249.247.26" } ], "assets": [ 2 ] } ], "due_time": "2019-12-11T21:59:05.213705Z", "version": 1, "type": "investigate", "status": "success", "update_time": "2019-12-12T00:32:21.059521Z", "handle": null, "_pretty_close_time": "17 minutes ago", "_pretty_container": "ASN Transaction", "_pretty_creator": "admin", "ip_address": "10.26.96.21", "_pretty_due_time": "Yesterday at 09:59 PM", "name": "user initiated geolocate ip action", "_pretty_redo": true, "_pretty_create_time": "17 minutes ago", "cancelled": null, "cb_fn": null }
See the following example:
Get a list of all app_runs
.
/inspect app_run:*.id
Returns:
4 7 6 5 8
You can use these app_run
IDs with other commands or REST API calls.
Update or edit an event in |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0
Feedback submitted, thanks!