Introduction to Splunk Phantom Playbooks. The recipient in the form of a user email address, username, or a role. When you pass action results, you can also pass in custom function results. Default is True. Succeeded or failed implies that the action is done. For example, if the asset is tagged critical and the action is block IP, the action is run only on assets that are tagged as critical. First, you'll need to go through the Phantom Server Configuration page to connect Splunk to Phantom, which will require an automation user in Phantom. If phantom.debug is passed a Python list or a dictionary at any level of nesting, it decodes any unicode strings within that mutable object. Set to False for evaluating conditions in a case-insensitive manner. Here is an example custom_function parameter from a custom function callback: When logging is enabled, the debug API lets the author debug as the playbook is being developed and tested. This is autogenerated by the VPE, but you can specify your own name from the configuration panel for the block using. When passing Boolean values to a decision block in the Visual Playbook Editor, true and false with lowercase letters are interpreted as strings. See prompt. The status of the custom function that was run. Use playbooks to automate analyst workflows in Splunk Phantom.
Filtered artifacts that were returned from a preceding phantom.condition() block. Response types are a list of JSON objects. This is similar to a print() statement. It evaluates expressions and returns matching artifacts and action results that evaluate as true. If set to false, the child playbook runs with the default playbook scope. The render_template API accepts a Django 1.11 template and fills the variable fields with contextual information from a provided dictionary. This sample playbook shows calling a playbook from a playbook. 4.1 Create new Event Label in Phantom. Splunk will send events to Phantom with this label. A standard phishing playbook built for Splunk Phantom may involve investigation actions that can be applied to a suspicious email, such as investigating and geolocating IP addresses and conducting reputation searches for IPs and domains. Filtered results that were returned from a preceding condition block. The discontinue API allows users to stop executing further playbooks. Splunk Phantom's playbook automation API allows security operations teams to develop detailed automation strategies. A specified callback function to be called upon completion of the action. This is the 4.1 branch of the Phantom Community Playbooks repository. The arguments are expressed and passed as a list of datapaths in the. If the action is executed on an asset that has primary approvers assigned or a reviewer specified, the action is not executed unless the primary approvers or reviewer approves the action. This parameter implies that the child playbook inherits the scope settings from the parent when called.