When using Splunk Phantom to process notable events from Splunk ES, a best practice is to validate that the playbook the analyst is running is the right one for that notable event and they are running it on the correct artifact. Here are two tips for doing just that:
Decision Block
At the beginning of your playbook, put a decision block that matches on the relevant field in the notable event. For example, if your playbook is for notables with the search_name “My Search Name”, your decision block condition would be artifact:*.cef.search_name == My Search Name. Off of the condition point would be the rest of your playbook, and you can also add an else condition to send feedback to the analyst, such as a comment or a prompt displaying an error like “Playbook canceled – Search name does not match”.
Filter Block
You can use a filter block to make sure the analyst is running the playbook only on the notable artifact. The condition in the filter block would look similar to the decision block condition, or could be as simple as checking that the search_name field isn’t blank. The difference from the decision block is that now you use the filtered list of artifacts all throughout your playbook. For example, if you’re building a description for a ticket, instead of using the normal artifact:*.cef.whatever you would select the filtered artifact list, and it would look something like filtered-data:filter_x:condition_1:artifact:*.cef.whatever. This avoids the issue where, if there is more than one artifact in the container, you get a list of values for the artifact fields, so that artifact:*.cef.search_name would be output as something like “My Search Name, None, None”.
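To make the two behaviours concrete, here is an added Python example that is not from this post and does not use Phantom's own playbook API. It simulates how a datapath like artifact:*.cef.search_name collects one value per artifact in the container (None where the field is missing) versus how a filter block narrows that down to the matching artifacts only. The container contents are constructed, and treating the decision condition as true when any artifact matches is an assumption made for the simulation.

```python
"""Simulation of decision-block vs filter-block datapath behaviour.

Constructed model, not Phantom's playbook API: it only illustrates why
an unfiltered artifact:*.cef.<field> yields "My Search Name, None, None"
when a container holds several artifacts, and how filtering fixes it.
"""
from typing import Any, Dict, List, Optional

# Constructed sample container: the ES notable artifact plus two other
# artifacts that ended up in the same container (e.g. added by enrichment).
CONTAINER: Dict[str, Any] = {
    "artifacts": [
        {"id": 1, "name": "notable event",
         "cef": {"search_name": "My Search Name", "src": "10.0.0.5"}},
        {"id": 2, "name": "enrichment",
         "cef": {"src": "10.0.0.5", "reputation": "clean"}},
        {"id": 3, "name": "ticket link",
         "cef": {"ticket_id": "INC-0001"}},
    ]
}


def collect(artifacts: List[Dict[str, Any]], field: str) -> List[Optional[str]]:
    """Emulate artifact:*.cef.<field>: one entry per artifact, None if absent."""
    return [a["cef"].get(field) for a in artifacts]


def decision_matches(container: Dict[str, Any], field: str, expected: str) -> bool:
    """Decision block: assumed true when any artifact's field equals expected."""
    return expected in collect(container["artifacts"], field)


def filter_artifacts(container: Dict[str, Any], field: str,
                     expected: Optional[str] = None) -> List[Dict[str, Any]]:
    """Filter block: keep artifacts whose field equals expected, or, when no
    expected value is given, whose field is simply non-blank."""
    kept = []
    for artifact in container["artifacts"]:
        value = artifact["cef"].get(field)
        if expected is None:
            if value not in (None, ""):
                kept.append(artifact)
        elif value == expected:
            kept.append(artifact)
    return kept


def build_description(artifacts: List[Dict[str, Any]], fields: List[str]) -> str:
    """Render ticket description lines, joining list values with commas."""
    lines = []
    for field in fields:
        values = ", ".join(str(v) for v in collect(artifacts, field))
        lines.append(f"{field}: {values}")
    return "\n".join(lines)


def run_playbook(container: Dict[str, Any]) -> Dict[str, Any]:
    """Decision block first, then build the description both ways."""
    if not decision_matches(container, "search_name", "My Search Name"):
        # The else branch: feed back to the analyst instead of continuing.
        return {"status": "canceled",
                "comment": "Playbook canceled - Search name does not match"}
    fields = ["search_name", "src"]
    matched = filter_artifacts(container, "search_name", "My Search Name")
    return {
        "status": "ran",
        "unfiltered": build_description(container["artifacts"], fields),
        "filtered": build_description(matched, fields),
        "matched_ids": [a["id"] for a in matched],
    }


if __name__ == "__main__":
    result = run_playbook(CONTAINER)
    print("--- unfiltered datapath ---")
    print(result["unfiltered"])
    print("--- filtered datapath ---")
    print(result["filtered"])
```

Running it prints the unfiltered description with "search_name: My Search Name, None, None", while the filtered version contains only the notable artifact's values; a container whose artifacts carry a different search_name goes down the canceled branch without building anything.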
Implementing either or both of these tips in your playbooks will dramatically reduce playbooks being run on the wrong notable events or artifacts. I’d love to hear any tips you’ve discovered or thoughts you have on this use case so feel free to leave a comment or hit me up in the Splunk Phantom community slack (@rplas).