Tag Archives: playbooks

When using Splunk Phantom to process notable events from Splunk ES, a best practice is to validate that the playbook the analyst is running is the right one for that notable event and they are running it on the correct artifact. Here are two tips for doing just that: Decision Block At the beginning of …

Continue reading “Splunk Phantom Tips: ES Notable Playbook Validation”

This is an issue I ran into recently. I wanted to assign a task to the user who ran a playbook, but that was easier said than done. The first step is to get the effective_user_id of the playbook. We can do this by creating a custom code block, so that we can pass around …

Continue reading “Splunk Phantom Tips: How to Get the Username of the User Who Ran a Playbook in That Playbook”