
Splunk Phantom Tips: How to Get the Username of the User Who Ran a Playbook in That Playbook

This is an issue I ran into recently. I wanted to assign a task to the user who ran a playbook, but that was easier said than done. The first step is to get the effective_user_id of the playbook. We can do this by creating a custom code block, so that we can pass around the user id later in the playbook. The custom code block doesn’t need any input parameters and should have an output parameter of effective_user_id.

Code-wise, you really only need two lines. First, we make a call to phantom.get_playbook_info() (docs). This returns “a list containing a single dictionary” that looks something like this:

The item we’re interested in is effective_user_id so our second line of code is grabbing that and assigning it to the output variable we named in the custom code config. The finished product looks like this:

Now we have the user id of the user who ran the playbook. This will work for things like setting the owner of a container, which can take the user id, but there are other actions, like assigning a task, that take a username as a parameter. Getting the username from a user id is a bit of a process, but it’s not too complicated. It takes three steps:

  • Format the REST API endpoint
  • Call the REST API endpoint
  • Modify the Task block to use the data from the REST API

First, we use a format block to create the REST API endpoint we’ll be calling. The template will be /ph_user/{0} and the value we’ll use to fill the template is our effective_user_id value that we get from the custom code block. It’ll end up looking like this:

Next, we’ll feed this into an HTTP get data action block. This requires that you’ve created an HTTP asset pointed at your Phantom instance. The only config for this block is the location, which is the value we created in our format block.

Now that we’ve done that, we can modify the task block (or whatever other block you’re using) to get the username from the HTTP block. This will require some custom code, but nothing too fancy.

Again, we’ll need only two lines of code to get the username. One to get the username data from the HTTP action results and another to parse it out of the returned list. It’ll end up looking something like this:

Be aware that your function names (get_data2, format_1, custom_function_1, etc.) may be different than what I have based on where this is happening in your playbook.
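The lookups described above, written as plain Python so they can be run and tested outside Phantom (an added example, not the code from the original post). The helper names are hypothetical, the sample inputs are constructed, and the rows passed to `username_from_results` are assumed to have the list-of-lists shape that `phantom.collect2()` returns for a single datapath.

```python
# Added example: helper names are hypothetical and sample data is constructed.
# Inside a playbook the inputs would come from phantom.get_playbook_info()
# and from phantom.collect2() on the HTTP "get data" action results.

def effective_user_id(playbook_info):
    """Return effective_user_id from the one-element list of playbook info."""
    if not playbook_info or not isinstance(playbook_info[0], dict):
        raise ValueError("playbook info is empty or malformed")
    user_id = playbook_info[0].get("effective_user_id")
    # Accept only a positive integer: this value is formatted into a REST path.
    if isinstance(user_id, bool) or not isinstance(user_id, int) or user_id < 1:
        raise ValueError("effective_user_id is missing or not a positive integer")
    return user_id


def user_endpoint(user_id, template="/ph_user/{0}"):
    """Fill the format-block template; int() rejects anything that is not an id."""
    return template.format(int(user_id))


def username_from_results(collected):
    """Return the first non-empty username from collect2-style rows, else None.

    A failed HTTP action yields rows such as [None]; returning None lets the
    caller leave the task unassigned instead of passing a bad username on.
    """
    for row in collected or []:
        if row and isinstance(row[0], str) and row[0].strip():
            return row[0].strip()
    return None


# Constructed sample inputs (abbreviated; real results carry more keys).
SAMPLE_PLAYBOOK_INFO = [{"name": "assign_task_to_runner", "effective_user_id": 7}]
SAMPLE_HTTP_ROWS_OK = [["analyst1"]]
SAMPLE_HTTP_ROWS_FAILED = [[None]]

if __name__ == "__main__":
    uid = effective_user_id(SAMPLE_PLAYBOOK_INFO)
    print(user_endpoint(uid))                              # location for the HTTP block
    print(username_from_results(SAMPLE_HTTP_ROWS_OK))      # value for the task block
    print(username_from_results(SAMPLE_HTTP_ROWS_FAILED))  # failed lookup
```
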

You now have a task that is assigned to the user that ran the playbook. This can be useful for getting feedback from an analyst during the playbook run or handling an action that can’t be automated for whatever reason.
