When using Splunk Phantom to process notable events from Splunk ES, a best practice is to validate that the playbook the analyst is running is the right one for that notable event and they are running it on the correct artifact. Here are two tips for doing just that:
At the beginning of your playbook, put a decision block that matches on the relevant field in the notable event. For example, if your playbook is for notables with the search_name “My Search Name”, your decision block condition would be artifact:*.cef.search_name == My Search Name. The rest of your playbook hangs off that condition, and you can also add an else condition to send feedback to the analyst, such as a comment or a prompt displaying an error like “Playbook canceled – Search name does not match”.
You can use a filter block to make sure the analyst is running the playbook only on the notable artifact. The condition in the filter block would look similar to the decision block condition, or could be as simple as checking that the search_name field isn’t blank. The difference from the decision block is that you now use the filtered list of artifacts throughout your playbook. For example, if you’re building a description for a ticket, instead of using the normal artifact:*.cef.whatever you would select the filtered artifact list, which would look something like filtered-data:filter_x:condition_1:artifact:*.cef.whatever. This avoids the issue where, if there is more than one artifact, you get a list of values for the artifact fields, so that artifact:*.cef.search_name would be output as something like “My Search Name, None, None”.
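To make the two checks concrete, here is an added, stand-alone Python model of the decision and filter blocks (it is not code from the post and does not use the Phantom platform API, so it runs offline). The artifacts are constructed: one notable artifact with a search_name plus two extra artifacts without one, which is exactly the situation that produces the “My Search Name, None, None” output.

```python
# Added example: a plain-Python model of the decision block and filter block
# described in the post, run over constructed artifacts (not Phantom API code).

# Constructed sample container: the notable artifact plus two extra artifacts
# (e.g. enrichment results) that carry no search_name field.
ARTIFACTS = [
    {"id": 1, "cef": {"search_name": "My Search Name", "src": "10.0.0.5"}},
    {"id": 2, "cef": {"src": "10.0.0.5", "whois": "constructed"}},
    {"id": 3, "cef": {"dest": "10.0.0.9"}},
]


def collect_field(artifacts, field):
    """Mimic the unfiltered datapath artifact:*.cef.<field>: one value per artifact, None when missing."""
    return [a["cef"].get(field) for a in artifacts]


def unfiltered_description(artifacts):
    """The ticket description you get when the unfiltered artifact list is joined."""
    return ", ".join(str(v) for v in collect_field(artifacts, "search_name"))


def decision_matches(artifacts, expected_search_name):
    """Decision block: proceed only if some artifact's search_name equals the expected value."""
    return any(a["cef"].get("search_name") == expected_search_name for a in artifacts)


def filter_notable_artifacts(artifacts):
    """Filter block: keep only artifacts whose search_name is present and not blank."""
    return [a for a in artifacts if (a["cef"].get("search_name") or "").strip()]


def filtered_description(artifacts):
    """The same description built from the filtered list: no stray None values."""
    return ", ".join(a["cef"]["search_name"] for a in filter_notable_artifacts(artifacts))


def run_playbook(artifacts, expected="My Search Name"):
    """Decision block first; on a mismatch, return the analyst-facing error instead of running on."""
    if not decision_matches(artifacts, expected):
        return "Playbook canceled - Search name does not match"
    return filtered_description(artifacts)


if __name__ == "__main__":
    print("unfiltered:", unfiltered_description(ARTIFACTS))
    print("filtered:  ", filtered_description(ARTIFACTS))
    print("wrong notable:", run_playbook(ARTIFACTS, expected="Other Search"))
```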
Implementing either or both of these tips in your playbooks will dramatically reduce playbooks being run on the wrong notable events or artifacts. I’d love to hear any tips you’ve discovered or thoughts you have on this use case so feel free to leave a comment or hit me up in the Splunk Phantom community slack (@rplas).