How to set the run_automation flag as a parameter?

dennis_rhodes · ‎09-20-2019

Hey All, I have a Splunk search that sends 50 Splunk Events into 1 Phantom container with 50 artifacts (one for each Splunk Event). However, the playbook kicks off for each artifact created, is there a way to pass the run_automation flag as False when running my search?

ansusabu · ‎11-01-2019

You can give a custom python script in the Rest API app, which creates container in phantom. Here is the pseudo code:

  # Acquire some container/artifact data to post
  container = get_container()
  artifacts = get_artifact_list_for_container(container)

  # post your container
  do_post_container(container)
  # Set run_automation to false on all but the last one
  for artifact in artifacts[:-1]:
    artifact["run_automation"] = False
    do_post_artifact(artifact)
  do_post_artifact(artifacts[-1])

You can view this code at the last part of https://my.phantom.us/4.2/docs/rest/overview

WalshyB · ‎10-09-2019

From my understanding, this is not possible but it happens because when it needs to trigger a playbook, it spots a time difference between artifact 1's creation and e.g. artifact 5's so it causes another trigger.

If you use event forwarding, it will not separate them into multiple artifacts, like "send to phantom" does for multi-value fields. This would stop it running multiple times but would then need a custom function in a playbook to separate again with the run_automation flag set to false.

I would be interested in knowing a way around this if in the time this question has been up, you've found a solution 🙂

How to set the run_automation flag as a parameter?

troubleshooting

using Phantom

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM