Re: How to get the results of a playbook to show u...

Ragamonster · ‎10-02-2023

Hello, I've been tasked with having the results of a playbook show up as a note in a different phase.

Any instruction or ideas welcome.

Thanks so much.

phanTom · ‎10-20-2023

@Ragamonster you will need to use REST to find the task you want to add the note to and then POST the note to that task.

https://docs.splunk.com/Documentation/SOARonprem/6.1.1/PlatformAPI/RESTNotes

Specifically look at the below:

You can do this using the HTTP app but I prefer using the sessions API as it's pre-authenticated and gives you a lot more control: https://docs.splunk.com/Documentation/SOARonprem/6.1.1/PlaybookAPI/SessionAPI

-- Hope this helps. If so please mark as a solution for future readers. Happy SOARing! --

SOARt_of_Lost · ‎10-19-2023

What sorts of results are you trying to post as a note? You can plug just about anything you want into a utility block calling the add note function. You can insert a format block just before the note block and use its formatted_data (not formatted_data.*) output to make it look nicer or combine info from different sources.

How to get the results of a playbook to show up as a note in a different phase?

using SOAR ⁄ Phantom

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!