
Python Playbook Tutorial for Splunk Phantom overview

Playbooks help security operations teams develop and deploy precise automation strategies. These strategies might range from generic information mining tasks to actively mitigating the impact of an ongoing incident.

Playbooks are Python scripts that execute various actions in response to an incident. As new data enters the system, enabled playbooks run on new containers in a specified order.

Configure playbooks to act on containers with a specific label. For example, if the imported data has a label of incident, the playbook is expected to run on an incident. All playbooks are independent of each other and can act on all containers.

Playbooks execute automatically when a new artifact is added to an unresolved container. See Understanding containers in the Python Playbook API Reference for Splunk Phantom for more information on containers. A user can also run any playbook manually.

Active playbooks run in real time as new containers are imported into the system or existing open containers are updated with new artifacts. Some actions are read-only and cannot change the state of an asset, while others can. For example, list vms is a read-only action, whereas block ip, which could result in changes to the state of the asset, isn't.

Playbooks don't automatically run if a container is in the closed state. However, new artifacts can continue to be added to the container, and users can still run actions or playbooks on them manually.

Phantom playbooks are Python scripts built to run on top of the playbook API platform.
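The dispatch rules described above (label matching, configured run order, artifact-triggered runs, the closed-container rule, manual runs, and the read-only classification of actions) as a small executable model. This is an added example written for this page; it is not Splunk Phantom code and does not use the phantom.rules API. The class names, the container status values, the playbook bodies and the sample artifacts are assumptions made for illustration.

```python
"""Toy model of the playbook dispatch rules described in the overview.

Added example: not Splunk Phantom code, and not the phantom.rules API.
Class names, status values and the playbook bodies are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Actions that only observe an asset versus actions that change its state.
# "list vms" (read-only) and "block ip" (not) are the page's examples; the
# membership of any other action would be an assumption.
READ_ONLY_ACTIONS = {"list vms"}


def is_read_only(action: str) -> bool:
    """True for actions that cannot change the state of the asset."""
    return action in READ_ONLY_ACTIONS


@dataclass
class Artifact:
    cef: Dict[str, str]           # e.g. {"sourceAddress": "203.0.113.5"} (constructed)


@dataclass
class Container:
    id: int
    label: str                    # e.g. "incident" or "event"
    status: str = "new"           # "new", "open" or "closed" (assumed values)
    artifacts: List[Artifact] = field(default_factory=list)


@dataclass
class Playbook:
    name: str
    label: str                    # only containers with this label are acted on
    active: bool                  # active playbooks run automatically; others only manually
    body: Callable[["Platform", Container], None]


class Platform:
    """Minimal stand-in for the automation engine; `playbooks` is the run order."""

    def __init__(self, playbooks: List[Playbook]):
        self.playbooks = playbooks
        self.action_log: List[Tuple[str, int, bool]] = []   # (action, container id, read-only?)

    def run_action(self, action: str, container: Container) -> None:
        self.action_log.append((action, container.id, is_read_only(action)))

    def _run_automatic(self, container: Container) -> List[str]:
        # Closed containers never trigger automatic runs.
        if container.status == "closed":
            return []
        ran = []
        for pb in self.playbooks:                   # configured order
            if pb.active and pb.label == container.label:
                pb.body(self, container)
                ran.append(pb.name)
        return ran

    def ingest(self, container: Container) -> List[str]:
        """New data entering the system: active playbooks run on the new container."""
        container.status = "open"
        return self._run_automatic(container)

    def add_artifact(self, container: Container, artifact: Artifact) -> List[str]:
        """Artifacts can always be added; only unresolved containers trigger playbooks."""
        container.artifacts.append(artifact)
        return self._run_automatic(container)

    def run_manually(self, playbook: Playbook, container: Container) -> bool:
        """A user can run any playbook on any container, closed ones included."""
        playbook.body(self, container)
        return True

    def close(self, container: Container) -> None:
        container.status = "closed"


# Constructed playbook bodies (not real Phantom playbooks).
def investigate(platform: Platform, container: Container) -> None:
    platform.run_action("list vms", container)          # read-only


def contain(platform: Platform, container: Container) -> None:
    platform.run_action("block ip", container)          # changes asset state


def demo() -> dict:
    investigate_pb = Playbook("investigate_incident", "incident", True, investigate)
    contain_pb = Playbook("contain_ip", "incident", False, contain)   # manual only
    triage_pb = Playbook("triage_event", "event", True, investigate)
    platform = Platform([investigate_pb, contain_pb, triage_pb])

    incident = Container(1, "incident")
    event = Container(2, "event")
    result = {
        "ingest_incident": platform.ingest(incident),
        "ingest_event": platform.ingest(event),
        "artifact_added_open": platform.add_artifact(incident, Artifact({"sourceAddress": "203.0.113.5"})),
    }
    platform.close(incident)
    result["artifact_added_closed"] = platform.add_artifact(incident, Artifact({"sourceAddress": "203.0.113.6"}))
    result["manual_on_closed"] = platform.run_manually(contain_pb, incident)
    result["artifacts_on_closed"] = len(incident.artifacts)
    result["action_log"] = platform.action_log
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script shows the two active playbooks firing only for their own label, the second artifact added to the closed container adding to the container without triggering a run, and the manual run of the non-active playbook still succeeding on that closed container; the action log records which actions were read-only.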
