Run an action in Splunk SOAR (On-premises)

Analysts can use the /action command to quickly run one of the actions Splunk SOAR (On-premises) supports.

Actions run with /action are the same actions that are found in the Run Action dialog box, but the names of the actions are formatted with underscores ( _ ) instead of spaces. For example, the action geolocate ip becomes geolocate_ip.

The Run Action dialog box guides you through selecting the information an action requires. Using the command line interface requires you to provide the same information as arguments to the /action command.

When you type /action in the comment field of the activity sidebar, a tooltip-style dialog appears to guide you through adding arguments, or you can use the --help argument to get a message with help information as shown here:

/action geolocate_ip "MaxMind" --help

PhBot returns the following help message:

usage: /action geolocate_ip [app] <required arguments> [--asset asset...]
[--optional arguments]

Queries MaxMind for IP location info

required arguments:
ip IP to geolocate

The command-line interpreter validates the arguments you pass to the /action command. A command whose arguments match the action's parameters runs as written, for example:

/action whois_domain "WHOIS" splunk.com

Incorrect arguments are rejected with an error message that tells you which argument to fix. The following command fails validation because a.b.not_an_ip is not a valid IP address for the ip parameter of whois_ip:

/action whois_ip "WHOIS" a.b.not_an_ip

Use a list with the /action command

You can perform actions on lists of items by passing the list as an argument as shown in the following example:

/action geolocate_ip "MaxMind" ["1.1.1.1", "2.2.2.2"]

Lists must be written in valid Python list syntax, so string items such as IP addresses and domain names must be enclosed in quotation marks ( " ); an unquoted item such as [1.1.1.1] is not valid Python and is rejected.

Note: Passing the /action command multiple lists or datapaths, or a mix of lists and datapaths, results in the Cartesian product of their values, that is, one action run per combination. For example, [1, 2] [3, 4] results in four action runs: (1, 3), (1, 4), (2, 3), and (2, 4).
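To make the validation and list-expansion behaviour described above concrete, the following Python model (added here as an illustration, not code from Splunk SOAR or PhBot) parses an /action line, type-checks an ip argument the way the interpreter rejects a.b.not_an_ip, and expands list arguments into one parameter set per action run. The action catalogue, the parameter kinds, the demo_pair action and the exact error wording are assumptions for the example only; datapath arguments are not modelled.

```python
import ast
import ipaddress
import itertools

# Constructed catalogue standing in for the actions SOAR resolves from the
# installed apps. Parameter kinds are assumptions for this illustration;
# "demo_pair" exists only to reproduce the [1, 2] [3, 4] product from the note.
ACTIONS = {
    "geolocate_ip": {"app": "MaxMind", "params": [("ip", "ip")]},
    "whois_ip": {"app": "WHOIS", "params": [("ip", "ip")]},
    "whois_domain": {"app": "WHOIS", "params": [("domain", "domain")]},
    "demo_pair": {"app": "Demo", "params": [("left", "any"), ("right", "any")]},
}


def tokenize(text):
    """Split the text after '/action' into bare words, "quoted strings" and
    [Python list literals]. Lists may contain spaces, so a whitespace split
    would break them apart."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "[":
            end = text.find("]", i)
            if end < 0:
                raise ValueError("unterminated list argument")
            literal = text[i:end + 1]
            try:
                value = ast.literal_eval(literal)
            except (SyntaxError, ValueError):
                # e.g. [1.1.1.1, 2.2.2.2]: string items must be quoted
                raise ValueError(f"{literal} is not valid Python list syntax; "
                                 "quote string items") from None
            tokens.append(list(value))
            i = end + 1
        elif c == '"':
            end = text.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated quoted argument")
            tokens.append(text[i + 1:end])
            i = end + 1
        else:
            end = i
            while end < n and not text[end].isspace():
                end += 1
            tokens.append(text[i:end])
            i = end
    return tokens


def validate(pname, kind, value):
    """Type-check one argument; only the 'ip' kind is checked strictly here."""
    value = str(value)
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            raise ValueError(f"argument {pname}: {value!r} is not a valid IP address") from None
    return value


def expand_runs(line):
    """Parse an /action line and return one parameter dict per action run.
    Several list arguments expand to their Cartesian product."""
    prefix = "/action"
    if not line.startswith(prefix):
        raise ValueError("not an /action command")
    tokens = tokenize(line[len(prefix):])
    if len(tokens) < 2:  # assumption: the app name is always given
        raise ValueError("usage: /action <action> [app] <required arguments>")
    name, app, args = tokens[0], tokens[1], tokens[2:]
    spec = ACTIONS.get(name)
    if spec is None:
        raise ValueError(f"unknown action {name!r}")
    if app != spec["app"]:
        raise ValueError(f"{name} is not provided by app {app!r}")
    if len(args) != len(spec["params"]):
        raise ValueError(f"{name} expects {len(spec['params'])} argument(s), got {len(args)}")
    columns = []
    for (pname, kind), arg in zip(spec["params"], args):
        values = arg if isinstance(arg, list) else [arg]
        columns.append([validate(pname, kind, v) for v in values])
    names = [pname for pname, _ in spec["params"]]
    return [dict(zip(names, combo)) for combo in itertools.product(*columns)]


def rejection(line):
    """Return the validation error for a line, or None when it is accepted."""
    try:
        expand_runs(line)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(expand_runs('/action geolocate_ip "MaxMind" ["1.1.1.1", "2.2.2.2"]'))
    print(expand_runs('/action demo_pair "Demo" [1, 2] [3, 4]'))
    print("rejected:", rejection('/action whois_ip "WHOIS" a.b.not_an_ip'))
```

The list literal is parsed with ast.literal_eval rather than eval so that a crafted argument can never execute code; anything that is not a plain Python literal is rejected with the same "quote string items" message an analyst needs when they forget the quotation marks.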