Tutorial: Specify assets in Splunk SOAR (On-premises)

This tutorial demonstrates how to run more complex actions within a playbook. In this example, you want to run actions on a specific asset. You can either specify the asset by its ID, or specify a tag to include all assets associated with that tag.

Specify assets by ID

To execute actions on specific assets, pass a list of asset IDs in the assets parameter of the act() call.

import phantom.rules as phantom
import json

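def list_vms_cb(action, success, container, results, handle):
    # Called by the platform when 'list vms' completes.

    if not success:
        return

    return

def on_start(incident):

    # Restrict 'list vms' to the assets listed in the assets parameter.
    phantom.act('list vms', assets=["vmwarevsphere"], callback=list_vms_cb)
    return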

The function generates the following result when run in the playbook debugger:

2015-03-14T21:12:41.365000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:12:41.369000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere
2015-03-14T21:12:41.370000:  act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:12:41.385000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T21:12:41.387000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:12:41.410000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:12:42.130000: running: Loaded action execution configuration
2015-03-14T21:12:42.135000: running: Connecting to 10.10.0.40...
2015-03-14T21:13:08.769000: success: 1 of 1 action succeeded
2015-03-14T21:13:08.879000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:13:08.882000:  calling action callback function: list_vms_cb
 *** The Rule has completed. Result: success ***

Specify assets by tag

You can also pass a tag in the tags parameter of the act() function. The action runs on all assets with that tag.

import phantom.rules as phantom
import json

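def list_vms_cb(action, success, container, results, handle):
    # Called by the platform when 'list vms' completes.

    if not success:
        return

    return

def on_start(incident):

    # No assets parameter: 'list vms' runs on every asset tagged "virtual".
    phantom.act('list vms', tags=["virtual"], callback=list_vms_cb)
    return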

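Because the call specifies a tag rather than an asset list, the list vms action runs on all assets tagged as virtual. The debugger output logs a warning that no assets were specified, then lists the assets the action resolved to (here vmwarevsphere and vmwarevsphere2):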

2015-03-14T21:21:52.723000:  Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:21:52.737000:  act(): Warning: For action 'list vms' no assets were specified. The action shall execute on all matching assets
2015-03-14T21:21:52.760000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere, vmwarevsphere2
2015-03-14T21:21:52.760000:  act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere, vmwarevsphere2] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:21:52.780000:  act(): No action parameter review or asset approval requests generated.
2015-03-14T21:21:52.794000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:21:52.828000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:52.833000: Starting action 'list vms' on asset '5a776fff-37d7-4a34-a299-21354dff8c45'
2015-03-14T21:21:52.863000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:54.883000: running: Loaded action execution configuration
2015-03-14T21:21:54.890000: running: Connecting to 10.10.0.40...
2015-03-14T21:21:54.906000: running: Loaded action execution configuration
2015-03-14T21:21:54.912000: running: Connecting to 10.10.0.70...
2015-03-14T21:22:04.967000: success: 1 of 1 action succeeded
2015-03-14T21:22:05.097000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.325000: success: 1 of 1 action succeeded
2015-03-14T21:22:20.446000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.451000:  calling action callback function: list_vms_cb
 *** The Rule has completed. Result: success ***
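
The tag-based run above resolves to every asset carrying the tag, so it is worth checking the resolved scope against what you expected before relying on a tag in a playbook that does more than list VMs. The following added example (not part of the Splunk documentation) parses the act() debugger lines shown above and reports resolved assets that fall outside an expected set; audit_scope and the approved allowlist are hypothetical names introduced here, and the sample log lines are copied from the output above.

```python
import re

# Log lines copied from the tag-based debugger run above (only the relevant ones).
SAMPLE_LOG = """\
2015-03-14T21:21:52.737000:  act(): Warning: For action 'list vms' no assets were specified. The action shall execute on all matching assets
2015-03-14T21:21:52.760000:  act(): Action 'list vms' shall be executed on assets: vmwarevsphere, vmwarevsphere2
2015-03-14T21:21:52.794000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:21:52.833000: Starting action 'list vms' on asset '5a776fff-37d7-4a34-a299-21354dff8c45'
"""

RESOLVED = re.compile(r"act\(\): Action '([^']+)' shall be executed on assets: (.+)$")
FANOUT = re.compile(r"act\(\): Warning: For action '([^']+)' no assets were specified")
STARTED = re.compile(r"Starting action '([^']+)' on asset '([0-9a-f-]{36})'")

def audit_scope(log_text, approved):
    """Summarise, per action, which assets a run resolved to and flag unapproved ones.

    approved: dict mapping action name -> set of asset names the reviewer expects.
    This allowlist is a hypothetical artifact kept by the reviewer, not a SOAR feature.
    """
    report = {}
    def entry(action):
        return report.setdefault(action, {"resolved": [], "started_ids": [],
                                          "all_matching": False, "unapproved": []})
    for line in log_text.splitlines():
        if m := FANOUT.search(line):
            entry(m.group(1))["all_matching"] = True
        elif m := RESOLVED.search(line):
            e = entry(m.group(1))
            for name in (n.strip() for n in m.group(2).split(",")):
                if name and name not in e["resolved"]:
                    e["resolved"].append(name)
        elif m := STARTED.search(line):
            entry(m.group(1))["started_ids"].append(m.group(2))
    for action, e in report.items():
        allowed = approved.get(action, set())
        e["unapproved"] = [n for n in e["resolved"] if n not in allowed]
        # A count mismatch means the log is incomplete or an asset never started.
        e["consistent"] = len(e["started_ids"]) == len(e["resolved"])
    return report

if __name__ == "__main__":
    for action, e in audit_scope(SAMPLE_LOG, {"list vms": {"vmwarevsphere"}}).items():
        print(action, e)
```

With only vmwarevsphere approved, the report flags vmwarevsphere2 as unapproved and marks the run as all_matching, which is the signal that the scope came from a tag rather than an explicit asset list.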