Splunk Lantern

Passing data between SOAR playbooks

 

Your Splunk SOAR playbooks are too complex to manage and use efficiently. You have decided to modularize them to reduce complexity. This means you need to leverage the ability of playbooks to call other playbooks to maintain all the functionality you've built. 

Solution 

To pass data between playbooks, you can use any of the following:

  • An input playbook that returns its results through the outputs of its end block.
  • The artifact of a container or data field of a container. Useful when multiple playbooks all work on one container.
  • A file in the vault or in the local file system. Delete the file after using it. Clusters replicate vault files but not local files.
  • Object storage using the save_object and get_object methods.
  • Custom lists. Useful for global cross-playbook data storage.
  • Playbook context using the save_run_data and get_run_data methods.

The remainder of this article explains some best uses and limitations for two of these solutions, both of which use the Data management automation API.

save_run_data / get_run_data

These API methods let you save and retrieve data to and from the playbook context.

  • The data is not visible in the UI.
  • By default the data is deleted when the playbook completes. Pass auto=False to persist the data until the playbook context ceases to exist.
  • The data can be retrieved by running any playbook that has been started from the playbook that saved the data in its context.
  • The value parameter expects a JSON string. Use the json.dumps method.
  • These methods are not supported in custom functions.
phantom.save_run_data(key=None, value=None, auto=True)
phantom.get_run_data(key=None)

For more information, see the Data management automation API section of the Python Playbook API Reference for Splunk SOAR manual.

save_object / get_object

These API methods let you save and retrieve data to and from the SOAR database. 

  • By default the data is persisted until you use the clear_object method to delete it. Pass auto_delete=True to have the data automatically deleted when the container is closed.
  • Any other playbook can call get_object to retrieve the data.
  • These methods are not supported in custom functions.
  • The value parameter expects a Python dictionary object.
phantom.save_object(key=None, value=None, container_id=None,
                    auto_delete=False, playbook_name=None,
                    repo_name=None)

For more information, see the Data management automation API section of the Python Playbook API Reference for Splunk SOAR manual.
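
The two mechanisms above, side by side, in an added example (not from the Splunk article or product documentation): a parent playbook publishes a triage verdict and two readers retrieve it. The function names, the triage_verdict key, and the get_object arguments and return shape (a list of records with a "value" field) are assumptions; the in-memory stand-in exists only so the code runs outside SOAR.

```python
import json

try:
    import phantom.rules as phantom  # present only inside Splunk SOAR
except ImportError:
    class _OfflineStandIn:
        """Constructed in-memory stand-in so the sketch runs outside SOAR."""
        def __init__(self):
            self._run, self._objects = {}, {}
        def save_run_data(self, key=None, value=None, auto=True):
            if not isinstance(value, str):
                raise TypeError("run data must be a JSON string")
            self._run[key] = value
        def get_run_data(self, key=None):
            return self._run.get(key)
        def save_object(self, key=None, value=None, container_id=None,
                        auto_delete=False, playbook_name=None, repo_name=None):
            if not isinstance(value, dict):
                raise TypeError("object value must be a dict")
            self._objects[(container_id, key)] = value
        def get_object(self, key=None, container_id=None):
            # Assumed return shape: a list of records carrying a "value" field.
            hit = self._objects.get((container_id, key))
            return [] if hit is None else [{"value": hit}]
    phantom = _OfflineStandIn()

def parent_save_verdict(verdict, container_id):
    """Parent playbook: publish one verdict through both mechanisms."""
    # Playbook context: JSON string, for playbooks started from this one.
    phantom.save_run_data(key="triage_verdict", value=json.dumps(verdict), auto=False)
    # SOAR database: dict, readable by any other playbook, so keep secrets out;
    # auto_delete=True removes it when the container is closed.
    phantom.save_object(key="triage_verdict", value=verdict,
                        container_id=container_id, auto_delete=True)

def child_read_run_verdict():
    """Child playbook: read from context; None if the parent saved nothing."""
    raw = phantom.get_run_data(key="triage_verdict")
    return json.loads(raw) if raw else None

def other_read_object_verdict(container_id):
    """Unrelated playbook: read the persisted copy for one container."""
    rows = phantom.get_object(key="triage_verdict", container_id=container_id)
    return rows[0]["value"] if rows else None

if __name__ == "__main__":
    sample = {"severity": "high", "indicators": ["198.51.100.7"]}  # constructed
    parent_save_verdict(sample, container_id=42)
    print(child_read_run_verdict(), other_read_object_verdict(42))
```

Both readers return None when nothing was saved, so a called playbook can tell a missing handoff apart from an empty verdict.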

Next steps

If you found this article useful and want to learn about the other methods of passing data or practice using the Python Playbook APIs, Splunk Education offers a 13.5-hour, instructor-led course on advanced Splunk SOAR implementation. The hands-on labs in the course will teach you how to:

  • implement Splunk SOAR solutions
  • configure external Splunk searches
  • integrate Splunk SOAR into the Splunk platform
  • access the Splunk platform from Splunk SOAR
  • create custom code
  • use the Splunk SOAR REST API

Click here for the course catalog where you can read the details about this and other Splunk SOAR courses, as well as register.