[ID-2044] Splunk SOAR: implement configure_scheduled_playbooks action

README.md

@@ -90,6 +90,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 [lookup domain](#action-lookup-domain) - Get all Iris Investigate data for a domain using the Iris Investigate API endpoint (required)  
 [enrich domain](#action-enrich-domain) - Get all Iris Investigate data for a domain except counts using the high volume Iris Enrich API endpoint (if provisioned)  
 [on poll](#action-on-poll) - Execute scheduled playbooks based on the set interval(mins) in 'domaintools_scheduled_playbooks' custom list. Smaller intervals will result in more accurate schedules  
+[configure scheduled playbooks](#action-configure-scheduled-playbooks) - Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status.  
 
 ## action: 'test connectivity'
 Validate the asset configuration for connectivity
@@ -600,5 +601,17 @@ Read only: **True**
 #### Action Parameters
 No parameters are required for this action
 
+#### Action Output
+No Output  
+
+## action: 'configure scheduled playbooks'
+Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status.
+
+Type: **generic**  
+Read only: **True**
+
+#### Action Parameters
+No parameters are required for this action
+
 #### Action Output
 No Output

domaintools_iris.json

@@ -101,7 +101,7 @@
             "description": "Splunk SOAR HTTPS port (default: 8443)",
             "data_type": "string",
             "default": "8443",
-            "order": 12
+            "order": 11
         }
     },
     "actions": [
@@ -2062,6 +2062,16 @@
             "parameters": {},
             "output": [],
             "versions": "EQ(*)"
+        },
+        {
+            "action": "configure scheduled playbooks",
+            "description": "Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status.",
+            "type": "generic",
+            "identifier": "configure_scheduled_playbooks",
+            "read_only": true,
+            "parameters": {},
+            "output": [],
+            "versions": "EQ(*)"
         }
     ],
     "pip39_dependencies": {

domaintools_iris_connector.py

@@ -31,6 +31,7 @@ class DomainToolsConnector(BaseConnector):
     ACTION_ID_REVERSE_DOMAIN = "reverse_lookup_domain"
     ACTION_ID_LOAD_HASH = "load_hash"
     ACTION_ID_ON_POLL = "on_poll"
+    ACTION_ID_CONFIGURE_SCHEDULED_PLAYBOOK = "configure_scheduled_playbooks"
 
     def __init__(self):
         # Call the BaseConnectors init first
@@ -350,7 +351,9 @@ def handle_action(self, param):
         elif action_id == self.ACTION_ID_LOAD_HASH:
             ret_val = self._load_hash(param)
         elif action_id == self.ACTION_ID_ON_POLL:
-            ret_val == self._on_poll(param)
+            ret_val = self._on_poll(param)
+        elif action_id == self.ACTION_ID_CONFIGURE_SCHEDULED_PLAYBOOK:
+            ret_val = self._configure_scheduled_playbooks(param)
 
         return ret_val
 
@@ -710,6 +713,34 @@ def _run_playbook(self, data: str):
 
         return False
 
+    def _create_scheduled_playbook_list(self):
+        self.debug_print(
+            f"Creating scheduled playbook list: {self._scheduled_playbooks_list_name}"
+        )
+        request_body = {
+            "content": [
+                [
+                    "repo/playbook_name",
+                    "interval (mins)",
+                    "last_run (server time)",
+                    "last_run_status",
+                    "remarks",
+                ],
+                ["local/DomainTools Monitor Domain Risk Score", "1440", "", "", ""],
+            ],
+            "name": self._scheduled_playbooks_list_name,
+        }
+        response = phantom.requests.post(
+            f"{self._rest_url}decided_list/",
+            data=json.dumps(request_body),
+            verify=False,
+        )
+
+        json_response = response.json()
+        if json_response.get("id"):
+            return json_response, True
+        return json_response, False
+
     def _update_scheduled_playbook_list(self, contents):
         self.debug_print("Updating scheduled playbook list")
         response = phantom.requests.post(
@@ -817,6 +848,22 @@ def _on_poll(self, param):
             return action_result.set_status(phantom.APP_SUCCESS, "Completed.")
         return action_result.set_status(phantom.APP_ERROR, "Something went wrong.")
 
+    def _configure_scheduled_playbooks(self, param):
+        self.debug_print("configure_scheduled_playbooks action called")
+        action_result = self.add_action_result(ActionResult(dict(param)))
+
+        res, is_created = self._create_scheduled_playbook_list()
+
+        if is_created:
+            return action_result.set_status(
+                phantom.APP_SUCCESS,
+                f"{self._scheduled_playbooks_list_name} list is sucessfully created.",
+            )
+        return action_result.set_status(
+            phantom.APP_ERROR,
+            f"{self._scheduled_playbooks_list_name}-{res.get('message')}",
+        )
+
 
 if __name__ == "__main__":
     import argparse