Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting error when trying to check if IP is local and make two separate queries to the CrowdStrike app.

Izzet
New Member
‎08-12-2020 02:15 AM

Hi everyone,

It might me a silly question 🙂

The simplified case.

3 artifacts within the event with 3 different IP addresses:

  • 192.168.0.1
  • 192.168.0.2
  • 8.8.8.8

I'm trying to check if IP is local and make separate queries to the crowdstrike (it could be any other app).

Izzet_0-1597220609886.png

 

Each query should use filter parameter local_ip:"{0}", so I'm using a Format gadget.

Izzet_1-1597220920004.png

 
 
 

I'm getting  a error during the execution because "Format" function returns joined value: local_ip:"192.168.0.1, 192.168.0.2".  And then it launches crowdstrike app just ones with this filter. But it should be 2 different request with a separate IP address in each one.

I tried to use as a filter parameter for the crowdstrike app:

  • "format_2:formatted_data.*" - returns None
  • "format_2:formatted_data" - returns "192.168.0.1, 192.168.0.2" as one string

So, how to make 2 different requests here?

Thanks.

Labels (1)
Labels
0 Karma
Reply

phanTom
SplunkTrust
SplunkTrust
‎09-16-2020 02:30 AM

@Izzet if you use the format block's list interpretation (https://docs.splunk.com/Documentation/Phantom/4.9/PlaybookAPI/PlaybookAPI#format) then you can use the .* output. 
In your format block you should put:

%%
local_ip:{0}
%%


Then when you use the .* output the action block knows it's getting a list and will create the relevant for loop to iterate though each one. 

As a side note, did you know the filter/decisions are CIDR aware? So you can use them to determine if they are in a known CIDR range (internal/RFC1918) or not without a custom function 😄 

For example you can put the IP (single or list) into the top field in a filter/decision condition, then use 'is in' then put the CIDR range in the final condition field, see below:

<IP_VALUE>
is in
192.168.0.0/16



If this helped please drop a like below!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...