Splunk SOAR (f.k.a. Phantom)

Running Phantom playbook separately for each artifact

dewu94
Explorer

I've noticed that it's possible to run a playbook in the scope of a single artifact using the Playbook Debugger. Is there any way to make playbooks behave like this in normal usage also?

To better describe what I mean let me use a simplified example - let's say that I have a playbook that gathers names of the artifacts via a 'format' block. Later on, text from this format block is used as a query in another block. So if there are 3 artifacts in this container, the output from the format block looks like this: "name1, name2, name3". And what I want to do is to get the first name, pass it to the next blocks until the whole process is finished, and then come back to the start of this playbook, get the second name and so on.

My playbook is working properly for single artifacts, but it fails while running on whole events, as my queries are not working with multiple arguments being passed. Is there any workaround for this?

*UPDATE*

According to Customize the format of your Splunk Phantom playbook content - Splunk Documentation I tried the option to include '%%' in the format block, but it did not change much. Still the next block is using the whole format block output at once.


phanTom
SplunkTrust

@dewu94 This is due to the way the CF interprets the output, and after some investigation: if you set the input on the function to item and pass in the formatted_data.* output from the format block, the function will be called separately against each item in the list. If you need all the entries at the same time, then you can set the input to a list and pass in the formatted_data, BUT then you have to parse the result to retrieve each JSON as they come through as a string.

I sent you some items on the Phantom Community Channel.

stauff
Explorer

I'm new to Phantom, and would be really interested if anyone has a better answer to this question, but I'll provide what I've been doing to solve this issue.

Rather than using a format block, I would create a custom function with an input and an output. Within the custom function, you can format your data however you'd like, and then use that formatted data as the output of the function. The function's input would be something like "*.name", and the output would be something like "formatted data". There are some good examples of custom functions in the community repo if you've never used custom functions before; they may help you understand how to create one that works for your need.

Another alternative is to pass in the list of names to the action where you want to use that list of names. So, your input to that action would be something like "artifact:*.name". Then, you can manually edit the code within that action's function. You'll see the default code for the action looping over the name list and you can tweak it as needed. Please note, if you go this route, the visual playbook editor will no longer maintain that action's code for you, which basically means you'll need to ensure the "callback" is correct if you make future changes to the playbook.

phanTom
SplunkTrust

@stauff I am not 100% sure what the question was but I will try and answer based on what I think you are trying to achieve.

It seems like you want to know a way to get the action block to iterate through a list you build yourself in a Custom Function?

If you create a Legacy Custom Function, have as many inputs as you like, manipulate any way you want and then output the data as a list object, then rather than edit the action block code (as you referred to the VPE loss), you can put the output datapath from the Custom Function into a format block with the below:
%%
{0}
%%
(0 = custom function output datapath)

Then in the action block use the formatted_data.* output from the format block and you will see the code loops through as it expects a list object from the format block. 

Hope this helped, if not please explain a bit more about what you are trying to do. 
Thanks,
Tom

dewu94
Explorer

This topic is quite old and in the meantime I figured out the same approach as suggested by stauff, but after migration from 4.8 to 4.10 this approach is no longer working for me. 

I have a format block configured as follows:

%%
{{"{0}":"{1}"}}
%%


and the issue is that the custom function which should get the data from the format block as a list of JSON-like values is not working properly. In the logs I can see that the function is called with the following parameter

'formatted_data': ['{']

Why is it taking only the first character instead of the whole content of the format block? On version 4.8 it was working fine. The format block is working properly, because I put it into a prompt and I can see that it gives the values as expected. The issue must be in the way new custom functions in 4.10 are processing the input. It does not matter if I choose 'item' or 'list' as the input type. For list it's ['{'] and for item it's '{'


sam_splunk
Splunk Employee

Can you walk through which all components are being used? For example are we talking about custom functions or legacy custom functions? If you can provide enough info for me to duplicate the environment, I can chase down the problem.


dewu94
Explorer

We are talking about new custom functions. After the migration my playbook stopped working (no errors, it just froze every time after calling one of the functions), so I decided that maybe converting my legacy functions to the new format would fix the issue.

The scenario is as follows:

  • LDAP > get user attributes block is used to gather the data about account status
  • Format block is taking 2 values from previous block: get_user_attributes_1:action_result.parameter.username and get_user_attributes_1:action_result.data.*.useraccountcontrol. It's configured this way:


%%
{{"{0}":"{1}"}}
%%


  • Custom function is taking this as a list (format_1:formatted_data.*). In 4.8 it was working fine and results were as expected. In 4.10 it's taking this input character by character, not the whole JSON at a time. So in the first iteration it takes '{' or ['{'] depending on whether the input type is set to item or a list.

In the meantime I will try the ways suggested by @phanTom, but in general I guess it should not work this way?

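To make phanTom's remark about parsing the JSON strings concrete, and to show how a function can tell the expected list apart from the single-character fragments dewu94 reports, here is an added stand-alone Python example (not code from this thread or from Splunk SOAR): it parses the list a format block with the {{"{0}":"{1}"}} template would emit, using constructed sample values, and as an extra step decodes the ACCOUNTDISABLE bit of userAccountControl to answer the "account status" question the playbook is after.

```python
import json

# Constructed sample of what a format block with the template
#   %%
#   {{"{0}":"{1}"}}
#   %%
# emits for three username/useraccountcontrol pairs (values made up).
SAMPLE_FORMATTED_DATA = [
    '{"jdoe":"512"}',
    '{"asmith":"514"}',
    '{"bwong":"66048"}',
]

# Bit 0x2 of Active Directory's userAccountControl is ACCOUNTDISABLE.
ACCOUNTDISABLE = 0x2


def parse_formatted_data(formatted_data):
    """Turn format block output into ({username: uac_int}, [bad fragments]).

    Accepts the list form (input type 'list' / formatted_data.*) or a single
    string (input type 'item'). Entries that are not complete JSON objects,
    such as the lone '{' seen in the thread, are returned in the second
    element instead of being silently dropped, so a playbook can detect that
    the input was split wrongly rather than proceeding on an empty result.
    """
    if isinstance(formatted_data, str):
        formatted_data = [formatted_data]
    parsed, bad = {}, []
    for entry in formatted_data:
        try:
            obj = json.loads(entry)
        except (TypeError, ValueError):
            bad.append(entry)
            continue
        if not isinstance(obj, dict):
            bad.append(entry)
            continue
        for user, uac in obj.items():
            parsed[user] = int(uac)
    return parsed, bad


def disabled_accounts(parsed):
    """Return usernames whose userAccountControl has ACCOUNTDISABLE set."""
    return sorted(user for user, uac in parsed.items() if uac & ACCOUNTDISABLE)
```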