Splunk SOAR (f.k.a. Phantom)

Call API to get results from prompt?

nhammSplunk
Explorer

In a custom code block, given the following pseudo code:

def promptIpToBlock(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('promptIpToBlock() called')

    # set user and message variables for phantom.prompt call
    user = phantom.get_run_data("logged_in_user")
    message = """Enter IP/CIDR addresses to be blocked"""

    # responses: a single free-text answer from the user
    response_types = [
        {
            "prompt": "",
            "options": {
                "type": "message",
            },
        },
    ]

    # name and callback are both given so the playbook waits for the answer
    phantom.prompt2(container=container, user=user, message=message, respond_in_mins=5, name="prompt_ip_to_block", response_types=response_types, callback=checkIpAgainstWhitelist)

    return

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    # attempt to read the prompt response from run data
    myVar = phantom.get_run_data(key='prompt_ip_to_block')
    phantom.debug("myVar: {}".format(myVar))

    # check for 'if' condition 1
    matched_artifacts_1, matched_results_1 = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["(phantom.valid_ip(promptIpToBlock:action_result.summary.responses.0) or phantom.valid_net(promptIpToBlock:action_result.summary.responses.0))", "==", "true"],
        ])

    # call connected blocks for 'else' condition 4
    join_formatBlockParamteres(action=action, success=success, container=container, results=results, handle=handle)

    return

'myVar' doesn't show up in checkIpAgainstWhitelist(). Am I using the correct API call to get the data from promptIpToBlock()?


nhammSplunk
Explorer

Here's the answer: use 'results'.

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('checkIpAgainstWhitelist() called')

    # the prompt's free-text answer is delivered in the callback's results argument
    myUserResponse = results[0]['action_results'][0]['message']

    return


iqbalhonnur
New Member

Hello there, I am new to Splunk. I tried the above solution, but the issue is the callback function is getting executed before the user enters the input in the prompt, which is resulting in results being a NoneType datatype. Can someone help me out on this?

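The accepted answer reads the analyst's text out of `results[0]['action_results'][0]['message']`, and the reply above reports `results` being `None` when the callback runs before the prompt is answered. The following is an added example, not code from the thread or from Splunk SOAR: it takes a constructed `results` value of exactly that shape, guards the `None`/empty case, validates each entry as an IP or CIDR with the standard `ipaddress` module (standing in for `phantom.valid_ip` / `phantom.valid_net`), and drops anything that overlaps a hypothetical allowlist before it would be handed to a block action. The allowlist and the sample response are assumptions.

```python
import ipaddress

# Constructed sample of the callback's `results` argument, indexed the way the
# accepted answer does: results[0]['action_results'][0]['message'].
SAMPLE_RESULTS = [
    {
        "action_results": [
            {"message": "203.0.113.7, 198.51.100.0/24, 10.0.0.5, not-an-ip"}
        ]
    }
]

# Hypothetical allowlist (constructed): ranges that must never be blocked.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]


def extract_prompt_message(results):
    """Return the prompt's free-text answer, or None if it is not there yet.

    Guards the case raised in the thread: if the callback fires before the
    prompt is answered, `results` is None and indexing it raises TypeError.
    """
    if not results:
        return None
    try:
        return results[0]["action_results"][0]["message"]
    except (IndexError, KeyError, TypeError):
        return None


def parse_ip_entries(message):
    """Split a comma/whitespace separated answer into ip_network objects.

    A bare address becomes a /32 (or /128) network, mirroring the
    'valid_ip or valid_net' condition in the question.
    Returns (valid_networks, rejected_tokens).
    """
    valid, rejected = [], []
    if not message:
        return valid, rejected
    for token in message.replace(",", " ").split():
        try:
            valid.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            rejected.append(token)
    return valid, rejected


def filter_allowlisted(networks, allowlist=ALLOWLIST):
    """Separate candidates that overlap an allowlisted range from the rest."""
    to_block, skipped = [], []
    for net in networks:
        if any(net.overlaps(allowed) for allowed in allowlist):
            skipped.append(net)
        else:
            to_block.append(net)
    return to_block, skipped


def check_ip_against_allowlist(results):
    """Callback-style entry point: what to block, what was skipped, what was rejected."""
    message = extract_prompt_message(results)
    if message is None:
        return {"to_block": [], "skipped": [], "rejected": [],
                "error": "no prompt response yet"}
    networks, rejected = parse_ip_entries(message)
    to_block, skipped = filter_allowlisted(networks)
    return {
        "to_block": [str(n) for n in to_block],
        "skipped": [str(n) for n in skipped],
        "rejected": rejected,
        "error": None,
    }


if __name__ == "__main__":
    print(check_ip_against_allowlist(SAMPLE_RESULTS))
    print(check_ip_against_allowlist(None))
```

Inside a real playbook the `phantom` module is available and `check_ip_against_allowlist(results)` would be called from the prompt callback; the point of the structure is that a missing or malformed response produces an explicit error field instead of an exception, and that validation and the allowlist check happen before any block action is queued.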


phantom_mhike
Path Finder

I'm not completely certain I follow the question. It seems you executed a prompt2 within the context of a custom function?

If that is the case, you can still access the data you need as long as you specified a name and a callback for the prompt2. If you didn't specify a name then you will have a hard time manually specifying the action results. If you don't define a callback then the playbook won't wait for the prompt to be addressed and your results will always be null. The VPE doesn't know to look for the action results from custom functions like that, so you will have to specify them manually:

nhammSplunk
Explorer

I've updated the code and question. This should add clarification.
