Splunk Phantom

call API to get results from prompt?

nhammSplunk
Explorer

In a custom code block given the following pseudo code:

def promptIpToBlock(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):    
    phantom.debug('promptIpToBlock() called')

    # set user and message variables for phantom.prompt call
    user = phantom.get_run_data("logged_in_user")
    message = """Enter IP/CIDR addresses to be blocked"""

    #responses:
    response_types = [
        {
            "prompt": "",
            "options": {
                "type": "message",
            },
        },
    ]

    phantom.prompt2(container=container, user=user, message=message, respond_in_mins=5, name="prompt_ip_to_block", response_types=response_types, callback=checkIpAgainstWhitelist)

    return

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    myVar = phantom.get_run_data(key='prompt_ip_to_block')
    phantom.debug("myVar: {}".format(myVar))

    # check for 'if' condition 1
    matched_artifacts_1, matched_results_1 = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["(phantom.valid_ip(promptIpToBlock:action_result.summary.responses.0) or phantom.valid_net(promptIpToBlock:action_result.summary.responses.0))", "==", "true"],
        ])

    # call connected blocks for 'else' condition 4
    join_formatBlockParamteres(action=action, success=success, container=container, results=results, handle=handle)

    return

'myVar' doesn't show up in checkIPAgainstWhitelist(). Am I using the correct API call to get the data from promptIpToBlock()?

0 Karma
1 Solution

nhammSplunk
Explorer

Here's the answer, use 'results'.

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('checkIpAgainstWhitelist() called')

    myUserResponse = results[0]['action_results'][0]['message']

    return


0 Karma
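An added example, not part of the original posts or of Phantom's own code: once the callback reads the prompt response from `results` as in the accepted answer, the text is free-form analyst input and should be validated before it reaches a block action. The function names, the allowlist, and the sample `results` are assumptions constructed for illustration, and the standard-library `ipaddress` module stands in for `phantom.valid_ip` / `phantom.valid_net` so the block runs outside a playbook.

```python
import ipaddress
import re

# Constructed allowlist of networks that must never be blocked (hypothetical values).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.53/32")]


def extract_prompt_response(results):
    """Return the analyst's text from the callback `results`, or "" if absent.

    Uses the path from the accepted answer: results[0]['action_results'][0]['message'].
    """
    try:
        message = results[0]["action_results"][0]["message"]
    except (IndexError, KeyError, TypeError):
        return ""  # prompt timed out or results has an unexpected shape
    return message if isinstance(message, str) else ""


def triage_block_request(results, allowlist=ALLOWLIST):
    """Split the response into entries and sort them into block / allowlisted / invalid."""
    verdict = {"block": [], "allowlisted": [], "invalid": []}
    for entry in re.split(r"[,\s]+", extract_prompt_response(results).strip()):
        if not entry:
            continue
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 198.51.100.9/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            verdict["invalid"].append(entry)
            continue
        # Any overlap with the allowlist (including a too-broad CIDR) is held back.
        if any(net.version == a.version and net.overlaps(a) for a in allowlist):
            verdict["allowlisted"].append(str(net))
        else:
            verdict["block"].append(str(net))
    return verdict


# Constructed sample in the shape the accepted answer indexes; not captured from Phantom.
SAMPLE_RESULTS = [{"action_results": [
    {"message": "203.0.113.7, 198.51.100.0/24 10.1.2.0/24 not-an-ip 198.51.100.9/24"}]}]

if __name__ == "__main__":
    print(triage_block_request(SAMPLE_RESULTS))
```

Only the `block` list would be passed on to the next playbook block; `allowlisted` and `invalid` entries are candidates for a follow-up prompt or a note on the container.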

phantom_mhike
Path Finder

I'm not completely certain I follow the question. It seems you executed a prompt2 within the context of a custom function?

If that is the case, you can still access the data you need as long as you specified a name and a callback for the prompt2. If you didn't specify a name then you will have a hard time manually specifying the action results. If you don't define a callback then the playbook won't wait for the prompt to be addressed and your results will always be null. The VPE doesn't know to look for the action results from custom functions like that so you will have to specify them manually:

nhammSplunk
Explorer

I've updated the code and question. This should add clarification.

0 Karma