Splunk SOAR (f.k.a. Phantom)

Getting results of phantom.act() within custom code block?

cmg
Explorer

I'm trying to get at the results of a phantom.act() action run, more specifically the Splunk HTTP app  "get file" action.

Something as simple as:

# inside a custom code block

def get_action_results(**kwargs):
    phantom.debug(action)
    phantom.debug(success)
    phantom.debug(results)
    phantom.debug(handle)
    return

phantom.act('get file', parameters=[{'hostname': '', 'file_path': '/path/to/file'}], assets=["web_server"], callback=get_action_results)


The action will run as expected, however the callback isn't getting the results output. Am I misunderstanding callbacks in this scenario?


SOARt_of_Lost
Path Finder

I'm not familiar with the HTTP app so can't speak directly to this specific example, but I can answer your question at the end: Yes you are.

The way callback works is it looks for another playbook block by that name, not a function defined within the same block. So what you can do is use the standard HTTP action block and move get_action_results to its own playbook block. SOAR will understand that you want to input the values from the action calling the callback.

Looking at your reply on the other thread, something that may be helpful would be writing a loop to separate each URL and run through the process one by one. It's slower and more resource intensive, but that way you don't need to worry about keeping track of multiple results at once.


phanTom
SplunkTrust

@cmg I do have to ask why you are doing it this way? The app framework removes all of this necessity 😄 

As my old mentor said "Use the platform Luke...erm Tom" 😄 

Why not just use the HTTP action and then select the data returned by using the relevant datapath downstream. The HTTP app doesn't show you all the returned fields in the playbook datapaths as the dev couldn't know all returned so stopped at "response_body" or "parsed_response_body". You have to write the path to the returned data yourself.  

Best way is to run the action, select it in the activity pane of the container, find the value you want in the JSON presented and click on the key in the window. There should be a datapath-type thing at the top. 0 = * and > = . in the datapath you put in the playbook.

-- Hope this helped! If it solved your issue please mark as a solution for future questions on the same thing. Happy SOARing! --


cmg
Explorer

Normally I would, however I am running into an issue where:

1. I am querying a file attachment from ServiceNow that returns download URL(s) (can be an arbitrary number of URLs) presented by the API.
2. The URL(s) contain the file sys_id, e.g. "/api/now/1111111122222233333/file", and do not offer a way to download as the file name, requiring it to be renamed once in the container vault. 
3. The HTTP app downloads the URL(s) as the generic file name "file" in a container vault and creates a vault_id.
4. I need to rename that file to the correct file name (from the ServiceNow data), using a bit of vault_add() magic.

Step 4 is where I lose the ability to reliably associate the original file name (via the Service Now sys_id) with the vault_id when passing multiple URLs. I don't see an easy or reliable way to capture the original file name and associate it with the correct vault_id.

The attempted work-around thought is using phantom.act() in this manner where I can control the loop and guarantee the correct vault_id.
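As an added illustration of the two points in this thread (not code from the thread or from Splunk SOAR itself): phanTom's rule for turning an activity-pane key path into a playbook datapath (list index becomes `*`, `>` becomes `.`), and cmg's problem of keeping a file name paired with its download URL when a wildcard datapath flattens several results into one list. The result JSON, the `sn.example` host and the field names are constructed for the example; the helpers resolve a wildcard datapath against the JSON and read both fields from the same list element so they stay paired.

```python
import re
from typing import Any, Iterator, Optional

# Constructed sample in the shape of an action result (not real HTTP app output).
SAMPLE_RESULT = {
    "action_result": {
        "data": [{"parsed_response_body": {"result": [
            {"file_name": "invoice.pdf",
             "download_link": "https://sn.example/api/now/1111111122222233333/file"},
            {"file_name": "notes.txt",
             "download_link": "https://sn.example/api/now/4444444455555566666/file"},
        ]}}]
    }
}

def activity_path_to_datapath(activity_path: str) -> str:
    """'a > 0 > b' (activity pane) -> 'a.*.b' (playbook datapath):
    numeric list indices become '*', the ' > ' separators become '.'."""
    parts = [p.strip() for p in activity_path.split(">")]
    return ".".join("*" if p.isdigit() else p for p in parts)

def _walk(node: Any, parts: list) -> Iterator[Any]:
    if not parts:
        yield node
        return
    head, rest = parts[0], parts[1:]
    if head == "*" and isinstance(node, list):
        for item in node:          # wildcard fans out over every list element
            yield from _walk(item, rest)
    elif isinstance(node, dict) and head in node:
        yield from _walk(node[head], rest)

def resolve_datapath(result: dict, datapath: str) -> list:
    """Return every value a wildcard datapath selects, as one flat list."""
    return list(_walk(result, datapath.split(".")))

def pair_fields(result: dict, parent_path: str, keys: list) -> list:
    """Resolve the parent element once and read all keys from that same element,
    so name and link stay paired instead of being two independent flat lists."""
    return [{k: elem.get(k) for k in keys} for elem in resolve_datapath(result, parent_path)]

def sys_id_from_link(link: str) -> Optional[str]:
    """Pull the sys_id out of the '/api/now/<sys_id>/file' URL shape quoted above."""
    m = re.search(r"/api/now/([^/]+)/file", link)
    return m.group(1) if m else None
```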
