Solved: How do I try an action several times?

ben_r · ‎10-12-2022

I have an action that I need a response from before the playbook can proceed, but the app is prone to occasionally time out or return an invalid result. To handle this, I want to try the action 3 times; if I still don't get a valid response, then the playbook should proceed with handling it as a failure and alert as such. I'm having trouble finding a good way to build the loop, though. It doesn't appear that there's a way to declare a variable (i.e. the loop counter) outside the action block, so I have no way to tell where I am in the loop. How can I declare a variable with global scope (or at least scope it outside the action block) in 5.2.1.78411? Alternately, is there a "retry this action n times if it fails" option that I can apply?

phanTom · ‎10-13-2022

@ben_r loops are not supported, yet, in playbooks but I would expect is on a roadmap somewhere as the community has been asking for a while! There is also no "retry n times on failure", but this could be written in to the app but you would need to let the app know how to determine the invalid response.

It depends on how you are determining a "valid response" but if you only need to try a max of 3 times, for now, and to keep your playbook "clean" from too much custom code, I would just have the action, followed by a decision 3 times. If the 1st action is "invalid response" in the decision block, call the 2nd action block and so on.

Loops can be done but you need to edit a lot of the code to make it work and it's not really best practise to do it like that.

View solution in original post

phanTom · ‎10-13-2022

@ben_r loops are not supported, yet, in playbooks but I would expect is on a roadmap somewhere as the community has been asking for a while! There is also no "retry n times on failure", but this could be written in to the app but you would need to let the app know how to determine the invalid response.

It depends on how you are determining a "valid response" but if you only need to try a max of 3 times, for now, and to keep your playbook "clean" from too much custom code, I would just have the action, followed by a decision 3 times. If the 1st action is "invalid response" in the decision block, call the 2nd action block and so on.

Loops can be done but you need to edit a lot of the code to make it work and it's not really best practise to do it like that.

ben_r · ‎10-13-2022

Thank you for the reply @phanTom ; I was hoping there might be a canned action for it but I guess there isn't. I did try declaring a counter variable in global scope in a custom code block at the top of the playbook and tried testing against it in a decision block right after the action, but while I can address it in the custom blocks with global, there doesn't seem to be a way to make it available to the decision block:

Oct 13, 09:06:20 : phantom.condition(): condition loop: condition 1, 'failed' '!=' 'success' => result:True

Oct 13, 09:06:20 : phantom.condition(): condition 2 to evaluate: LHS: global userDevicesLoop OPERATOR: < RHS: 3

Oct 13, 09:06:20 : phantom.condition(): condition loop: condition 2, 'userDevicesLoop' '<' '3.0' => result:False

(it's still 0 at that point, verified with a phantom.debug(str(userDevicesLoop)) in a section above that)

For only three tries, I guess I can just stack actions and decisions like you suggested. It'll look cluttered and be awkward to build, but I'm not seeing a good alternative either, if there's no way to declare a value that can be addressed through the whole playbook.

How do I try an action several times?

development

using SOAR ⁄ Phantom

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio