Splunk SOAR (f.k.a. Phantom)

How do you achieve "for" loops?

rivaanb
Engager

Hi,

We've been trying to use "for loop" logic within playbook app actions. However, there seems to be no way to achieve this out of the box.

For example, we use the action "get file". This action only accepts one machine id at a time. We want to get multiple files via this action (for each item, send to "get file"), thereafter send each file through a sub playbook and then return all outputs to a prompt in the main playbook with enrichment.


phanTom
SplunkTrust

@rivaanb 
SOAR already uses loops to build parameter lists to pass into actions. Once you understand how the platform passes information into and out of actions it's not too bad 😄

It depends where you are getting the ids, but if you can build a list of ids to pass into 'get_file' in a Code Block, output them as a python list, then pass them into a format block:
%%
{0}
%%

0 = your python list of ids

Then in the 'get_file' action use the '...formatted_data.*' output from the format block. You will see SOAR create a for loop, loop through each value, add it to a parameters list, then call the action.

I suspect the get_file will then just provide a vaultId for the file(s) it got. If so then you just need to pass those vaultId values to your input-playbook.

The prompt is trickier and IMO, if there is a lot of enrichment data, I usually add note(s) to a task and then provide a "determination playbook" for the user to run once they have read and understood the note(s). This stops the automation hanging waiting for a prompt response and makes the system more efficient from my experience.

Happy SOARing - If this helped please mark as a solution or feel free to ask more questions. 

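The fan-out the accepted answer describes, as an added example that is not code from the thread or from Splunk: it runs offline the three steps phanTom lists (a %% ... %% format block expanding {0} once per list item, the one-parameter-per-item list SOAR's generated playbook code builds before calling `get file`, and collecting the returned vault id for the sub-playbook). It does not import the real `phantom` playbook module; the parameter key `id`, the result key `vault_id`, and the sample ids and action results are constructed assumptions rather than any particular app's schema. The one thing it adds beyond the answer is the check a practitioner wants after a batched action: a per-machine success/failure split, so one host that failed `get file` is surfaced instead of silently dropped from the enrichment stage.

```python
"""Added example; it is not code from the original thread or from Splunk.

It models phanTom's pattern offline: render a %% ... %% format block per
list item, build the per-item parameter list SOAR's generated code loops
over, and collect the vault id each `get file` result returned. The
`phantom` module is not imported; the parameter key "id", the result key
"vault_id" and the sample data are illustrative assumptions.
"""
import re
from typing import Any, Iterable

# A format block template of the kind shown in the answer: the text between
# the %% markers is rendered once per element of the list bound to {0}.
FORMAT_TEMPLATE = "%%\n{0}\n%%"

_LOOP = re.compile(r"%%\n(.*?)\n%%", re.DOTALL)


def render_format_block(template: str, values: list[Any]) -> list[str]:
    """Render a format block as the list SOAR exposes via formatted_data.*."""
    m = _LOOP.search(template)
    if m is None:  # no loop markers: a plain format block, one string
        return [template.format(values)]
    return [m.group(1).format(v) for v in values]


def build_parameters(items: Iterable[Any], key: str = "id") -> list[dict]:
    """Mirror of the loop SOAR writes into generated playbook code: one
    parameter dict per item. Blank items are skipped so an empty line in
    the formatted data does not turn into a `get file` call with no id."""
    parameters = []
    for item in items:
        if item is None or str(item).strip() == "":
            continue
        parameters.append({key: str(item).strip()})
    return parameters


def collect_vault_ids(results: list[dict]) -> tuple[dict, list]:
    """Map each machine id to the vault id its result returned (what the
    datapath action_result.data.*.vault_id would yield) and list the ids
    that failed, so the prompt/sub-playbook stage can see the gap."""
    found, failed = {}, []
    for r in results:
        machine = r.get("parameter", {}).get("id")
        ids = [d["vault_id"] for d in r.get("data", []) if d.get("vault_id")]
        if r.get("status") == "success" and ids:
            found[machine] = ids[0] if len(ids) == 1 else ids
        else:
            failed.append(machine)
    return found, failed


# Constructed sample: ids a Code Block might emit (note the blank entry) and
# action results shaped like SOAR action_result entries (assumed layout).
SAMPLE_IDS = ["host-a1", "", "host-b2", "host-c3"]
SAMPLE_RESULTS = [
    {"parameter": {"id": "host-a1"}, "status": "success",
     "data": [{"vault_id": "3f2a...a1"}]},
    {"parameter": {"id": "host-b2"}, "status": "failed",
     "data": [], "message": "host offline"},
    {"parameter": {"id": "host-c3"}, "status": "success",
     "data": [{"vault_id": "9c0d...c3"}]},
]


def run_pipeline(ids=SAMPLE_IDS, results=SAMPLE_RESULTS):
    """Format block -> parameter list -> per-machine vault ids / failures."""
    formatted = render_format_block(FORMAT_TEMPLATE, ids)
    params = build_parameters(formatted)
    found, failed = collect_vault_ids(results)
    return formatted, params, found, failed


if __name__ == "__main__":
    formatted, params, found, failed = run_pipeline()
    print("formatted_data.* ->", formatted)
    print("get_file parameters ->", params)
    print("vault ids ->", found)
    print("failed machines ->", failed)
```

In a real playbook the three steps are spread across a Code Block, a Format block and the generated `get_file` action function; the point of keeping the failure list is that SOAR will happily continue with two vault ids for three requested machines, so the note or prompt downstream should state which hosts are missing.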