Splunk SOAR (f.k.a. Phantom)

How to reference a specific artifact in Phantom Playbook Visual Editor

zyun
Explorer

Hello, I'm looking to reference a specific artifact from the Phantom Playbook Visual Editor.

For example, a Phantom: Update Artifact block takes two parameters: artifact_id and cef_json. The list of default datapaths for artifact_id all follow the format of artifact:*.<field>, where the wildcard causes the update to occur on ALL artifacts. I would instead like to reference the first artifact in the container, so that only the first artifact is updated.

Is there a way to construct the datapath to accomplish this?


The current workaround I have for this is to use a Custom Function to output the first artifact object of the container, but this only creates a snapshot of the artifact object at the time the function is called; if I update the artifact after calling the function, I'll need to call the function again to get the updated artifact object values.

The closest thing I've seen to this is the phantom.collect() API call, in which you can specify a datapath with a specific label (i.e. phantom.collect(container, "artifact:uniqueLabel")), where you can specify a label and only the artifacts with the given label are returned, but this same syntax does not work in the Playbook Visual Editor.


lindonmorris
Explorer

I don't know if this works for artifacts, but you can reference a list index in the data path.

Using the function "string_split":

string_split:custom_function_result.data.*.item < All items

string_split:custom_function_result.data.0.item < Item 0


Dave_Burns
Path Finder

I've not come across a solution other than what WalshyB suggested either. I get why you'd want to do [0] (I've needed the same ability) but I've not seen a guarantee anywhere of list order either.


mkz
Explorer

For future readers and yourself, the solution I found to this was to use the filter block to obtain a reference to the artifact you need.

For example, in my case I needed a reference to the first artifact in a container, so I made the first artifact always have the label 'main'. Then with a filter node, I do a condition for artifact:*.label == main. Then, in any downstream blocks, you can reference the output of the filter block (which in my case will be any artifact with the label main).

WalshyB
SplunkTrust

If it's still required,

you could do a filter that would match all artifacts, i.e. id != "", and add code to the phantom.condition() function with limit=1 added to the parameters.

import phantom.rules as phantom  # already present in generated playbook code

# Filter block that matches every artifact (id is never empty) but stops
# after the first match, so the filtered datapath holds a single artifact.
matched_artifacts_1, matched_results_1 = phantom.condition(
    container=container,
    conditions=[
        ["artifact:id", "!=", ""],
    ],
    name="filter_first_artifact:condition_1",
    limit=1)

This should give you the first artifact in that container (first created). You can then use that filtered datapath to update only that artifact.


mkz
Explorer

This does work, but is there a way to do this without having to add custom code to each node we want to apply this to?

The ideal solution would be being able to specify a datapath like this: artifact:[0].cef.username, where [0] indicates the first artifact within the container.

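The three approaches discussed in this thread (the wildcard datapath versus a list-index datapath, a filter on a label, and a filter with limit=1) as an added illustration that is not part of any post above and does not use Splunk SOAR's own phantom.* playbook API: a small Python model of how a datapath selects artifacts from a container. The container, artifact ids and labels are constructed sample data; the artifact:[0]... form is the hypothetical syntax mkz asked for, not a syntax SOAR supports; the "artifact:label" / "artifact:*.label" condition forms mirror the posts above; and treating the lowest id as "first created" is an assumption about how ids are assigned. The sample list is deliberately out of id order to show Dave_Burns's point that limit=1 only returns the first-created artifact if the list happens to be in creation order.

```python
"""Model of how a Splunk SOAR datapath selects artifacts from a container.

Added illustration for this thread: it is not Splunk SOAR code and does not
call the phantom.* playbook API. CONTAINER is constructed sample data; the
'artifact:[0]...' selector is the syntax asked for in the thread, not one
SOAR supports; 'first created' == lowest id is an assumption.
"""
import operator
import re
from typing import Any, Dict, List, Optional, Sequence

# Constructed sample container. The list is deliberately NOT in id order,
# because nothing guarantees the order artifacts come back in.
CONTAINER: Dict[str, Any] = {
    "id": 1001,
    "artifacts": [
        {"id": 12, "label": "event", "cef": {"sourceAddress": "10.0.0.5"}},
        {"id": 10, "label": "main", "cef": {"sourceAddress": "10.0.0.3", "username": "alice"}},
        {"id": 11, "label": "event", "cef": {"sourceAddress": "10.0.0.4", "username": "bob"}},
    ],
}

# artifact:<selector>[.<dotted field path>], where selector is '*' (wildcard,
# every artifact) or a list position written as 1 or [1] (hypothetical form).
_DATAPATH = re.compile(r"^artifact:(\*|\[?\d+\]?)(?:\.(.+))?$")
_OPS = {"==": operator.eq, "!=": operator.ne}


def _get(obj: Any, dotted: str) -> Any:
    """Walk a dotted path ('cef.username') through nested dicts; None if absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def resolve_datapath(container: Dict[str, Any], datapath: str) -> List[Any]:
    """Return the value(s) a datapath selects, one entry per selected artifact.

    'artifact:*.cef.username' yields one value per artifact, which is why an
    Update Artifact block fed that path acts on ALL artifacts; '1' or '[1]'
    yields only the artifact at that list position (hypothetical syntax).
    """
    m = _DATAPATH.match(datapath)
    if not m:
        raise ValueError(f"unsupported datapath: {datapath}")
    selector, field = m.groups()
    artifacts = container["artifacts"]
    if selector == "*":
        chosen = artifacts
    else:
        idx = int(selector.strip("[]"))
        chosen = artifacts[idx:idx + 1]  # empty, not an error, if out of range
    return [a if field is None else _get(a, field) for a in chosen]


def filter_artifacts(artifacts: Sequence[Dict[str, Any]],
                     conditions: Sequence[Sequence[Any]],
                     logical_operator: str = "and",
                     limit: Optional[int] = None) -> List[Dict[str, Any]]:
    """Model of a filter block: keep artifacts satisfying the conditions,
    stopping after `limit` matches when a limit is given.

    Each condition is [datapath, op, value]; the datapath may be written as
    'artifact:label' or 'artifact:*.label'. With limit=1 the result is the
    first match IN LIST ORDER, which is only 'first created' if the list is.
    """
    combine = all if logical_operator == "and" else any
    matched: List[Dict[str, Any]] = []
    for art in artifacts:
        checks = []
        for path, op, value in conditions:
            field = re.sub(r"^artifact:(\*\.)?", "", path)
            checks.append(_OPS[op](_get(art, field), value))
        if combine(checks):
            matched.append(art)
            if limit is not None and len(matched) >= limit:
                break
    return matched


def first_created(artifacts: Sequence[Dict[str, Any]]) -> Dict[str, Any]:
    """Deterministic 'first artifact': assumes ids are assigned in creation
    order, so the lowest id is the first created regardless of list order."""
    return min(artifacts, key=lambda a: a["id"])


if __name__ == "__main__":
    arts = CONTAINER["artifacts"]
    print("wildcard ids:", resolve_datapath(CONTAINER, "artifact:*.id"))
    print("index [1]:", resolve_datapath(CONTAINER, "artifact:[1].cef.username"))
    print("label main:", [a["id"] for a in filter_artifacts(arts, [["artifact:*.label", "==", "main"]])])
    print("limit=1:", [a["id"] for a in filter_artifacts(arts, [["artifact:id", "!=", ""]], limit=1)])
    print("first created:", first_created(arts)["id"])
```

Running the model, the wildcard path returns one value per artifact, the label filter returns only the artifact labelled main, and the id != "" filter with limit=1 returns artifact 12 (first in the list) while the lowest id is 10: the two notions of "first" only agree when the list is in creation order, which is the ordering guarantee Dave_Burns notes is missing.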