Splunk SOAR (f.k.a. Phantom)

List of dicts from a "custom code block" into a "filter block"

glc_slash_it
Path Finder

Hello

I'm trying to pass a list of dicts from a "custom code block" into a "filter block", to run either ip_lookup, hash_lookup, or both sub-playbooks based on the indicator type.

For example:
ioc_list = [
    {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    },
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
    }
]
 
And then on filter I have:
if get_indicators:custom_function:ioc_list.*.type == ip
    run -> ip_lookup sub-playbook
if get_indicators:custom_function:ioc_list.*.type == hash
    run -> hash_lookup sub-playbook
 
 
And it looks like the filter does half of the job, because it can route to the proper sub-playbook(s), but instead of forwarding only the elements that match the conditions, it simply forwards all elements.
 
 

Expected output:

filtered-data on condition_1 route

[ {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
}]

 

filtered-data on condition_2 route: 

[{
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
       
}]
 
Actual output on both condition routes:
[{
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    },
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
}]
 
 
Even though this seems like a specific question, it is also part of a broader misunderstanding of how custom code blocks and filters interact with each other.
 
Hope someone can enlighten me on the correct path.
Thanks
 
0 Karma
1 Solution

phanTom
SplunkTrust

@glc_slash_it custom functions don't pass out information in the same way an action would via action_results. You can't filter on CF outputs in the same way unfortunately. 

Either:

1. Do the filtering in the CF and pass out only what you need.
2. Use another Code Block to do the additional understanding and pass out a list.
3. Convert your function to an app action to take advantage of the action_results capability then you can split them with filters/decisions.

 

-- I Hope this helped, if so please mark as a solution for others asking the same question! Happy SOARing! --
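One way to do option 1 from the answer above (filter inside the custom function and pass out only what each route needs), as an added example that is not part of the original thread and not Splunk's code: plain Python that would sit in the custom function body, with the names split_iocs, is_ip and is_hash being my own, and the sample list constructed from the question.

```python
import ipaddress
import re

# Constructed sample input with the same shape as the ioc_list in the question.
SAMPLE_IOC_LIST = [
    {"ioc": "2.2.2.2", "type": "ip"},
    {"ioc": "1.1.1.1", "type": "ip"},
    {"ioc": "ce5761c89434367598b34f32493b", "type": "hash"},
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def is_hash(value):
    """True if value is a hex string (md5/sha1/sha256 style digest)."""
    return bool(HEX_RE.match(value.strip()))


def split_iocs(ioc_list):
    """Route each indicator by its declared type, keeping only entries whose
    value is well-formed for that type. Returns three lists so the playbook
    can branch on whichever lists are non-empty. Duplicates are dropped."""
    checks = {"ip": is_ip, "hash": is_hash}
    out = {"ip_iocs": [], "hash_iocs": [], "unrouted": []}
    seen = set()
    for entry in ioc_list or []:
        ioc = str(entry.get("ioc", "")).strip()
        ioc_type = str(entry.get("type", "")).strip().lower()
        key = (ioc_type, ioc.lower())
        if not ioc or key in seen:
            continue
        seen.add(key)
        record = {"ioc": ioc, "type": ioc_type}
        check = checks.get(ioc_type)
        if check and check(ioc):
            out[ioc_type + "_iocs"].append(record)
        else:
            # Unknown type or malformed value: never hand it to a lookup blindly.
            out["unrouted"].append(record)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(split_iocs(SAMPLE_IOC_LIST), indent=2))
```

Each output list is then a separate custom function output, so the downstream decision only has to check whether ip_iocs or hash_iocs is empty before calling the matching sub-playbook.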


glc_slash_it
Path Finder

Hi @phanTom  thanks for the suggestions, they help!

 

0 Karma

