Splunk SOAR (f.k.a. Phantom)

List of dicts from a "custom code block" into a "filter block"

glc_slash_it
Path Finder

Hello

I'm trying to pass a list of dicts from a "custom code block" into a "filter block", to run either ip_lookup, hash_lookup, or both sub-playbooks based on the indicator type.

For example:
ioc_list =

[
    {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    },
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
    }
]
 
And then on filter I have:
if get_indicators:custom_function:ioc_list.*.type == ip
    run -> ip_lookup sub-playbook
if get_indicators:custom_function:ioc_list.*.type == hash
    run -> hash_lookup sub-playbook
 
 
And it looks like the filter does half of the job, because it can route to the proper sub-playbook(s), but instead of forwarding only the elements that match the conditions, it simply forwards all elements.
 
 

Expected output:

filtered-data on condition_1 route

[ {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
}]

 

filtered-data on condition_2 route: 

[{
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
       
}]
 
Actual output on both condition routes:
[{
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    },
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
}]
 
 
Even though this seems like a specific question, it is also part of a broader misunderstanding of how custom code blocks and filter blocks interact with each other.
 
Hope someone can enlighten me on the correct path.
Thanks
 
0 Karma
1 Solution

phanTom
SplunkTrust

@glc_slash_it custom functions don't pass out information in the same way an action would via action_results. You can't filter on CF outputs in the same way unfortunately. 

Either:

1. Do the filtering in the CF and pass out only what you need.
2. Use another Code Block to do the additional understanding and pass out a list.
3. Convert your function to an app action to take advantage of the action_results capability then you can split them with filters/decisions.

 

-- I Hope this helped, if so please mark as a solution for others asking the same question! Happy SOARing! --

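Option 1 from the accepted answer (do the filtering inside the code block and emit one list per indicator type) looks like the following. This is an added example, not code from the original post or from Splunk; it contains only the pure Python partitioning logic, with the SOAR-side glue left out, since the call that publishes a code block's outputs differs between SOAR releases and should be copied from your own playbook's generated source. The function names, the sample list, and the choice to accept only MD5, SHA-1 and SHA-256 hex digests as hashes are assumptions made here. Beyond the question's case, it also checks that each entry's declared type matches what the value actually looks like, so that mislabeled or truncated indicators are held back rather than sent to a lookup sub-playbook.

```python
import ipaddress
import json
import re
from typing import Dict, List

# Hex digests of MD5 (32), SHA-1 (40) and SHA-256 (64) chars; anything else is
# not routed as a hash. (Assumption: these are the only hash types you look up.)
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def detect_type(value: str) -> str:
    """Classify an indicator from its value alone: 'ip', 'hash' or 'unknown'."""
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    return "hash" if HASH_RE.match(value) else "unknown"


def split_indicators(ioc_list: List[dict]) -> Dict[str, List[dict]]:
    """Partition [{"ioc": ..., "type": ...}, ...] into one list per indicator type.

    The declared type of each entry is checked against what the value actually
    looks like; mismatches and malformed values land in 'rejected' instead of
    being forwarded to a lookup sub-playbook. Duplicates within a bucket are
    dropped so each indicator is looked up once.
    """
    buckets: Dict[str, List[dict]] = {"ip": [], "hash": [], "rejected": []}
    seen = set()
    for entry in ioc_list:
        value = str(entry.get("ioc", "")).strip()
        declared = str(entry.get("type", "")).strip().lower()
        actual = detect_type(value)
        if actual == "hash":
            value = value.lower()  # normalise so dedup and lookups are case-insensitive
        if actual != "unknown" and actual == declared:
            if (actual, value) not in seen:
                seen.add((actual, value))
                buckets[actual].append({"ioc": value, "type": actual})
        else:
            buckets["rejected"].append(
                {"ioc": value, "type": declared, "reason": f"value looks like {actual}"}
            )
    return buckets


# Constructed sample input in the same shape as the list in the question,
# padded with the edge cases the filter block would otherwise pass straight through.
SAMPLE_IOC_LIST = [
    {"ioc": "2.2.2.2", "type": "ip"},
    {"ioc": "1.1.1.1", "type": "ip"},
    {"ioc": " 2.2.2.2 ", "type": "ip"},                          # duplicate with stray whitespace
    {"ioc": "d41d8cd98f00b204e9800998ecf8427e", "type": "hash"},  # MD5 of the empty string
    {"ioc": "D41D8CD98F00B204E9800998ECF8427E", "type": "hash"},  # same digest, upper case
    {"ioc": "ce5761c89434367598b34f32493b", "type": "hash"},      # 28 hex chars: not a digest length
    {"ioc": "8.8.8.8", "type": "hash"},                           # mislabeled
]

if __name__ == "__main__":
    # In the SOAR code block, buckets["ip"] and buckets["hash"] would be written to two
    # separate block outputs (for example ip_list and hash_list), each consumed directly
    # by its sub-playbook, with no filter block in between.
    print(json.dumps(split_indicators(SAMPLE_IOC_LIST), indent=2))
```

Routing from two separate outputs, rather than one list plus a filter, is what removes the behaviour described in the question: the filter block decides per route whether any element matched, then forwards the whole datapath value, so it was never going to slice the list for you.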

glc_slash_it
Path Finder

Hi @phanTom, thanks for the suggestions, they help!

 

0 Karma

