Splunk SOAR (f.k.a. Phantom)

[Phantom] Filter/Decision block not seeing created artifact

crayford
Explorer

I used a custom function that parses out email addresses from an alert, and I used the phantom.add_artifact function to add the artifact to the container. I am then using a filter to check for the artifact ("artifact:*.label", "==", "notiresponse"). It evaluates as false each time, even though if I check the container it is there. What can I do to ensure that the filter is seeing this artifact? When I check the debug log, I can see the loop checking against all of the artifacts in the container except for the one I am creating via custom function. We have multiple playbooks that do this, but this one in particular is giving me trouble.


phanTom
SplunkTrust

@crayford it sounds like you are hitting a scope issue. As the new artifact is created in the playbook run, the playbook is not aware of the new item unless you tell it to look by setting the correct scope when required. 

Depending on the version of Phantom you are using there are 2 ways to fix this:

pre-v5.0.1 - In your filter or decision (or any block) where you need to query the new artifact, update the phantom.x() API call to include `scope = 'all'` 

Below are the 3 main calls where scope can be set to see newly created artifacts:
phantom.condition docs: https://docs.splunk.com/Documentation/Phantom/4.10.7/PlaybookAPI/PlaybookAPI#condition 
phantom.decision docs: https://docs.splunk.com/Documentation/Phantom/4.10.7/PlaybookAPI/PlaybookAPI#decision 
phantom.collect2 docs: https://docs.splunk.com/Documentation/Phantom/4.10.7/PlaybookAPI/DataAccessAPI#collect2 

v5.0.1 - On the custom function block (Utility) you can select "Refresh event data" on the settings of the function block and this will update the "container" variable so that new items created in the function can be seen. 

Hope this helps! Happy Phantoming  Splunk SOAR-ing 😄 

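The scope issue described in the answer above, as an added example that is neither the original poster's playbook nor Splunk's Playbook API: `Container`, `decision` and `run_playbook` are a simplified offline stand-in that models a playbook run snapshotting the container's artifacts when it starts, with scope="new" reading that snapshot and scope="all" re-reading the container (the snapshot model is an assumption; the `scope` values and the condition come from the thread).

```python
import operator


class Container:
    """Stand-in for a SOAR container (constructed sample, not the real platform object)."""
    def __init__(self, artifacts):
        self.artifacts = list(artifacts)      # what the platform actually stores
        self.run_snapshot = list(artifacts)   # what this playbook run saw at start

    def add_artifact(self, cef_data, label, name):
        """Stand-in for phantom.add_artifact(): stores the artifact but does not
        touch the run's snapshot, which is why scope="new" never sees it (assumed model)."""
        artifact = {"id": len(self.artifacts) + 1, "label": label,
                    "name": name, "cef": dict(cef_data)}
        self.artifacts.append(artifact)
        return True, "artifact added", artifact["id"]


OPS = {"==": operator.eq, "!=": operator.ne}


def _lookup(artifact, field):
    """Resolve a datapath such as "artifact:*.label" or "artifact:*.cef.fromEmail"."""
    value = artifact
    for key in field.split(":", 1)[1].split(".")[1:]:   # drop the "artifact:*" prefix
        value = value.get(key) if isinstance(value, dict) else None
    return value


def decision(container, conditions, scope="new"):
    """Stand-in for phantom.decision(): True if any in-scope artifact satisfies every condition."""
    pool = container.artifacts if scope == "all" else container.run_snapshot
    return any(all(OPS[op](_lookup(art, field), value) for field, op, value in conditions)
               for art in pool)


def run_playbook(scope):
    """Custom function adds the parsed e-mail as an artifact; the next block checks for it."""
    container = Container([{"id": 1, "label": "event", "name": "alert", "cef": {}}])
    container.add_artifact({"fromEmail": "user@example.com"}, "notiresponse", "parsed email")
    # Shape of the fix from the answer, in a real playbook:
    # phantom.decision(container=container,
    #                  conditions=[["artifact:*.label", "==", "notiresponse"]], scope="all")
    return decision(container, [["artifact:*.label", "==", "notiresponse"]], scope=scope)
```

With the default scope the decision misses the artifact the custom function just created; with scope="all" it matches.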

bobnosn
Engager

Very helpful answer, thanks!


crayford
Explorer

That worked! Thanks for the help.
