Splunk SOAR (f.k.a. Phantom)

Usage of the phantom action -> phantom app -> find artifacts action

MimiThePrince
New Member

Hi team,


I'm using Phantom to create playbooks and I would like to know how the "find artifacts" action is used when I create a phantom action block -> phantom app -> find artifacts action.

When I create the block I get this code:


# Playbook function generated by the visual playbook editor. The `phantom`
# module is the playbook API injected by the platform at run time.
def find_artifacts_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('find_artifacts_1() called')

    #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))

    # collect data for 'find_artifacts_1' call

    parameters = []

    # build parameters list for 'find_artifacts_1' call
    parameters.append({
        'values': "",
        'exact_match': "true",
        'limit_search': "",
        'container_ids': "current",
    })

    # run the "find artifacts" action on the built-in phantom asset
    phantom.act(action="find artifacts", parameters=parameters, assets=['phantom'], name="find_artifacts_1")

    return


But what should I put in the "values"? I tried using a created artifact name like "artifact:test.example", where "test" is the label and "example" is the source ID of the artifact that I've already created.

But I'm getting 0 artifacts as a result: Message: "Artifacts found: 0"

And also, what does container_ids refer to? Does it refer to a list of container IDs separated by commas, or a Python list? etc...

Because there is no available documentation explaining this.

Even this page (https://my.phantom.us/4.6/docs/automation/artifacts) doesn't contain a native API that allows me to understand how to find an artifact. Also the recent versions >4.6 of that page are blank...


Thank you for your help  


phanTom
SplunkTrust

@MimiThePrince the find_artifacts action will look for CEF values inside artifacts in containers on the platform. 

The values entry is the value inside the artifact you want. This doesn't work for the artifact metadata such as name/description/label etc, only what is IN the artifact as CEF fields/values. 

The default is to search ALL containers for the value. However, if you want to restrict the search to just a selection of containers then you can provide a comma-separated list of container ids to the action and tick the 'limit search' option to force the action to only look at those containers. If an action asks for a comma-separated list it does not need to be a Python list object ([]) as this will/should be handled via the action code. You just need to put a comma-separated string of ids if you want to use the restrictive capability.

Please mark the solution if this answered your question.

[Screenshot omitted: phanTom_0-1623420205544.png, a "find artifacts" action run]

The above searched ALL containers for an artifact that contained a value of 8.8.8.8. 

If you need to find artifacts based on label then at present I think REST to /rest/artifact with filtering is the way you can get their ids and even filter for specific names/labels etc.
https://docs.splunk.com/Documentation/Phantom/4.10.4/PlatformAPI/RESTQueryData 
https://docs.splunk.com/Documentation/Phantom/4.10.4/PlatformAPI/RESTArtifacts 
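The two points in the answer above, worked as an added example that is not part of the original thread or of Phantom's own code: building the "find artifacts" parameter dict with a comma-separated container list plus limit_search, and building a /rest/artifact query that filters on artifact metadata (label, name). The `_filter_<field>="value"` and `page_size=0` query syntax is assumed from the linked REST docs, and the JSON response is a constructed sample.

```python
import json
from urllib.parse import urlencode

def find_artifacts_params(values, container_ids=None, exact_match=True):
    """Parameter dict for phantom.act("find artifacts", parameters=[...]).
    `values` is a CEF value to look for (e.g. an IP), not an artifact name.
    With no container_ids the generated default "current" is kept; with a
    list of ids they are joined into one comma-separated string and
    limit_search is set so the action only looks at those containers."""
    params = {
        "values": values,
        "exact_match": "true" if exact_match else "false",
        "limit_search": "",
        "container_ids": "current",
    }
    if container_ids:
        params["container_ids"] = ",".join(str(c) for c in container_ids)
        params["limit_search"] = "true"
    return params

def artifact_filter_url(base_url, **filters):
    """GET URL for /rest/artifact using Phantom-style _filter_<field> params
    (assumed syntax: the value is wrapped in double quotes, as in
    _filter_label="test"). page_size=0 is assumed to return all rows."""
    query = {f"_filter_{field}": f'"{value}"' for field, value in filters.items()}
    query["page_size"] = 0
    return f"{base_url.rstrip('/')}/rest/artifact?{urlencode(query)}"

def artifact_ids(response_body):
    """Pull the artifact ids out of a /rest/artifact JSON response body."""
    doc = json.loads(response_body)
    return [row["id"] for row in doc.get("data", [])]

# Constructed sample of what a filtered /rest/artifact query returns.
SAMPLE_RESPONSE = json.dumps({
    "count": 2,
    "data": [
        {"id": 12, "label": "test", "name": "example", "container": 7},
        {"id": 34, "label": "test", "name": "other", "container": 9},
    ],
})

if __name__ == "__main__":
    print(find_artifacts_params("8.8.8.8", container_ids=[7, 9]))
    print(artifact_filter_url("https://soar.example", label="test"))
    print(artifact_ids(SAMPLE_RESPONSE))
```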
