Splunk SOAR (f.k.a. Phantom)

Call API to get results from prompt?

nhammSplunk
Explorer

In a custom code block given the following pseudo code:

def promptIpToBlock(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('promptIpToBlock() called')

    # set user and message variables for phantom.prompt call
    user = phantom.get_run_data("logged_in_user")
    message = """Enter IP/CIDR addresses to be blocked"""

    # responses:
    response_types = [
        {
            "prompt": "",
            "options": {
                "type": "message",
            },
        },
    ]

    # the callback runs once the prompt has been answered (or times out)
    phantom.prompt2(container=container, user=user, message=message, respond_in_mins=5, name="prompt_ip_to_block", response_types=response_types, callback=checkIpAgainstWhitelist)

    return

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    myVar = phantom.get_run_data(key='prompt_ip_to_block')
    phantom.debug("myVar: {}".format(myVar))

    # check for 'if' condition 1
    matched_artifacts_1, matched_results_1 = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["(phantom.valid_ip(promptIpToBlock:action_result.summary.responses.0) or phantom.valid_net(promptIpToBlock:action_result.summary.responses.0))", "==", "true"],
        ])

    # call connected blocks for 'else' condition 4
    join_formatBlockParamteres(action=action, success=success, container=container, results=results, handle=handle)

    return

'myVar' doesn't show up in checkIpAgainstWhitelist(). Am I using the correct API call to get the data from promptIpToBlock()?


nhammSplunk
Explorer

Here's the answer, use 'results'.

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('checkIpAgainstWhitelist() called')

    # the analyst's reply is delivered in the callback's 'results' argument
    myUserResponse = results[0]['action_results'][0]['message']

    return


iqbalhonnur
New Member

Hello there, I am new to Splunk. I tried the above solution, but the issue is that the callback function is getting executed before the user enters the input in the prompt, which results in results being a NoneType. Can someone help me out on this?

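As an added example (not code from this thread or from Splunk SOAR), here is a plain-Python version of the callback logic: it reads the reply through the `results[0]['action_results'][0]['message']` path from the accepted answer, reports a clear `no_response` when `results` is None as in the comment above, and validates the IP/CIDR against a whitelist with the standard `ipaddress` module. The `phantom` calls are left out so it runs offline; `SAMPLE_RESULTS` and the `WHITELIST` networks are constructed stand-ins.

```python
import ipaddress

# Constructed sample of the 'results' a prompt2 callback receives, in the
# shape the accepted answer indexes: results[0]['action_results'][0]['message']
SAMPLE_RESULTS = [{"action_results": [{"message": "198.51.100.7", "status": "success"}]}]

# Constructed stand-in for the whitelist: networks that must never be blocked.
WHITELIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def get_prompt_response(results):
    """Return the analyst's reply text, or None when the prompt has not been
    answered yet (results is None or empty, the NoneType case from the thread)."""
    if not results:
        return None
    try:
        return results[0]["action_results"][0]["message"]
    except (KeyError, IndexError, TypeError):
        return None


def parse_target(text):
    """Parse an IP or CIDR string into an ip_network; None if it is not valid.
    strict=False accepts host bits in CIDR input, e.g. 10.1.2.3/24 -> 10.1.2.0/24."""
    try:
        return ipaddress.ip_network(text.strip(), strict=False)
    except (ValueError, AttributeError):
        return None


def check_ip_against_whitelist(results, whitelist=WHITELIST):
    """Decide whether the prompted IP/CIDR may be blocked.
    Returns (decision, detail): 'no_response', 'invalid', 'whitelisted' or 'ok'."""
    text = get_prompt_response(results)
    if text is None:
        return ("no_response", None)
    target = parse_target(text)
    if target is None:
        return ("invalid", text)
    # Refuse if any part of the requested range overlaps a protected network.
    for net in whitelist:
        if target.version == net.version and target.overlaps(net):
            return ("whitelisted", str(target))
    return ("ok", str(target))
```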


phantom_mhike
Path Finder

I'm not completely certain I follow the question. It seems you executed a prompt2 within the context of a custom function?

If that is the case, you can still access the data you need as long as you specified a name and a callback for the prompt2. If you didn't specify a name, then you will have a hard time manually specifying the action results. If you don't define a callback, then the playbook won't wait for the prompt to be addressed and your results will always be null. The VPE doesn't know to look for the action results from custom functions like that, so you will have to specify them manually:

nhammSplunk
Explorer

I've updated the code and question. This should add clarification.
