Splunk SOAR

Call API to get results from prompt?

nhammSplunk
Explorer

In a custom code block given the following pseudo code:

def promptIpToBlock(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):    
    phantom.debug('promptIpToBlock() called')

    # set user and message variables for phantom.prompt call
    user = phantom.get_run_data("logged_in_user")
    message = """Enter IP/CIDR addresses to be blocked"""

    #responses:
    response_types = [
        {
            "prompt": "",
            "options": {
                "type": "message",
            },
        },
    ]

    phantom.prompt2(container=container, user=user, message=message, respond_in_mins=5, name="prompt_ip_to_block", response_types=response_types, callback=checkIpAgainstWhitelist)

    return

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    myVar = phantom.get_run_data(key='prompt_ip_to_block')
    phantom.debug("myVar: {}".format(myVar))

    # check for 'if' condition 1
    matched_artifacts_1, matched_results_1 = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["(phantom.valid_ip(promptIpToBlock:action_result.summary.responses.0) or phantom.valid_net(promptIpToBlock:action_result.summary.responses.0))", "==", "true"],
        ])

    # call connected blocks for 'else' condition 4
    join_formatBlockParamteres(action=action, success=success, container=container, results=results, handle=handle)

    return

'myVar' doesn't show up in checkIPAgainstWhitelist(). Am I using the correct API call to get the data from promptIpToBlock()?

1 Solution

nhammSplunk
Explorer

Here's the answer, use 'results'.

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('checkIpAgainstWhitelist() called')

    myUserResponse = results[0]['action_results'][0]['message']

    return


iqbalhonnur
New Member

Hello there, I am new to Splunk. I tried the above solution, but the issue is that the callback function is getting executed before the user enters the input in the prompt, which results in results being a NoneType datatype. Can someone help me out on this?
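
Added example, not part of any post in this thread: a defensive way for a prompt callback to read the reply at the path given in the accepted answer (`results[0]['action_results'][0]['message']`), returning None when `results` is None or has a different shape, and then validating each entry before anything is handed to a block action. The function names and the sample data are hypothetical, and Python's standard `ipaddress` module stands in for `phantom.valid_ip` / `phantom.valid_net` so the code runs outside SOAR.

```python
import ipaddress


def extract_prompt_message(results):
    """Return the user's reply from a prompt callback's `results`, or None.

    Follows the path used in the accepted answer:
    results[0]['action_results'][0]['message']
    """
    try:
        message = results[0]["action_results"][0]["message"]
    except (TypeError, IndexError, KeyError):
        # results is None, empty, or not shaped as expected
        return None
    return message if isinstance(message, str) else None


def parse_block_targets(message):
    """Split a reply into (valid, rejected) lists of IP/CIDR strings."""
    valid, rejected = [], []
    for token in (message or "").replace(",", " ").split():
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(token, strict=True)
        except ValueError:
            rejected.append(token)
            continue
        valid.append(str(net))
    return valid, rejected


# Constructed sample shaped like the `results` indexed in the accepted answer.
SAMPLE_RESULTS = [
    {"action_results": [
        {"message": "203.0.113.7, 198.51.100.0/24 10.0.0.5/24 not-an-ip"}
    ]}
]

if __name__ == "__main__":
    for res in (SAMPLE_RESULTS, None):
        msg = extract_prompt_message(res)
        print(repr(msg), parse_block_targets(msg))
```

Inside a playbook callback, a None return from `extract_prompt_message` is the point to log and stop rather than continue to the block action with an empty or malformed target list.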



phantom_mhike
SplunkTrust

I'm not completely certain I follow the question. It seems you executed a prompt2 within the context of a custom function?

If that is the case, you can still access the data you need as long as you specified a name and a callback for the prompt2. If you didn't specify a name then you will have a hard time manually specifying the action results. If you don't define a callback then the playbook won't wait for the prompt to be addressed and your results will always be null. The VPE doesn't know to look for the action results from custom functions like that so you will have to specify them manually:

nhammSplunk
Explorer

I've updated the code and question. This should add clarification.
