Splunk SOAR

Chaining action results and datapath issue

ponqersohn
New Member

Hi,

Say we have an action (let's call it Action1) that returns this under data:

[
{"type": "type1", "target": "target value1"},
{"type": "type2", "target": "target value2"}
]

I want to pass the target to another action (Action2) as a parameter, so I use the action_result.data.*.target datapath to do it.

The action returns this:

[
{"result_from_action": "result_for target value1"},
{"result_from_action": "result_for target value2"}
]

Each row corresponds to the input row.

We have a third action (let's call it Action3) that accepts two parameters - the type from Action1 and the result_from_action from Action2, so I pass:
- action_result.data.*.type from Action1
- action_result.data.*.result_from_action from Action2

I want Action3 to be executed 2 times - for the two pairs "type1", "result_for target value1" and "type2", "result_for target value2" - but in reality the action will be executed 4 times, for all the possible permutations.

I understand why this is happening, but I'm curious if there's a good way to force the platform to do what I need (without using custom functions to build another list and use it as input).

 

Thanks!
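
A plain-Python model of the behaviour described in the post, added here as an illustration; it is not part of the original post and is not Splunk SOAR's own code. The helpers `resolve`, `cross_product` and `row_aligned` are hypothetical names, and the sample results are constructed from the rows shown above.

```python
from itertools import product

# Constructed sample results, shaped like the rows shown in the post.
ACTION1 = {"data": [{"type": "type1", "target": "target value1"},
                    {"type": "type2", "target": "target value2"}]}
ACTION2 = {"data": [{"result_from_action": "result_for target value1"},
                    {"result_from_action": "result_for target value2"}]}


def resolve(result, datapath):
    """Expand a datapath like 'action_result.data.*.type' into a flat list.

    Simplified model: '*' fans out over a list, other segments are dict keys.
    Rows missing the key are dropped, so the output can be shorter than the input.
    """
    segments = datapath.split(".")
    if segments[0] == "action_result":
        segments = segments[1:]
    nodes = [result]
    for seg in segments:
        if seg == "*":
            nodes = [item for n in nodes if isinstance(n, list) for item in n]
        else:
            nodes = [n[seg] for n in nodes if isinstance(n, dict) and seg in n]
    return nodes


def cross_product(types, results):
    """Every combination of the two lists: the 4 runs the post describes."""
    return [{"type": t, "result_from_action": r} for t, r in product(types, results)]


def row_aligned(types, results):
    """Pair values by row index: the 2 runs the post asks for."""
    if len(types) != len(results):
        # A dropped row would silently shift every later pair, so refuse.
        raise ValueError("lists differ in length; rows cannot be paired by index")
    return [{"type": t, "result_from_action": r} for t, r in zip(types, results)]


if __name__ == "__main__":
    types = resolve(ACTION1, "action_result.data.*.type")
    results = resolve(ACTION2, "action_result.data.*.result_from_action")
    print(len(cross_product(types, results)), "runs from the cross product")
    for params in row_aligned(types, results):
        print(params)
```

The length check matters because index pairing is only valid when Action2 returned exactly one row per Action1 row, in the same order.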

 
