Splunk SOAR

Container automation API compatibility with custom functions

jeffrey_berry
Path Finder

Per the Container automation API docs , "the update API is supported from within a custom function". However for the following code, the "Validate" fails with "Undefined variable 'container' "

update_data = {}
update_data['name'] = 'new container name'
phantom.update(container, update_data)

What is the fix?

Labels (1)
0 Karma

jeffrey_berry
Path Finder

def change_event_name(container=None, **kwargs):
"""
Args:
container

Returns a JSON-serializable object that implements the configured data paths:

"""

############################ Custom Code Goes Below This Line #################################
import json
import phantom.rules as phantom

outputs = {}

# Write your custom code here...
update_data = {}
update_data['name'] = 'new container name'
phantom.update(container, update_data)

# Return a JSON-serializable object
assert json.dumps(outputs) # Will raise an exception if the :outputs: object is not JSON-serializable
return outputs
0 Karma

P_vandereerden
Splunk Employee
Splunk Employee

I don't know this area well, but the error suggests an issue with "container", and not "update". Within your custom function you are using container, but it would seem it's not defined. How are you passing "container" into your function? 

Paul van der Eerden,
Breaking software for over 20 years.
0 Karma

jeffrey_berry
Path Finder

I tried passing the container class object as an input (item or list type) and not passing as an input also, but it does not work either way. The entire custom function with passing a container class object input is below. The error from debugging the playbook is below. Since the only custom function input types are item or list, it appears that it is not possible to pass a class object type as a custom function input. If so, I would guess that an unknown phantom function needs to be executed in the custom function that returns the container class object.

Does anyone if a phantom class object function (or some other Splunk SOAR Python library function) exists that returns the container class object? Or some other way to get the phantom.update() function to work within a custom function?

def change_event_name(**kwargs):
"""
Returns a JSON-serializable object that implements the configured data paths:

"""
############################ Custom Code Goes Below This Line #################################
import json
import phantom.rules as phantom

outputs = {}

# Write your custom code here...
update_data = {}
update_data['name'] = 'new container name'
phantom.update(container, update_data)

# Return a JSON-serializable object
assert json.dumps(outputs) # Will raise an exception if the :outputs: object is not JSON-serializable
return outputs

 

Jun 14, 19:04:13 : CustomFunctionRun with id=4043 FAILED: The custom function run is being marked failed because all of its constituent results failed Error: Encountered an unhandled exception in custom function "change_event_name" for the parameter dictionary at index=0: {'container': 'container'} Traceback (most recent call last): File "change_event_name", line 56, in cfentry File "lib3/phantom/decided/playbook_resource_score.py/playbook_resource_score.py", line 123, in _wrapper File "change_event_name", line 21, in change_event_name File "lib3/phantom/api/container/api_update.py/api_update.py", line 118, in update File "lib3/phantom/utils.py/utils.py", line 1166, in inner File "lib3/phantom/api/container/api_update.py/api_update.py", line 125, in _update TypeError: string indices must be integers

Tags (1)
0 Karma

SOARt_of_Lost
Path Finder

I wish I had a better answer for you, but after doing some testing, phantom.update() just doesn't seem to want to work from within a custom function. There are other functions which have the same problem but it's usually called out in the documentation. 

What you've written works perfectly from within a custom code block in a playbook. You may just need to make a single block playbook you can call from a parent if you're planning to use this in multiple places.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...