I'm trying to get at the results of a phantom.act() action run, more specifically the Splunk HTTP app "get file" action.
Something as simple as:
    # inside a custom code block
    def get_action_results(**kwargs):
        phantom.debug(action)
        phantom.debug(success)
        phantom.debug(results)
        phantom.debug(handle)
        return

    phantom.act('get file', parameters=[{'hostname': '', 'file_path': '/path/to/file'}], assets=["web_server"], callback=get_action_results)
The action will run as expected; however, the callback isn't getting the results output. Am I misunderstanding callbacks in this scenario?
I'm not familiar with the HTTP app so can't speak directly to this specific example, but I can answer your question at the end: Yes, you are.
The way callback works is it looks for another playbook block by that name, not a function defined within the same block. So what you can do is use the standard HTTP action block and move get_action_results to its own playbook block. SOAR will understand that you want to input the values from the action calling the callback.
Looking at your reply on the other thread, something that may be helpful would be writing a loop to separate each URL and run through the process one by one. It's slower and more resource intensive, but that way you don't need to worry about keeping track of multiple results at once.
@cmg I do have to ask why you are doing it this way? The app framework removes all of this necessity 😄
As my old mentor said "Use the platform Luke...erm Tom" 😄
Why not just use the HTTP action and then select the data returned by using the relevant datapath downstream? The HTTP app doesn't show you all the returned fields in the playbook datapaths, as the dev couldn't know all returned so stopped at "response_body" or "parsed_response_body". You have to write the path to the returned data yourself.
Best way is to run the action, select it in the activity pane of the container, find the value you want in the JSON presented and click on the key in the window. There should be a datapath-type thing at the top. 0 = * and > = . in the datapath you put in the playbook.
-- Hope this helped! If it solved your issue please mark as a solution for future questions on the same thing. Happy SOARing! --
Normally I would; however, I am running into an issue where:
1. I am querying a file attachment from ServiceNow that returns download URL(s) (can be an arbitrary number of URLs) presented by the API.
2. The URL(s) contain the file sys_id, e.g. "/api/now/1111111122222233333/file", and do not offer a way to download as the file name, requiring it to be renamed once in the container vault.
3. The HTTP app downloads the URL(s) as the generic file name "file" in a container vault and creates a vault_id.
4. I need to rename that file to the correct file name (from the ServiceNow data), using a bit of vault_add() magic.
Step 4 is where I lose the ability to reliably associate the original file name (via the ServiceNow sys_id) with the vault_id when passing multiple URLs. I don't see an easy or reliable way to capture the original file name and associate it with the correct vault_id.
The attempted work-around thought is using phantom.act() in this manner where I can control the loop and guarantee the correct vault_id.
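Added example, not part of any post in this thread: each entry in a SOAR action's results echoes the parameter set it ran with, so the sys_id in file_path can tie a vault_id back to the ServiceNow file name even when many URLs are passed at once. The function name, the sample data, and the location of vault_id in the result summary are assumptions; check the real action output in the container's activity pane.

```python
import re

# URL shape as quoted in the post: /api/now/<sys_id>/file
SYS_ID_RE = re.compile(r"/api/now/([^/]+)/file")


def map_vault_ids_to_names(results, names_by_sys_id):
    """Correlate downloaded files with their ServiceNow names.

    results         -- the `results` list a SOAR callback block receives
    names_by_sys_id -- {sys_id: file_name} built from the ServiceNow data
    Returns ({vault_id: file_name}, [file_paths that could not be matched]).
    """
    mapping, unmatched = {}, []
    for app_run in results or []:
        for ar in app_run.get("action_results", []):
            path = (ar.get("parameter") or {}).get("file_path", "")
            # Assumption: the app reports the vault ID in the result summary.
            vault_id = (ar.get("summary") or {}).get("vault_id")
            match = SYS_ID_RE.search(path)
            name = names_by_sys_id.get(match.group(1)) if match else None
            if ar.get("status") == "success" and vault_id and name:
                mapping[vault_id] = name
            else:
                # Failed download, missing vault ID, or unknown sys_id:
                # report it instead of guessing by list position.
                unmatched.append(path)
    return mapping, unmatched


# Constructed sample data (not real output): three URLs, one failed download.
SAMPLE_NAMES = {"aaa111": "report.pdf", "bbb222": "notes.txt", "ccc333": "invoice.xlsx"}
SAMPLE_RESULTS = [{
    "asset": "web_server",
    "action_results": [
        {"status": "success",
         "parameter": {"hostname": "", "file_path": "/api/now/aaa111/file"},
         "summary": {"vault_id": "vault-A"}},
        {"status": "failed",
         "parameter": {"hostname": "", "file_path": "/api/now/bbb222/file"},
         "summary": {}},
        {"status": "success",
         "parameter": {"hostname": "", "file_path": "/api/now/ccc333/file"},
         "summary": {"vault_id": "vault-C"}},
    ],
}]

if __name__ == "__main__":
    print(map_vault_ids_to_names(SAMPLE_RESULTS, SAMPLE_NAMES))
```

Because the match is keyed on the echoed parameter rather than on result order, a failed or skipped download does not shift later file names onto the wrong vault_id.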