Splunk SOAR

How do you achieve "for" loops?

rivaanb
Engager

Hi,

We've been trying to use "for loop" logic within playbook app actions. However, there seems to be no way to achieve this out of the box.

For example, we use the action "get file"; this action only accepts one machine ID at a time. We want to get multiple files via this action (for each item, send to "get file"), thereafter send each file through a sub-playbook and then return all outputs to a prompt in the main playbook with enrichment.

1 Solution

phanTom
SplunkTrust

@rivaanb 
SOAR already uses loops to build parameter lists to pass into actions. Once you understand how the platform passes information into and out of actions, it's not too bad 😄

It depends where you are getting the IDs from, but if you can build a list of IDs to pass into 'get_file' in a Code Block, output them as a Python list, then pass them into a Format Block:
%%
{0}
%%

{0} = your Python list of IDs

Then in the 'get_file' action use the '...formatted_data.*' output from the Format Block; you will see SOAR create a for loop that loops through each value, adds it to a parameters list and then calls the action.

I suspect get_file will then just provide a vaultId for the file(s) it got. If so, then you just need to pass those vaultId values to your input playbook.

The prompt is trickier and, IMO, if there is a lot of enrichment data I usually add note(s) to a task and then provide a "determination playbook" for the user to run once they have read and understood the note(s). This stops the automation hanging waiting for a prompt response and makes the system more efficient in my experience.

Happy SOARing! If this helped, please mark as a solution or feel free to ask more questions.
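The following is an added example and not code from the original post or from Splunk: a stand-alone Python model of the three steps the answer describes (a Code Block that returns a Python list, a Format Block whose whole template is the %% / {0} / %% loop, and the per-item parameter loop SOAR generates when an action consumes '...formatted_data.*'). It imports no phantom module; the action-result data is constructed inline, the `device_id` field and the `machine_id` parameter name are assumptions standing in for whatever your get_file app actually uses, and the Format Block model only covers a template that is entirely one %% loop, which is the case shown above.

```python
"""
Added example (not from the original post or from Splunk): a stand-alone
model of how a Splunk SOAR playbook fans one list out into many action calls.
Everything here runs offline; no 'phantom' module is used.
"""
import re

# Constructed sample of what a prior action's results might look like inside
# a playbook. The 'device_id' key is an assumption, not a specific app schema.
SAMPLE_ACTION_RESULTS = [
    {"data": [{"device_id": "host-001"}, {"device_id": "host-002"}]},
    {"data": [{"device_id": "host-002"}, {"device_id": ""}, {"device_id": None}]},
    {"data": [{"device_id": "host-003"}]},
]

# The Format Block template from the answer: everything between the %% lines
# is rendered once per element of the list bound to {0}.
FORMAT_TEMPLATE = "%%\n{0}\n%%"


def collect_machine_ids(action_results):
    """Code Block step: flatten result rows into a Python list of IDs.

    Blank/None values are dropped and duplicates removed (order preserved),
    so the downstream action is never called with an empty or repeated target.
    """
    seen = set()
    ids = []
    for result in action_results:
        for row in result.get("data", []):
            value = row.get("device_id")
            if not value or value in seen:
                continue
            seen.add(value)
            ids.append(value)
    return ids


def render_format_block(template, values):
    """Format Block step for a loop-only template.

    Returns one rendered string per element, which is what the action sees
    when it reads the block's '...formatted_data.*' output.
    """
    match = re.fullmatch(r"%%\n(.*?)\n%%", template, re.DOTALL)
    if not match:
        raise ValueError("this model only handles a template that is one %% loop")
    body = match.group(1)
    return [body.format(value) for value in values]


def build_action_parameters(formatted_data, param_name="machine_id"):
    """Generated-loop step: one parameter dict per formatted_data.* item.

    SOAR appends each dict to a parameters list and then calls the action once
    per entry. 'machine_id' is an assumed parameter name; use your app's own.
    """
    return [{param_name: item} for item in formatted_data]


def plan_get_file_calls(action_results):
    """End to end: action results -> ID list -> Format Block -> parameters."""
    ids = collect_machine_ids(action_results)
    formatted = render_format_block(FORMAT_TEMPLATE, ids)
    return build_action_parameters(formatted)


if __name__ == "__main__":
    # With the constructed sample this prints three get_file calls, one per
    # unique non-empty ID; the blank, None and duplicate rows are skipped.
    for params in plan_get_file_calls(SAMPLE_ACTION_RESULTS):
        print("get_file", params)
```

The de-duplication in collect_machine_ids is the part worth carrying into a real Code Block: if the source of IDs is a prior action's results, the same host can appear in several result rows, and without it the generated loop will fetch the same file repeatedly.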

