Splunk SOAR

How to create dynamic custom functions?

Dave_Burns
Path Finder

Hoping someone can help me get past the last hurdle. 

I'm trying to create a custom function that dynamically calls other custom functions. 

I've got the part of generating the list of desired functions. 

I understand how to make sure the datapath into the dynamically selected custom function. 

I want to pass the results out to a filter object, but it seems to be coming out only as a single variable. not an array.

What am I missing? 

 

def rule_check(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('rule_check() called')
    
    custom_function_results_data_1 = phantom.collect2(container=container, datapath=['build:custom_function_result.data.data_packets.*.packet'], action_results=results)
    custom_function_results_data_2 = phantom.collect2(container=container, datapath=['get_funcs:custom_function_result.data.found_functions.*.function_path'], action_results=results)
    custom_function_results_item_1_0 = [item[0] for item in custom_function_results_data_1]
    custom_function_results_item_2_0 = [item[0] for item in custom_function_results_data_2]

    rule_check__data = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    parameters = []

    for item0 in custom_function_results_data_1:
        parameters.append({
            'data_w_fields': item0[0],
        })        
        
    for func in custom_function_results_item_2_0:
        a = phantom.custom_function(custom_function=func, parameters=parameters, name='rule_check')

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='rule_check:data', value=json.dumps(rule_check__data))
    filter_1(container=container)

    return

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

Dave_Burns
Path Finder

I'll post a reply to myself, in case someone else wonders the same thing. 

In this particular case, you've got literally just run a for loop of all the custom functions, w/ the callback baked in. Then add in the return. This forces it to ignore the custom code end.  (Making it abit of a dead path)

Not ideal programmatically, but it works. 

View solution in original post

0 Karma

Dave_Burns
Path Finder

I'll post a reply to myself, in case someone else wonders the same thing. 

In this particular case, you've got literally just run a for loop of all the custom functions, w/ the callback baked in. Then add in the return. This forces it to ignore the custom code end.  (Making it abit of a dead path)

Not ideal programmatically, but it works. 

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...