Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to loop on custom list rows in SOAR/Phantom?

ben_r
Engager
‎11-08-2022 09:11 AM

I have a playbook that adds a row to a custom list for each task that can't be processed at runtime, and I'm building a second timer-driven playbook that should retry each of those actions. Each row has five columns, four for the values needed to attempt the action and a counter that should be incremented for each retry (after five tries, it should remove the row and alert that the task can't be performed automatically). 

I can use phantom.get_list() (and capturing only the third element, which is the list contents) to get the contents of the custom list into the retry playbook as a Python list, but I'm having trouble coming up with a way to iterate through them. I've tried the recommendation in another question/answer (https://community.splunk.com/t5/Splunk-SOAR-f-k-a-Phantom/How-do-you-achieve-quot-for-quot-loops/m-p...), but passing the retrieved list from a code block into a format block with 

%%
{0}
%%

as the format, then doing a python.debug on format_1:formatted_data.* just returns the monolithic list once. The behavior I need is for it to spin up the code block for each row of the incoming list.

Is this possible with Phantom? If so, is this approach correct, and what might I be doing wrong here?

Labels (1)
Labels
0 Karma
Reply

phanTom
SplunkTrust
SplunkTrust
‎11-08-2022 09:28 AM

@ben_r Everything is possible in SOAR/Phantom! The fun is trying to find the most stable & efficient way 😃

It's great you are trying to use the VPE capabilities for this and you always should 1st but, I feel like this will need a Custom Function or 2 to make it work in the way you want. As you are possibly removing items from the list I would recommend building the whole list and using the phantom.set_list() api that will overwrite the list. I have found updating custom lists can be tricky if adding and removing items unless you just rebuild and overwrite.  

I would call out though that custom lists are stored as a single object in the DB so lots of read & write activity may mean it can not be trusted to always be correct.  

I would see the flow as:

  1. Custom function to retrieve and parse the items needed to re-run 
  2. run actions
  3. Custom Function to work out which ones failed and which succeeded, rebuild the list and overwrite the list. 

I can't 100% picture your usage of the list data but am happy to try and help more if you want. 

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top