Splunk SOAR

Is it possible to loop on custom list rows in SOAR/Phantom?

ben_r
Engager

I have a playbook that adds a row to a custom list for each task that can't be processed at runtime, and I'm building a second timer-driven playbook that should retry each of those actions. Each row has five columns, four for the values needed to attempt the action and a counter that should be incremented for each retry (after five tries, it should remove the row and alert that the task can't be performed automatically). 

I can use phantom.get_list() (and capturing only the third element, which is the list contents) to get the contents of the custom list into the retry playbook as a Python list, but I'm having trouble coming up with a way to iterate through them. I've tried the recommendation in another question/answer (https://community.splunk.com/t5/Splunk-SOAR-f-k-a-Phantom/How-do-you-achieve-quot-for-quot-loops/m-p...), but passing the retrieved list from a code block into a format block with 

%%
{0}
%%

as the format, then doing a python.debug on format_1:formatted_data.* just returns the monolithic list once. The behavior I need is for it to spin up the code block for each row of the incoming list.

Is this possible with Phantom? If so, is this approach correct, and what might I be doing wrong here?


phanTom
SplunkTrust

@ben_r Everything is possible in SOAR/Phantom! The fun is trying to find the most stable & efficient way 😃

It's great you are trying to use the VPE capabilities for this and you always should first, but I feel like this will need a Custom Function or 2 to make it work in the way you want. As you are possibly removing items from the list I would recommend building the whole list and using the phantom.set_list() api that will overwrite the list. I have found updating custom lists can be tricky if adding and removing items unless you just rebuild and overwrite.

I would call out though that custom lists are stored as a single object in the DB so lots of read & write activity may mean it can not be trusted to always be correct.  

I would see the flow as:

  1. Custom function to retrieve and parse the items needed to re-run 
  2. run actions
  3. Custom Function to work out which ones failed and which succeeded, rebuild the list and overwrite the list. 

I can't 100% picture your usage of the list data but am happy to try and help more if you want. 

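The retry bookkeeping that the question describes and the answer's "rebuild and overwrite" flow, written as an added example in plain Python so it runs outside SOAR (this is not code from the thread or from Splunk). It assumes the custom list rows look like the question's five columns (four action values plus a retry counter, with the counter set to 1 by the first playbook when the action first fails) and that, inside a real playbook, the rows would come from `phantom.get_list(list_name=...)[2]` and the rebuilt list would be written back in one call with `phantom.set_list(list_name=..., values=...)`; neither SOAR call is exercised here.

```python
"""Retry-list processing for a SOAR custom list (added example, assumptions noted).

Each row: [value1, value2, value3, value4, retry_count]. The function attempts
every row, increments the counter on failure, keeps rows that still have
retries left, and separates rows that succeeded or exhausted their budget so the
caller can overwrite the list once (phanTom's rebuild-and-overwrite advice) and
raise an alert for the exhausted ones.
"""

MAX_ATTEMPTS = 5   # drop the row and alert once the counter reaches this value
COUNTER_INDEX = 4  # fifth column holds the retry counter


def process_retry_rows(rows, attempt_action, max_attempts=MAX_ATTEMPTS):
    """Return (rows_to_keep, succeeded_args, exhausted) for one retry pass.

    rows           -- list of 5-element lists as returned by phantom.get_list()[2]
                      (assumed layout; constructed sample below)
    attempt_action -- callable(v1, v2, v3, v4) -> bool, True on success
    """
    rows_to_keep, succeeded, exhausted = [], [], []

    for row in rows:
        # Malformed rows are reported rather than silently retried forever.
        if len(row) != COUNTER_INDEX + 1:
            exhausted.append({"row": row, "reason": "malformed row"})
            continue

        args = list(row[:COUNTER_INDEX])
        try:
            # Custom list cells come back as strings, so coerce the counter.
            count = int(row[COUNTER_INDEX])
        except (TypeError, ValueError):
            exhausted.append({"row": row, "reason": "bad counter"})
            continue

        if attempt_action(*args):
            succeeded.append(args)
            continue

        count += 1
        if count >= max_attempts:
            exhausted.append({"row": args + [count], "reason": "max attempts reached"})
        else:
            rows_to_keep.append(args + [count])

    return rows_to_keep, succeeded, exhausted


# Constructed sample of what the first playbook might have written to the list.
SAMPLE_LIST = [
    ["block_ip", "10.0.0.5", "fw-edge", "ticket-101", 1],
    ["disable_user", "jdoe", "ad-prod", "ticket-102", 4],
    ["quarantine", "host-17", "edr", "ticket-103", "2"],
    ["bad"],
]


def fake_action(action, target, asset, ticket):
    """Constructed stand-in for the real action call; only 'quarantine' succeeds."""
    return action == "quarantine"


if __name__ == "__main__":
    keep, ok, failed = process_retry_rows(SAMPLE_LIST, fake_action)
    # In a playbook: phantom.set_list(list_name="retry_queue", values=keep)
    print("rewrite list with:", keep)
    print("succeeded:", ok)
    print("alert on:", failed)
```

Because a custom list is stored as one object (the answer's caveat), the whole pass reads the list once, computes the replacement in memory, and writes it back once; two timer-driven playbooks rewriting the same list concurrently would still race, so schedule a single retry playbook per list.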