Splunk SOAR
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Usage of the phantom action -> phantom app -> find artifacts action

MimiThePrince
New Member
‎06-03-2021 12:04 PM

Hi team,

 

I'm using Phantom to create playbooks and I would like to know how the find artifact is used when I create a phantom action block -> phantom app -> find artifacts action.

When I create the block I get this code:

 

 

def find_artifacts_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('find_artifacts_1() called')
        
    #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
    
    # collect data for 'find_artifacts_1' call

    parameters = []
    
    # build parameters list for 'find_artifacts_1' call
    parameters.append({
        'values': "",
        'exact_match': "true",
        'limit_search': "",
        'container_ids': "current",
    })

    phantom.act(action="find artifacts", parameters=parameters, assets=['phantom'], name="find_artifacts_1")

    return

 

 

But what should I put in the "values"? I tried using a created artifact name like "artifact:test.example" where "test" is the label and "example" is the is the source ID of the artifact that I've already created.

But I'm getting 0 artifacts as a results: Message: "Artifacts found: 0"

And also what the containers_ids refers to? Does it refers to a list of the containers IDs separated with comma or a python list? etc...

Because there is no available documentation explaining this.

Even this page (https://my.phantom.us/4.6/docs/automation/artifacts) doesn't contain a native API that allows me to understand how to find an artifact. Also the recent versions >4.6 of that page are blank...

 

Thank you for your help  

Labels (1)
Labels
Tags (1)
0 Karma
Reply

phanTom
SplunkTrust
SplunkTrust
‎06-11-2021 07:05 AM

@MimiThePrince the find_artifacts action will look for CEF values inside artifacts in containers on the platform. 

The values entry is the value inside the artifact you want. This doesn't work for the artifact metadata such as name/description/label etc, only what is IN the artifact as CEF fields/values. 

The default is to search ALL containers for the value. However, if you want to restrict the search to just a selection of containers then you can provide a comma-separated list of container ids to the action and tick the 'limit search' option to force the action to only look at those containers. If an action asks for a comma-separated list it does not need to be a python list  object ([]) as this will/should be handled via the action code. You just need to put a comma-separated string of ids if you want to use the restrictive capability. 

Please mark the solution if this answered your question.

phanTom_0-1623420205544.png

The above searched ALL containers for an artifact that contained a value of 8.8.8.8. 

If you need to find artifacts based on label then at present I think REST to /rest/artifact with filtering is the way you can get their id's and even filter for specific names/labels etc. 
https://docs.splunk.com/Documentation/Phantom/4.10.4/PlatformAPI/RESTQueryData 
https://docs.splunk.com/Documentation/Phantom/4.10.4/PlatformAPI/RESTArtifacts 

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top