This custom function example creates a new artifact in the current container from the event data returned by a Splunk query run in an earlier playbook block (here the block named `run_Notable_query`). Splunk field names are rewritten so they are valid CEF keys before the artifact is added:
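def _sanitize_cef_keys(event):
    """Return a copy of ``event`` whose keys are safe to use as CEF field names.

    Splunk field names may contain ``.``, ``::``, ``(`` or ``)``; each of those
    is rewritten to ``_`` (``::`` collapses to a single underscore, matching the
    original replace order).  ``event`` itself is never mutated, so the caller
    is not iterating a dict while changing it (the original popped and
    re-inserted keys inside ``iteritems()``, which is Python-2-only and, in
    either interpreter, leaves the iteration order undefined).

    Returns:
        ``(clean, collisions)`` -- ``clean`` is the rewritten dict;
        ``collisions`` lists original keys that were dropped because another key
        already mapped to the same sanitized name.  The first occurrence wins;
        the original silently overwrote whichever value came later.
    """
    clean = {}
    collisions = []
    for key, value in event.items():
        new_key = (key.replace('.', '_').replace('::', '_')
                      .replace('(', '_').replace(')', '_'))
        if new_key in clean:
            collisions.append(key)
            continue
        clean[new_key] = value
    return clean, collisions


def add_notable_event_Artifact(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Add a "Notable Event Artifact" to the current container from a Splunk result.

    Reads the first row of ``run_Notable_query:action_result.data`` from a
    previous playbook block, sanitizes its keys for CEF, and calls
    ``phantom.add_artifact`` with that row as ``cef_data``.  The new artifact's
    id is saved under the run-data key
    ``add_notable_event_Artifact:notable_artifact`` (``None`` if no artifact was
    created) so later blocks can reference it.

    Args:
        action, success, container, results, handle, filtered_artifacts,
        filtered_results: the standard Phantom custom-function arguments; only
        ``container`` and ``results`` are used here.

    Returns:
        None.  Failures are reported via ``phantom.debug`` rather than raised,
        matching the original best-effort behaviour.
    """
    phantom.debug('add_notable_event_Artifact() called')
    results_data_1 = phantom.collect2(container=container, datapath=['run_Notable_query:action_result.data'], action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]
    add_notable_event_Artifact__notable_artifact = None
    ################################################################################
    ## Custom Code Start
    ################################################################################
    # The original indexed [0][0] unconditionally and raised IndexError when the
    # query returned no rows; treat "no data" as "nothing to add" instead.
    try:
        notable_event = results_item_1_0[0][0]
    except (IndexError, TypeError):
        notable_event = None

    if not isinstance(notable_event, dict):
        phantom.debug('add_notable_event_Artifact(): run_Notable_query returned no event data; no artifact created')
    else:
        cef_data, collisions = _sanitize_cef_keys(notable_event)
        if collisions:
            # Two Splunk fields mapped to the same CEF key; say so rather than
            # dropping a value silently.
            phantom.debug('add_notable_event_Artifact(): dropped fields with colliding sanitized names: {}'.format(collisions))

        # NOTE(review): cef_data is copied verbatim from the Splunk result, i.e.
        # from log content an attacker may influence.  run_automation=False is
        # kept from the original; presumably it stops the new artifact from
        # re-triggering active playbooks on this container -- confirm before
        # changing it.
        added, message, artifact_id = phantom.add_artifact(container=container['id'],
                                                           raw_data={},
                                                           cef_data=cef_data,
                                                           label="notable",
                                                           name="Notable Event Artifact",
                                                           severity="medium",
                                                           identifier=None,
                                                           artifact_type="notable",
                                                           field_mapping=None,
                                                           trace=False,
                                                           run_automation=False)
        if added:
            # The original never populated this output (it always saved None);
            # presumably downstream blocks want the new artifact's id -- confirm.
            add_notable_event_Artifact__notable_artifact = artifact_id
        else:
            # Do not let a failed add_artifact go unnoticed.
            phantom.debug('add_notable_event_Artifact(): add_artifact failed: {}'.format(message))
    ################################################################################
    ## Custom Code End
    ################################################################################
    phantom.save_run_data(key='add_notable_event_Artifact:notable_artifact', value=json.dumps(add_notable_event_Artifact__notable_artifact))
    return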