@Izzet This is the `add_task` API call and this does not (AFAIK) create a note. You can use the phantom.add_note() and stipulate a task_id to assign the note to a task. I believe that markdown is now the default so any notes added will accept/interpret markdown. The docs don't seem to point to setting Markdown or HTML. All I know is any notes in HTML from 4.8 or previous need to be manually set to HTML for it to be properly interpreted. https://docs.splunk.com/Documentation/Phantom/4.9/PlaybookAPI/ContainerAPI#add_note If this helped, please give a like below!
... View more
@Izzet if you use the format block's list interpretation (https://docs.splunk.com/Documentation/Phantom/4.9/PlaybookAPI/PlaybookAPI#format) then you can use the .* output. In your format block you should put: %%
%% Then when you use the .* output the action block knows it's getting a list and will create the relevant for loop to iterate though each one. As a side note, did you know the filter/decisions are CIDR aware? So you can use them to determine if they are in a known CIDR range (internal/RFC1918) or not without a custom function 😄 For example you can put the IP (single or list) into the top field in a filter/decision condition, then use 'is in' then put the CIDR range in the final condition field, see below: <IP_VALUE>
192.168.0.0/16 If this helped please drop a like below!
... View more