I'm attempting to use the address_in_network function to compare results of a Splunk query against a custom list, and use matches to remove items from action_results.data of that query, so that the remainder of the query results are easily accessible in following blocks. I've got the logic of accessing action_results.data, the custom list, and address_in_network all figured out, but I'm having a hard time figuring out exactly how to either remove items directly from action_results.data, or return my list of IP addresses in a type that a filter block can make use of, so that later blocks could just access filtered-data directly. My variable created for output, Build_IP_Whitelist__tofilter, is assigned a type of None in the code framework that I can't edit. I went ahead and cast it to a list and used append to build out that list, which returns without error from my custom function. The problem arises when I try to use that list for comparison in a following filter block:

Wed Sep 23 2020 11:59:11 GMT-0400 (Eastern Daylight Time): phantom.condition(): condition 1 to evaluate: LHS: Build_IP_Whitelist:custom_function:tofilter OPERATOR: != RHS: Execute_External_IP_Query:action_result.data.*.dest_ip
Wed Sep 23 2020 11:59:11 GMT-0400 (Eastern Daylight Time): phantom.condition(): ERROR: LHS of this condition statement is a list data type while RHS is not. For this expression and data types, '!=' is not a supported data operator. Use 'in' or 'not in' operators

There's got to be a better data structure to fit my list of whitelist IPs into, but I'm having a hard time finding it in the documentation. Any pointers on that specifically, or a better approach to the general question?
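As an added, stand-alone illustration of the filtering the post describes (this is not the poster's code and not Phantom's own implementation): the custom function walks the query's result records, checks each dest_ip against the allowlist with a CIDR-aware membership test, and returns two things, the records that survive and a flat list of the IP strings that matched. The address_in_network helper below is a local stand-in built on Python's ipaddress module and only assumes the semantics the post relies on (true when the address falls inside the network); the result records, the allowlist entries and the dest_ip key name are constructed sample data.

```python
import ipaddress


def address_in_network(ip, network):
    """Stand-in for the address_in_network call used in the post (assumption:
    returns True when `ip` lies inside `network`, a CIDR string or a bare
    host address). Malformed input is treated as "not in network" rather
    than raising, so one bad record does not abort the whole playbook run."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)
    except ValueError:
        return False


def is_allowlisted(ip, allowlist):
    """True if `ip` is inside any entry of `allowlist`."""
    return any(address_in_network(ip, entry) for entry in allowlist)


def split_results(results, allowlist, ip_key="dest_ip"):
    """Partition query result records into (kept, matched_ips).

    kept        -- records whose ip_key is missing, unparseable, or not allowlisted
    matched_ips -- the plain IP strings that hit the allowlist (a flat list of
                   strings, the shape a later 'in' / 'not in' comparison can use)
    """
    kept, matched_ips = [], []
    for record in results:
        ip = record.get(ip_key)
        if ip is not None and is_allowlisted(ip, allowlist):
            matched_ips.append(ip)
        else:
            kept.append(record)
    return kept, matched_ips


# Constructed sample input standing in for action_results.data and the custom list.
SAMPLE_RESULTS = [
    {"dest_ip": "10.1.2.3", "count": 4},
    {"dest_ip": "198.51.100.9", "count": 1},
    {"dest_ip": "192.168.1.77", "count": 2},
    {"dest_ip": "203.0.113.7", "count": 9},
    {"dest_ip": "not-an-ip", "count": 1},  # unparseable value is kept, not silently dropped
    {"count": 3},                          # record without a dest_ip field
]
SAMPLE_ALLOWLIST = ["10.0.0.0/8", "192.168.1.0/24", "203.0.113.7"]


def build_ip_allowlist(results=SAMPLE_RESULTS, allowlist=SAMPLE_ALLOWLIST):
    """Shape of the custom function's output: a dict with the remaining records
    and the flat list of matched IPs (hypothetical output names)."""
    kept, matched_ips = split_results(results, allowlist)
    return {"remaining": kept, "tofilter": matched_ips}


if __name__ == "__main__":
    out = build_ip_allowlist()
    print("matched:", out["tofilter"])
    print("remaining:", [r.get("dest_ip") for r in out["remaining"]])
```

The error in the post says the comparison needs 'in' or 'not in' once one side is a list, so the practical shape is a flat list of strings on the list side (here `tofilter`) and the single `dest_ip` value on the other; returning the surviving records as `remaining` sidesteps the comparison entirely for blocks that only need the filtered data.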