Splunk SOAR (f.k.a. Phantom)

Call API to get results from prompt?

nhammSplunk
Explorer

In a custom code block given the following pseudo code:

def promptIpToBlock(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('promptIpToBlock() called')

    # set user and message variables for phantom.prompt call
    user = phantom.get_run_data("logged_in_user")
    message = """Enter IP/CIDR addresses to be blocked"""

    # responses:
    response_types = [
        {
            "prompt": "",
            "options": {
                "type": "message",
            },
        },
    ]

    phantom.prompt2(container=container, user=user, message=message, respond_in_mins=5, name="prompt_ip_to_block", response_types=response_types, callback=checkIpAgainstWhitelist)

    return

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    myVar = phantom.get_run_data(key='prompt_ip_to_block')
    phantom.debug("myVar: {}".format(myVar))

    # check for 'if' condition 1
    matched_artifacts_1, matched_results_1 = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["(phantom.valid_ip(promptIpToBlock:action_result.summary.responses.0) or phantom.valid_net(promptIpToBlock:action_result.summary.responses.0))", "==", "true"],
        ])

    # call connected blocks for 'else' condition 4
    join_formatBlockParamteres(action=action, success=success, container=container, results=results, handle=handle)

    return

'myVar' doesn't show up in checkIpAgainstWhitelist(). Am I using the correct API call to get the data from promptIpToBlock()?


nhammSplunk
Explorer

Here's the answer, use 'results'.

def checkIpAgainstWhitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('checkIpAgainstWhitelist() called')

    # the prompt reply is delivered to the callback in 'results'
    myUserResponse = results[0]['action_results'][0]['message']

    return

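Added example (not from the thread and not Splunk's own code): pure-Python helpers for the callback pattern in this answer. They read the reply through the same results[0]['action_results'][0]['message'] path, return None instead of raising when the callback is entered with results set to None, and validate each entry as an IP or CIDR against a whitelist before anything is handed to a block action. The results shape, the whitelist and the sample reply are constructed for the demo; the phantom module is not imported.

```python
import ipaddress
import re


def get_prompt_message(results):
    """Return the prompt reply text, or None when the callback was entered
    without results. Mirrors results[0]['action_results'][0]['message']."""
    if not results:
        return None
    try:
        return results[0]["action_results"][0]["message"]
    except (KeyError, IndexError, TypeError):
        return None


def parse_block_targets(message):
    """Split a free-text reply on whitespace/commas/semicolons and keep only
    entries that parse as an IP or CIDR. Strict CIDR parsing is deliberate:
    '10.0.0.5/24' is rejected rather than silently widened to 10.0.0.0/24."""
    valid, rejected = [], []
    for token in re.split(r"[\s,;]+", message or ""):
        if not token:
            continue
        try:
            valid.append(ipaddress.ip_network(token))  # strict=True by default
        except ValueError:
            rejected.append(token)
    return valid, rejected


def plan_block(results, whitelist):
    """Decide what a downstream block action may act on.
    Returns a dict with 'block', 'whitelisted', 'rejected' and 'error'."""
    plan = {"block": [], "whitelisted": [], "rejected": [], "error": None}
    message = get_prompt_message(results)
    if message is None:
        plan["error"] = "no prompt response in results (prompt unanswered?)"
        return plan
    nets, plan["rejected"] = parse_block_targets(message)
    allowed = [ipaddress.ip_network(w) for w in whitelist]
    for net in nets:
        if any(net.overlaps(w) for w in allowed):
            plan["whitelisted"].append(net)  # never block an allowed range
        else:
            plan["block"].append(net)
    return plan


# Constructed sample input in the shape the accepted answer indexes.
SAMPLE_RESULTS = [{"action_results": [{"message": "203.0.113.7, 198.51.100.0/24 10.1.2.3 10.0.0.5/24 notanip"}]}]
WHITELIST = ["10.0.0.0/8", "192.168.0.0/16"]  # constructed whitelist
```

Inside a real callback you would call plan_block(results, WHITELIST) and only pass plan["block"] on to the block action, logging plan["rejected"] and plan["error"] with phantom.debug.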

iqbalhonnur
New Member

Hello there, I am new to Splunk. I tried the above solution, but the issue is that the callback function is getting executed before the user enters the input in the prompt, which results in results being a NoneType. Can someone help me out on this?


phantom_mhike
Path Finder

I'm not completely certain I follow the question. It seems you executed a prompt2 within the context of a custom function?

If that is the case, you can still access the data you need as long as you specified a name and a callback for the prompt2. If you didn't specify a name then you will have a hard time manually specifying the action results. If you don't define a callback then the playbook won't wait for the prompt to be addressed and your results will always be null. The VPE doesn't know to look for the action results from custom functions like that so you will have to specify them manually:

nhammSplunk
Explorer

I've updated the code and question. This should add clarification.
