Splunk SOAR (f.k.a. Phantom)

How do you achieve "for" loops?

rivaanb
Engager

Hi,

We've been trying to use "for loop" logic within playbook app actions. However, there seems to be no way to achieve this out of the box.

For example, we use the action "get file" - this action only accepts one machine id at a time. We want to get multiple files via this action (for each item, send to "get file"), thereafter send each file through a sub-playbook and then return all outputs to a prompt in the main playbook with enrichment.


phanTom
SplunkTrust
SplunkTrust

@rivaanb 
SOAR already uses loops to build parameter lists to pass into actions. Once you understand how the platform passes information into and out of actions, it's not too bad 😄 

It depends where you are getting the ids, but if you can build a list of ids to pass into 'get_file' in a Code Block, output them as a Python list, then pass them into a format block:
%%
{0}
%%

0 = your Python list of ids

Then in the 'get_file' action use the '...formatted_data.*' output from the format block; you will see SOAR create a for loop that loops through each value, adds it to a parameters list, then calls the action. 

I suspect the get_file will then just provide a vaultId for the file(s) it got. If so then you just need to pass those vaultId values to your input-playbook. 

The prompt is trickier, and IMO, if there is a lot of enrichment data, I usually add note(s) to a task and then provide a "determination playbook" for the user to run once they have read and understood the note(s). This stops the automation hanging while waiting for a prompt response and makes the system more efficient, from my experience.

Happy SOARing - If this helped please mark as a solution or feel free to ask more questions. 
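To make the mechanism in that answer concrete, here is an added stand-alone Python model (not Splunk SOAR's playbook API or its generated code, and not code from the poster) of what the format block does with a `%%{0}%%` template and how the action block then turns the `formatted_data.*` items into a parameters list. The machine ids are constructed sample data, and the `id` parameter name for "get file" is an assumption.

```python
# Added model of the loop pattern from the answer above; this is NOT SOAR's
# playbook API or its generated code, only a stand-alone imitation of it.

# Constructed sample: what the Code Block would emit as its Python list of ids.
MACHINE_IDS = ["host-0001", "host-0002", "", "host-0003"]

# The format block template from the answer; {0} is the first parameter.
TEMPLATE = "%%\n{0}\n%%"


def format_block(template, params):
    """Imitate a format block: text between %% markers is rendered once per
    element of the list parameter(s). Returns (formatted_data, items), where
    items is what the 'formatted_data.*' datapath hands to the next block."""
    pieces = template.split("%%")
    items, output = [], []
    for idx, piece in enumerate(pieces):
        if idx % 2 == 0:          # static text outside any %% section
            output.append(piece)
            continue
        body = piece.strip("\n")
        lists = [p for p in params if isinstance(p, list)]
        count = len(lists[0]) if lists else 1   # lists are assumed equal length
        for i in range(count):
            row = [p[i] if isinstance(p, list) else p for p in params]
            rendered = body.format(*row)
            items.append(rendered)
            output.append(rendered + "\n")
    return "".join(output), items


def build_get_file_parameters(items, param_name="id"):
    """Imitate the for loop SOAR generates when an action input is bound to
    'formatted_data.*': one parameters dict per item, skipping empty values so
    a blank id never reaches the asset. 'id' is an assumed parameter name."""
    parameters = []
    for item in items:
        if item is None or str(item).strip() == "":
            continue
        parameters.append({param_name: item})
    return parameters


def run_pipeline(machine_ids):
    """Code Block -> format block -> parameters list, end to end."""
    _formatted, items = format_block(TEMPLATE, [machine_ids])
    return build_get_file_parameters(items)
```

Each dict in the returned list corresponds to one "get file" call, which is why the action runs once per machine id even though it accepts a single id.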

