Splunk SOAR

Data access (collect2) bug in phantom v6.1.0

dennyw
Engager

Please help comment on the issue below.

Bug description:

The limit option is not processed correctly for phantom.collect2 in phantom version 6.1.0.

Reproduce in lab:

testb = phantom.collect2(container=container, tags=["test"], datapath=['artifact:*.name'], limit=0)
phantom.debug(len(testb))

 

There are more than 6000 artifacts in the test container.

However, phantom.collect2 can only return 1999 results even though we set limit=0, which means no limit.

 

Nov 09, 11:19:01 : phantom.collect2(): called for datapath['artifact:*.name'], scope: None and filter_artifacts: None
Nov 09, 11:19:01 : phantom.get_artifacts() called for label: *
Nov 09, 11:19:01 : phantom.collect(): called with datapath: artifact:* / <class 'str'>, limit = 2000, scope=all, filter_artifact_ids=[] and none_if_first=False with trace:False
Nov 09, 11:19:01 : phantom.collect(): calling out to collect_from_container
Nov 09, 11:19:01 : phantom.collect(): called with datapath 'artifact:*', scope='all' and limit=2000. Found 2000 TOTAL artifacts
Nov 09, 11:19:01 : phantom.collect2(): Classified datapaths as [<DatapathClassification.ARTIFACT: 1>]
Nov 09, 11:19:01 : phantom.collect(): called with datapath as LIST of paths, scope='all' and limit=0. Found 1999 TOTAL artifacts
Nov 09, 11:19:01 : 1999

 

 

 
 
 
 
0 Karma
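
A check for this symptom in playbook debug output, as an added example that is not part of the original post and is not Splunk's code: it parses the phantom.collect() result lines and flags a limit=0 call that follows a fetch which returned exactly its nonzero limit. The log format is assumed from the lines quoted in the post, the function names are hypothetical, and "fetch filled its limit" is a heuristic for truncation, not proof.

```python
import re

# Constructed sample: collect()/collect2() lines copied from the debug output in the post.
SAMPLE_LOG = """\
Nov 09, 11:19:01 : phantom.collect2(): called for datapath['artifact:*.name'], scope: None and filter_artifacts: None
Nov 09, 11:19:01 : phantom.collect(): called with datapath: artifact:* / <class 'str'>, limit = 2000, scope=all, filter_artifact_ids=[] and none_if_first=False with trace:False
Nov 09, 11:19:01 : phantom.collect(): called with datapath 'artifact:*', scope='all' and limit=2000. Found 2000 TOTAL artifacts
Nov 09, 11:19:01 : phantom.collect(): called with datapath as LIST of paths, scope='all' and limit=0. Found 1999 TOTAL artifacts
"""

# Matches only the "... and limit=N. Found M TOTAL artifacts" result lines.
RESULT_RE = re.compile(
    r"phantom\.collect\(\): called with datapath (?P<path>.+?), "
    r"scope=\S+ and limit=(?P<limit>\d+)\. Found (?P<found>\d+) TOTAL artifacts"
)


def collect_results(log_text):
    """Return (limit, found) for each collect() result line, in log order."""
    return [(int(m["limit"]), int(m["found"])) for m in RESULT_RE.finditer(log_text)]


def find_truncation(log_text):
    """Flag unlimited (limit=0) results that were served from a capped fetch.

    Heuristic (assumption): a fetch that returns exactly its nonzero limit
    probably stopped at the cap, so a following limit=0 result that is no
    larger than that cap is likely incomplete.
    """
    findings = []
    cap = None
    for limit, found in collect_results(log_text):
        if limit > 0 and found >= limit:
            cap = limit  # this stage filled its limit; more rows may exist
        elif limit == 0 and cap is not None and found <= cap:
            findings.append({"cap": cap, "returned": found})
            cap = None
    return findings


if __name__ == "__main__":
    for f in find_truncation(SAMPLE_LOG):
        print("possible silent truncation: limit=0 returned %(returned)d rows "
              "after an internal fetch capped at %(cap)d" % f)
```

A playbook that relies on limit=0 to see every artifact can run this over its debug log and fail loudly when a finding is returned, instead of acting on a partial artifact set.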