Splunk SOAR

How to get app action result in a playbook?

CS_
Path Finder

Hi all,

I have a stream of events which come in to SOAR.

When the event is loaded in SOAR, a playbook runs against it automatically - and this calls an App action, which completes successfully and returns data.

In another playbook, which will be manually run, how do I access the data returned by the App action?

Do I need to save the app action data as a new artifact, and call it that way, or is there a way to list all app actions in a container, and get the app action ID, and retrieve the data?

Thanks!

Labels (2)
Tags (4)
0 Karma
1 Solution

CS_
Path Finder

I think i've found a way to do this.

In my initial playbook, when an app function runs, I call "phantom.save_object" and save the data that way.

Then in a later playbook, i can do "phantom.get_object" which will pull back the saved object in my container.

This seems to work fine for my purposes.

Details on save/get object are here for anyone who is interested in reading up on them:

https://docs.splunk.com/Documentation/Phantom/4.10.3/PlaybookAPI/DataManagementAPI

View solution in original post

CS_
Path Finder

I think i've found a way to do this.

In my initial playbook, when an app function runs, I call "phantom.save_object" and save the data that way.

Then in a later playbook, i can do "phantom.get_object" which will pull back the saved object in my container.

This seems to work fine for my purposes.

Details on save/get object are here for anyone who is interested in reading up on them:

https://docs.splunk.com/Documentation/Phantom/4.10.3/PlaybookAPI/DataManagementAPI

phanTom
SplunkTrust
SplunkTrust

@CS_  great job finding this but may I ask what version of SOAR you are using? If 5.x then you can simply pass the value as an output on one playbook and then retrieve or pass that value through to other playbooks/functions to do what you need. 

Also have you considered just using REST to get the action_run details when you need them rather than having to persist some data?

Example: /rest/action_run?_filter_container="<id>"&_filter_name="<action_name>"

This will return the ID along with other information about the run.

https://docs.splunk.com/Documentation/SOARonprem/5.2.1/PlatformAPI/RESTRunAction 
https://docs.splunk.com/Documentation/SOARonprem/5.2.1/PlatformAPI/RESTQueryData 
https://docs.splunk.com/Documentation/SOARonprem/5.2.1/PlaybookAPI/SessionAPI 

With the above you could build a custom function to do this for you without having to write the save_object & get_object calls in each playbook you need this capability in. 

CS_
Path Finder

Hey @phanTom 

I'm using SOAR  Cloud 5.2.

So it's kind of a weird one -

An event comes in, Playbook A runs automatically, which enriches the event with additional data.

Then at a later date, an analyst may decide to run Playbook B, which creates a ticket in our Case Management System.

So I don't think we can run action from A, and pass the result to B, because B is run manually (or maybe not even at all!).

Getting the action_run details through REST looks like another good way to do what we need - I'll take a look into that. The persisting data isn't that much of a concern, as we have left auto_delete=True, so when the container is closed, these objects are removed.

Is there a way to call the RESTQueryData inside a SOAR playbook?

e.g. phantom.query("QueryData") or something? I don't think I have ever tried to use a rest query like that in SOAR. I can do it with CURL but no idea how to do in a Playbook.

I might have another potential solutions in the phantom.save_run_data() and phantom.get_run_data() although I haven't actually tried those yet.

0 Karma

phanTom
SplunkTrust
SplunkTrust

@CS_ yeah I realised the playbook input/output wouldn't work when I re-read your original question 😄 

As for using REST in a playbook there are 2 ways:

1. HTTP app to query REST and then use the response_body downstream
2. Custom Function using the phantom.requests() capability. 

An example piece of code to get some data from the action_run endpoint would look something like:

url = phantom.build_phantom_rest_url('action_run')
params = [('_filter_container', '"<id>"'(, ('_filter_name', '"<action_name>"'), ('page_size', 0)]

r = phantom.requests.get(url, params=params, verify=False)
try:
    response = json.loads(r.text)
except Exception as e:
    phantom.debug(f"Something went wrong: {e}")

Then <do something with the response data such as grab the ID>:
action_id = response['data'][0].get('id')

 ^^ was written from memory so "should" work but may need tweaking 😄 

CS_
Path Finder

Awesome, thanks a lot for the input, I've definitely learned form it 😁

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...