Splunk SOAR

Phantom / SOAR duplication of results using action_result.add_data()

turtles
New Member

Hi Guys,

I am trying to learn Phantom app development using an on-prem phantom installation, and have come across really weird behavior with adding data to action_results.

If I have some data I want to add, say:
data = ["abc", "def", "ghi", "jkl"]
it makes sense that I might want to do something like:

for d in data:
    action_result.add_data(d)

and expect to get an action result with 4 entries... instead what results is that I get an action result with 4 duplicates of the above data, effectively 16 entries:

[["abc", "def", "ghi", "jkl"], ["abc", "def", "ghi", "jkl"], ["abc", "def", "ghi", "jkl"], ["abc", "def", "ghi", "jkl"]]

Maybe this is intended behavior? To me this is weird, but since this is in my own app I just have to find ways to get around it. However, this behaviour also exists in all the other apps such as the splunk app.

If I use the splunk app to make a search against my splunk instance say with the query

index=test | head 6

then I would expect to get 6 results, however since the splunk app is also iterating over the results it receives and uses the add_data method, the action results end up being 6 duplicate lists of 6 entries, so effectively 36 results. I am unable to parse this in any playbook blocks. If I write JUST custom code blocks then I can extract the desired results, but then what is the point of playbooks if I am just writing everything in python code anyway? Also, what if I expect my search to return 1000 results? Having the action result grow exponentially means that the action result will be 1,000,000 items, which gets ridiculous.

Is this expected behaviour? If so, how do I get the results using the GUI playbook editor?

Or is my Phantom instance borked somehow? (I ran the normal installer, haven't made any changes to my instance)

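As an added illustration (not part of the post above, and not Phantom's own code), the block below models the append-per-call semantics the poster expects from add_data(), reproduces the nested "N copies of the whole list" shape quoted in the post, and shows a small helper that a custom-code block could use to recover the unique rows from that shape. The ActionResult class is a constructed stand-in for phantom.app.ActionResult, the input lists are constructed, and reproducing the shape by passing the whole list on each iteration is only one way to get that output, not a claim about what the poster's app or the Splunk app actually does.

```python
"""Constructed stand-in for Phantom/SOAR's ActionResult, plus a helper that
recovers unique rows from the nested, duplicated result shape described in
the post. Nothing here imports or depends on the real phantom.app module."""
from typing import Any


class ActionResult:
    """Minimal model of the SOAR result container (constructed stand-in).
    add_data() appends exactly one row per call; get_data() returns the rows."""

    def __init__(self) -> None:
        self._data: list[Any] = []

    def add_data(self, item: Any) -> None:
        self._data.append(item)

    def get_data(self) -> list[Any]:
        return list(self._data)


def one_row_per_call(rows: list[Any]) -> list[Any]:
    """The pattern from the post: one add_data() per element.
    With append semantics this yields len(rows) entries, not a nested list."""
    ar = ActionResult()
    for d in rows:
        ar.add_data(d)
    return ar.get_data()


def add_whole_list_each_time(rows: list[Any]) -> list[Any]:
    """Produces the shape quoted in the post (N copies of the full list) by
    passing the whole list on every iteration. Whether this is what happened
    in the poster's environment is not something this example can decide."""
    ar = ActionResult()
    for _ in rows:
        ar.add_data(rows)
    return ar.get_data()


def _freeze(item: Any) -> Any:
    """Turn a row into something hashable so it can be de-duplicated.
    Splunk search rows arrive as dicts, so dicts become sorted key/value tuples."""
    if isinstance(item, dict):
        return tuple(sorted((k, _freeze(v)) for k, v in item.items()))
    if isinstance(item, (list, tuple)):
        return tuple(_freeze(v) for v in item)
    return item


def unique_rows(data: list[Any]) -> list[Any]:
    """Flatten one level of nesting and drop repeated rows, keeping first-seen
    order. Handles both the nested shape from the post ([[...], [...]]) and a
    flat list of rows, so a custom-code block can feed downstream actions the
    6 real search results rather than 36 entries."""
    seen: set[Any] = set()
    out: list[Any] = []
    for entry in data:
        rows = entry if isinstance(entry, list) else [entry]
        for row in rows:
            key = _freeze(row)
            if key not in seen:
                seen.add(key)
                out.append(row)
    return out


if __name__ == "__main__":
    sample = ["abc", "def", "ghi", "jkl"]  # constructed, from the post
    print(one_row_per_call(sample))
    nested = add_whole_list_each_time(sample)
    print(nested)
    print(unique_rows(nested))
```

unique_rows() is what you would drop into a custom-code playbook block over the action's data path while the duplication question is open; it is idempotent, so running it on an already-flat result list is harmless.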