@Iñigo , we finally customized the HTTP app by just using the authentication taken from Graph apps. In our opinion, there is really no doubt about what is wrong: if you can specify a payload in OAuth and if HTTP supports OAuth, it must definetely provide the option to insert a payload, otherwise we can safely say that the app does not support OAuth really. However, waiting Splunk to understand and acknowledge such thought is like a miracle so we proceeded to customize the app. ... View more

Dear @phanTom, we already evaluated that way. Customizing the Graph app (which app exactly?) is a way we considered already but we do not like it. Customizing the app means to not be subjected to updates of the app itself or, equivalently, it means that we must customize every new version of the app. This is something that we do not prefer. For what concerns the use of the HTTP app, if you consider that: it supports OAuth; OAuth is the authentication/authorization method accepted also by Azure/Graph (https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http) We can just translate the problem into: why the HTTP app does not work with OAuth if it says that it is supported? What seems to be missing in the app, is the possibility to specify a payload for the POST request that retrieves the authentication token. In the following screenshot (taken from the URL reported above), you can observe a sample payload and a sample answer: For this reason, the question "why the HTTP app does not work with OAuth if it says that it is supported?" becomes "how to specify the payload for the OAuth POST request in the HTTP app?" or, equivalently, "why there is no possibility to specify a payload for the OAUTH POST request?"   Thank you in advance! ... View more

Hi @phanTom, did you miss the last answer? Is there a way to understand if and how could we get all the email IDs related to a specific email (e.g. given a subject and a sender or pivoting on other elements - which ones in that case?). Thank you in advance. Andrea ... View more

Hi @phanTom , thank you for your reply.   This is not answering our question, so let me try to write it better. Our target usecase is to: 1) Find all the users who have received an email with a particular subject/sender/string in the body and retrieving the related email IDs; 2) Delete such emails.   The (most important) point that seems not possible for now is the first one since when using the "run query" action from Exchange App you are required to specify the input field "email" that is the "User Mailbox to search in". For this reason, we do not see any app/action for Phantom that could help us retrieving such IDs. Is there a way to do that? ... View more

@phanTom  what we have to do is simple: when a container is closed we have to trigger an action ("update email") through the Exchange (on-premise) App. This is not a major feature of our use-case but it would be a "icing on the cake" because it would let us to understand something about an email without logging into Phantom. Given this, we would like a simple (to develop, test, integrate, test again) solution for such a minor feature.   However, just to evaluate it further, do you know where can I find APIs in order to query for the "status of a set of containers under a certain label"? Thank you. ... View more

Hi Tom, thank you for your answers. These are the same ideas come into my mind, but they cannot help. We don't like to create further containers just to close other ones, also considering the fact that we are dealing with tons of containers (we do not want "2xTonsOfContainers"). The same applies for externalization and, moreover, we have a very big external Splunk infrastructure... so to externalize is not trivial. Probably this is a product limitation 😞 ... View more

@phanTom  Thank you, I understand everything but I think that if someone put a limit of 1000 there should be a reason so I did not even suppose to go to remove that limit... If I do that it is very likely that I shorten and simplify my use case but break all the other actions of the app.  I understand that for cycles cannot be done easily generally speaking, but I prefer to go for the longer way rather than remove "limits" from software not written by me. Thank you for your help! ... View more

@phanTom  sorry but are you saying that it is written that cannot be used within a custom function but instead you use it and it works? I am trying to delete all the emails contained in a precise folder of a precise mailbox (much more than 1000. 1000 is the number that I found to be the undocumented number of emails that the EWS on-premise App can retrieve from a folder of a mailbox, indeed i made another question on this community for that topic) in one single container. Given that the upper limit is 1000, I am forced to cycle on the actions needed (run query, delete email) until the run query returns 0 emails. This is how the questions came up to me but now I am generally interested in how to implement "for cycles" is a single playbook as they would very useful for other use cases. Thank you   ... View more

@phanTom  thank you. Now I got the point.   Going back to last residual questions (and I will stop annoying you then :D): You said to me that I need a custom function to save an object but in the documentation you sent to me (Data management automation API - Splunk Documentation) it is written "The save_object API is not supported from within a custom function". So, how I am supposed to use it? Where can I save an object in the code of a playbook? Going back to the for cycle, what is the best way to implement it, according to your experience? Thank you ... View more

@phanTom  I am still not precisely understanding. I have clear the behaviour if only the Container ID is specified as context (Its scope will be within that container ID and its "life" will be more or less the same of the container), but what happens to the object if I do specify only a Playbook name? What will the scope of the object and its "life" be? It will live along all that Playbook runs? ... View more

Dear Phantom, as written before, I understand what you meant. Please navigate to the first URL provided by you (https://docs.splunk.com/Documentation/Phantom/4.10/PlatformAPI/RESTContainers) then press CTRL + F (find something in the page) then look for "DELETE": there are no results. My question is: where this information (i.e. use an HTTP DELETE to achieve Container deletion) is written? Is it so obvious so that it is it left as an implicit information? ... View more

@phanTom , what if I specify only a playbook as context? Do I achieve the "cross-containers" variable? If yes, how this object can be reset to its original value?   For what concerns for-cycles I'm just designing some use-cases but I have still not yet developed them. I would need a for cycle (i.e. some actions repeated on the same container until a condition is met) and I was just guessing how to achieve it (if possible).   Thank you ... View more

Dear Tom, thank you. I understand what you are writing and I would accept it as a solution but I cannot find any reference to DELETE requests in the link provided by you. Where it is written? Thank you again ... View more

Dear Tom, thank you. So just to recap and chech if I correctly understood: I can save a variable with the save_object() API and this can be done only through custom functions of a playbook right? I can save a variable with the save_object() and decide to set its context to be a playbook or a container, right? If the context is a container, that is fine since every playbook run on a now container will deal with a new_object (to be deleted optionally setting auto_delete=true) but what happens when saving the object in a playbook context? It is mantained cross-playbook until explicitly deleted or reset? For what concerns for-cycle I can trivially use a Decision block followed by some actions and link the last action back to the Decision block so that the desired actions run until a the condition in the decision block is met, right? Thank you again   ... View more

Thank you! ❤️  ... View more