Splunk SOAR (f.k.a. Phantom)

Splunk Phantom: How to append each username from LDAP query result into an email body and send?

robertbuscato
New Member

Results from LDAP query:
user1
user2

I want to send an email for each of these users with the below email body separately:

Hi user1 (for user 1 email)

Hi user2 (for user 2 email)

And then send the email to each of these users.

====================================================================

The issue that I am facing is that currently, the email body looks like this:

Hi user1, user2

Though the email was successfully sent to each of these users.

1 Solution

sam_splunk
Splunk Employee

Hello!

The easiest way to do this may be a custom code block.

In my environment, I have an LDAP query from an action block that feeds into a custom function. That function has the inputs:

get_users_1:action_result.data.*.emails.0
get_users_1:action_result.data.*.displayname

And the code looks like this:

def custom_function_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('custom_function_2() called')
    results_data_1 = phantom.collect2(container=container, datapath=['get_users_1:action_result.data.*.emails.0', 'get_users_1:action_result.data.*.displayname'], action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]
    results_item_1_1 = [item[1] for item in results_data_1]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    for i in range(len(results_item_1_0)):
        parameters = []
        email_body = """
Hello{},

This is a test!
        """
        if results_item_1_0[i] is None:
            continue                    # don't send on empty emails

        if results_item_1_1[i] is None:
            email_body = email_body.format("")
        else:
            email_body = email_body.format(" " + results_item_1_1[i])

        parameters.append({
            'body': email_body,
            'from': "<REDACTED>@gmail.com",
            'attachments': "",
            'to': results_item_1_0[i],
            'cc': "",
            'bcc': "",
            'headers': "",
            'subject': "Testing"
        })
        phantom.act("send email", parameters=parameters, assets=['gmail'], name="send_email_1")

    ################################################################################
    ## Custom Code End
    ################################################################################

In this way I am looping through the values and grabbing display name and email and smashing them together to send an email. I do a couple of lightweight error-handling checks too:

  1. If the email field is None, we break out of that iteration of the loop to prevent failing to send.
  2. If the Displayname is empty then we just start the email with "Hello," instead of "Hello None,"

It would be possible to do this with artifacts and the like, but I think a short code block is more straightforward. Feel free to reach out to me on the Phantom-Community Slack (sam_phantom) to discuss.



robertbuscato
New Member

Hi Ghays,

It was able to send email to only one of the emails returned from LDAP (2 users returned which is the expected result). Also, I noticed that it sends to the second email returned by LDAP.
Any update you can recommend? I'm not really good at Python so I'm having a hard time on fixing the issue.

Thank you.
Robert


sam_splunk
Splunk Employee

Would you be able to post your configuration w/ screenshots or names + params?


robertbuscato
New Member

Below is the custom code I created.
Input Parameters from LDAP:

Get_User_Attribute:action_result.data.*.mail
Get_User_Attribute:action_result.data.*.givenname

def Format_Email(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('Format_Email() called')
    results_data_1 = phantom.collect2(container=container, datapath=['Get_User_Attribute:action_result.data.*.mail', 'Get_User_Attribute:action_result.data.*.givenname'], action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]
    results_item_1_1 = [item[1] for item in results_data_1]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # build parameters list for 'Send_Email' call
    for i in range(len(results_item_1_0)):

        parameters = []
        email_body = """
          Hello{},

          This is a test!
            """
        if results_item_1_0[i] is None:
            continue                    # don't send on empty emails

        if results_item_1_1[i] is None:
            email_body = email_body.format("")
        else:
            email_body = email_body.format(" " + results_item_1_1[i])

            parameters.append({
             'body': email_body,
             'from': "test@mail.com",
             'attachments': "",
             'to': results_item_1_0[i],
             'cc': "",
             'bcc': "",
             'headers': "",
             'subject': "Testing"
      })
    phantom.act("send email", parameters=parameters, assets=['smtp'], name="Send_Email")

    ################################################################################
    ## Custom Code End
    ################################################################################

    return

sam_splunk
Splunk Employee

Confirm the inputs to your custom function are right?

Should be:

Input 1: Get_User_Attribute:action_result.data.*.emails.0
Input 2: Get_User_Attribute:action_result.data.*.displayname

robertbuscato
New Member

@ghays_splunk - It actually works now. I didn't put the proper indentation (newbie mistake) in the for loop, that's why it didn't work before. Thank you so much for helping me.


sam_splunk
Splunk Employee

Awesome! Python is super sensitive to indentation - it's literally a language where the amount of whitespace controls how statements are grouped... crazy stuff.

Anywho, glad it's working for you!

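The loop from the accepted answer and the corrected Format_Email block above both do the same job: one send-email parameter set per LDAP row, skipping rows with no mail value and greeting generically when the name is missing. The following is an added example written for this page (it is not code from the thread or from Splunk) that keeps that logic but can be run outside SOAR. It assumes the rows have the [mail, givenname] shape that phantom.collect2() returns for the two datapaths in the thread, that the phantom module is only importable inside a playbook (so the send is skipped when it is absent), and it uses constructed sample rows with example.com addresses. The clean_name helper, SAMPLE_ROWS and the "test@mail.com" sender are this example's own assumptions.

```python
"""Per-recipient send-email parameters from an LDAP result set (added example)."""
import re

try:
    import phantom.rules as phantom  # present only inside a Splunk SOAR playbook run
except ImportError:
    phantom = None  # stand-alone run: build the parameters, do not send

# Constructed sample rows, in the shape and order phantom.collect2() returns for
# ['Get_User_Attribute:action_result.data.*.mail',
#  'Get_User_Attribute:action_result.data.*.givenname']
SAMPLE_ROWS = [
    ["user1@example.com", "User One"],
    [None, "Nomail"],                                    # no mail attribute: skipped
    ["user2@example.com", None],                         # no givenname: "Hello,"
    ["", "Empty"],                                       # empty mail: also skipped
    ["user3@example.com", "Eve\r\nBcc: x@example.net"],  # CR/LF inside a directory value
]

BODY_TEMPLATE = "Hello{greeting},\n\nThis is a test!\n"

_CTRL = re.compile(r"[\x00-\x1f\x7f]+")


def clean_name(value):
    """Replace runs of control characters (CR, LF, NUL, ...) in a directory
    attribute with one space. A display name is data someone else controls;
    scrubbing it keeps a crafted value from injecting lines into the message."""
    return _CTRL.sub(" ", value).strip()


def build_email_parameters(rows, sender, subject):
    """Return one parameter dict per usable row, with the same keys as the
    thread's send-email call. Rows with a None or empty mail value are dropped."""
    parameters = []
    for row in rows:
        mail, given = row[0], row[1]
        if not mail:                       # nothing to deliver to
            continue
        given = clean_name(given) if given else ""
        greeting = " " + given if given else ""
        parameters.append({
            "body": BODY_TEMPLATE.format(greeting=greeting),
            "from": sender,
            "attachments": "",
            "to": mail,
            "cc": "",
            "bcc": "",
            "headers": "",
            "subject": subject,            # fixed string, never a raw directory value
        })
    return parameters


def send_emails(parameters, asset="smtp", name="Send_Email"):
    """Issue a single 'send email' action carrying every parameter set.
    Returns the number of recipients; 0 when there is nothing to send."""
    if not parameters:
        return 0
    if phantom is not None:
        phantom.act("send email", parameters=parameters, assets=[asset], name=name)
    return len(parameters)


if __name__ == "__main__":
    params = build_email_parameters(SAMPLE_ROWS, "test@mail.com", "Testing")
    for p in params:
        print(p["to"], "->", p["body"].splitlines()[0])
    print("recipients:", send_emails(params))
```

Three details differ from the posted blocks on purpose. `if not mail` drops empty strings as well as None, which `is None` alone lets through to the SMTP asset. The display name is scrubbed of CR/LF and other control characters before it is formatted into the body, and the subject stays a constant; directory attributes are writable by more people than the playbook author, and a value with an embedded newline is the classic way to smuggle extra headers into a message if it ever reaches the subject or headers field. Finally, the parameter dicts are accumulated and passed to one phantom.act call, which is the shape the generated playbook code uses: `parameters` is a list, and each entry becomes one run of the action.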