Splunk SOAR (f.k.a. Phantom)

List of dicts from a "custom code block" into a "filter block"

glc_slash_it
Path Finder

Hello

I'm trying to pass a list of dicts from a "custom code block" into a "filter block", to run either ip_lookup, hash_lookup, or both sub-playbooks based on the indicator type.

For example:
ioc_list = [
    {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    },
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
    }
]
 
And then on filter I have:
if get_indicators:custom_function:ioc_list.*.type == ip
    run -> ip_lookup sub-playbook
if get_indicators:custom_function:ioc_list.*.type == hash
    run -> hash_lookup sub-playbook
 
 
And it looks like the filter does half of the job, because it can route to the proper sub-playbook(s), but instead of forwarding only the elements that match the conditions, it simply forwards all elements.
 
 

Expected output:

filtered-data on condition_1 route

[
    {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    }
]

 

filtered-data on condition_2 route: 

[
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
    }
]
 
Actual output on both condition routes:

[
    {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    },
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
    }
]
 
 
Even though this seems like a specific question, it is also part of a broader misunderstanding of how custom code blocks and filter blocks interact with each other.

Hope someone can enlighten me on the correct path.
Thanks
 
0 Karma
1 Solution

phanTom
SplunkTrust

@glc_slash_it custom functions don't pass out information in the same way an action would via action_results. You can't filter on CF outputs in the same way unfortunately. 

Either:

1. Do the filtering in the CF and pass out only what you need.
2. Use another Code Block to do the additional understanding and pass out a list.
3. Convert your function to an app action to take advantage of the action_results capability then you can split them with filters/decisions.

 

-- I Hope this helped, if so please mark as a solution for others asking the same question! Happy SOARing! --

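Option 1 from the accepted answer, worked through as an added example (this is not code from the thread or from Splunk): the custom function does the splitting itself and emits one output list per indicator type, so the playbook wires each output straight to the matching sub-playbook instead of asking a filter block to carve up a single list. The function name get_indicators and the sub-playbook names ip_lookup and hash_lookup come from the question; the output names ip_list, hash_list and unknown_list, the keyword-argument entry-point signature and the sample list are assumptions made here, so compare them with the stub SOAR generates for your own custom function. The example also goes one step beyond the question by checking that each value really is what its "type" label claims, so a mislabelled indicator is quarantined rather than handed to a lookup that cannot process it.

```python
"""
Added example (not from the Splunk Community thread): route indicators by
type inside the custom function, as in the accepted answer's option 1.
"""
import ipaddress
import re

# Constructed sample input mirroring the list shown in the question.
SAMPLE_IOC_LIST = [
    {"ioc": "2.2.2.2", "type": "ip"},
    {"ioc": "1.1.1.1", "type": "ip"},
    {"ioc": "ce5761c89434367598b34f32493b", "type": "hash"},
]

# Hex digest of any plausible length; the value in the question is 28 hex
# characters, so the check is deliberately length-agnostic rather than
# pinned to MD5/SHA-1/SHA-256 sizes.
HASH_RE = re.compile(r"[0-9a-fA-F]{16,128}")


def classify(ioc):
    """Classify an indicator by its value alone, ignoring any declared type."""
    try:
        ipaddress.ip_address(ioc)  # accepts both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if HASH_RE.fullmatch(ioc):
        return "hash"
    return "unknown"


def partition_iocs(ioc_list):
    """Split a list of {"ioc", "type"} dicts into one list per indicator type.

    An entry lands in the "ip" or "hash" bucket only when its value actually
    looks like that type. A mislabelled or unparseable entry goes to "unknown"
    so that a lookup sub-playbook never receives an indicator it cannot handle.
    """
    buckets = {"ip": [], "hash": [], "unknown": []}
    for item in ioc_list or []:
        ioc = str(item.get("ioc", "")).strip()
        declared = str(item.get("type", "")).strip().lower()
        detected = classify(ioc)
        # Accept when the value matches the label, or when no label was given.
        if detected != "unknown" and declared in ("", detected):
            buckets[detected].append({"ioc": ioc, "type": detected})
        else:
            buckets["unknown"].append(
                {
                    "ioc": ioc,
                    "type": declared,
                    "reason": f"declared {declared!r}, detected {detected!r}",
                }
            )
    return buckets


def get_indicators(ioc_list=None, **kwargs):
    """Custom-function entry point (name taken from the question).

    Assumption: the function receives its inputs as keyword arguments and
    returns a dict of named outputs; verify this against the stub SOAR
    generates for your function. In the playbook, wire ip_list to the
    ip_lookup sub-playbook and hash_list to hash_lookup, and put a decision
    block in front of each branch that skips it when the list is empty.
    """
    buckets = partition_iocs(ioc_list)
    return {
        "ip_list": buckets["ip"],
        "hash_list": buckets["hash"],
        "unknown_list": buckets["unknown"],
    }


if __name__ == "__main__":
    import json

    print(json.dumps(get_indicators(ioc_list=SAMPLE_IOC_LIST), indent=2))
```

The same partition_iocs helper also serves option 2 from the answer: drop it into a second code block that takes the first block's list as input and emits only the subset you want. Either way the split happens in Python, where you control it, rather than in a filter condition that the answer explains cannot operate on custom-function outputs the way it does on action_results.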

glc_slash_it
Path Finder

Hi @phanTom, thanks for the suggestions, they help!

 

0 Karma
