Splunk SOAR (f.k.a. Phantom)

List of dicts from a "custom code block" into a "filter block"

glc_slash_it
Path Finder

Hello

I'm trying to pass a list of dicts from a "custom code block" into a "filter block", to run either ip_lookup, hash_lookup, or both sub-playbooks based on the indicator type.

For example:
ioc_list = [
    {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    },
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
    }
]
 
And then on filter I have:
if get_indicators:custom_function:ioc_list.*.type == ip
    run -> ip_lookup sub-playbook
if get_indicators:custom_function:ioc_list.*.type == hash
    run -> hash_lookup sub-playbook
 
 
And it looks like the filter does half of the job, because it can route to the proper sub-playbook(s), but instead of forwarding only the elements that match the conditions, it simply forwards all elements.
 
 

Expected output:

filtered-data on condition_1 route:

[
    {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    }
]

filtered-data on condition_2 route:

[
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
    }
]

Actual output on both condition routes:

[
    {
        "ioc": "2.2.2.2",
        "type": "ip"
    },
    {
        "ioc": "1.1.1.1",
        "type": "ip"
    },
    {
        "ioc": "ce5761c89434367598b34f32493b",
        "type": "hash"
    }
]
 
 
Even though this seems like a specific question, it is also part of a broader misunderstanding of how custom code blocks and filters interact with each other.

Hope someone can enlighten me on the correct path.
Thanks
 
0 Karma
1 Solution

phanTom
SplunkTrust

@glc_slash_it custom functions don't pass out information in the same way an action would via action_results. You can't filter on CF outputs in the same way unfortunately. 

Either:

1. Do the filtering in the CF and pass out only what you need.
2. Use another Code Block to do the additional understanding and pass out a list.
3. Convert your function to an app action to take advantage of the action_results capability then you can split them with filters/decisions.

 

-- I Hope this helped, if so please mark as a solution for others asking the same question! Happy SOARing! --
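Option 1 and option 2 above both come down to the same thing: do the split in Python and hand each sub-playbook its own list, instead of expecting the filter block to subset a custom function's output. The block below is an added example (not code from the original post or from Splunk SOAR) of that split, written as plain Python so it runs stand-alone; how the returned lists are wired into a custom function's declared outputs or saved from a custom code block is left to your playbook and is an assumption here. The sample list is constructed to mirror the one in the question, with two extra entries added to show what a defender would want handled: an entry whose `type` says `ip` but whose value is not an IP, and a type that has no sub-playbook. Both are kept in their own buckets rather than silently dropped or fed to the wrong lookup.

```python
import ipaddress
import string

# Constructed sample input, shaped like the ioc_list in the question,
# plus two deliberately awkward entries (mislabelled type, unhandled type).
SAMPLE_IOC_LIST = [
    {"ioc": "2.2.2.2", "type": "ip"},
    {"ioc": "1.1.1.1", "type": "ip"},
    {"ioc": "ce5761c89434367598b34f32493b", "type": "hash"},
    {"ioc": "not-an-ip", "type": "ip"},          # labelled ip, is not one
    {"ioc": "example.test", "type": "domain"},   # no domain sub-playbook
]


def _is_ip(value):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_hash(value):
    """Plausibility check only: non-empty and hex digits throughout.

    Tightening this to exact lengths (32/40/64 for MD5/SHA-1/SHA-256) is
    reasonable in production; it is left loose so the sample value from
    the question still passes.
    """
    return bool(value) and all(c in string.hexdigits for c in value)


# One validator per indicator type that has a downstream sub-playbook.
# Extending this map is how a new lookup route is added.
VALIDATORS = {"ip": _is_ip, "hash": _is_hash}


def split_iocs_by_type(ioc_list):
    """Partition a list of {"ioc": ..., "type": ...} dicts by indicator type.

    Returns one list per routable type (here "ip" and "hash"), plus
    "invalid" for entries whose value fails that type's check and
    "unrouted" for types with no validator, so nothing is lost silently.
    """
    buckets = {name: [] for name in VALIDATORS}
    buckets["invalid"] = []
    buckets["unrouted"] = []

    for entry in ioc_list:
        ioc_type = str(entry.get("type", "")).strip().lower()
        value = str(entry.get("ioc", "")).strip()
        validator = VALIDATORS.get(ioc_type)
        if validator is None:
            buckets["unrouted"].append(entry)
        elif not validator(value):
            buckets["invalid"].append(entry)
        else:
            # Normalised copy so downstream lookups see a consistent shape.
            buckets[ioc_type].append({"ioc": value, "type": ioc_type})
    return buckets


if __name__ == "__main__":
    result = split_iocs_by_type(SAMPLE_IOC_LIST)
    for name, items in result.items():
        print(f"{name}: {[e['ioc'] for e in items]}")
```

In the playbook, `result["ip"]` is what the ip_lookup sub-playbook receives and `result["hash"]` what hash_lookup receives; the `invalid` and `unrouted` lists are worth surfacing (a note or a container comment) because an indicator that reaches a code block with a wrong or unknown type is usually a sign of an upstream parsing problem rather than something to discard.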


glc_slash_it
Path Finder

Hi @phanTom, thanks for the suggestions, they help!

 

0 Karma

