Phantom.collect


Shinyoung Gedris

Aug 3, 2024, 4:13:02 PM8/3/24
to placadlegua

The current workaround I have for this is to use a Custom Function to output the first artifact object of the container, but this only creates a snapshot of the artifact object at the time the function is called; If I update the artifact after calling the function, I'll need to call the function again to get the updated artifact object values.

The closest thing I've seen to this is the phantom.collect() API call, in which you can specify a datapath with a specific label (i.e. phantom.collect(container, "artifact:uniqueLabel")), where you can specify a label and only the artifacts with the given label are returned, but this same syntax does not work in the Playbook Visual Editor.

I've not come across a solution other than what WalshyB suggested either. I get why you'd want to do [0] (I've needed the same ability) but I've not seen a guarantee anywhere of list order either.

For example, in my case I needed a reference to the first artifact in a container, so I made the first artifact always have the label 'main'. Then with a filter node, I do a condition for artifact:*.label == main. Then, in any downstream blocks, you can reference the output of the filter block (which in my case will be any artifact with the label main).

This does work, but is there a way to do this without having to add custom code to each node we want to apply this to?

The ideal solution would be being able to specify a datapath like this: artifact:[0].cef.username, where [0] indicates the first artifact within the container.

The Automation API allows security operations teams to develop detailed and precise automation strategies. Playbooks can serve many purposes, ranging from automating minimal investigative tasks that can speed up analysis to large-scale responses to a security breach. The following APIs are supported to leverage the capabilities of data access using playbooks.

Use the collect API to gather information from the associated artifacts of a container or action results that you get in the action callback or through the get_action_results() API. You can also use the collect API to obtain a listing of all IP addresses or all file hashes across all artifacts by specifying the appropriate data path into the artifact JSON. Or, extract all country ISO codes from the action results of action geolocate IP and pass the collect API into the results object. You can specify either one datapath as a string for the information you want to extract from action results, or you can specify more than one datapath in a list of datapath strings.

The collect2 API is an extension of the phantom.collect() API. It adds the filter_artifacts parameter, which is a list of artifacts whose values are returned. To learn more about the datapaths used in the collect2 API, see Understanding datapaths.

The collect_from_contains API functions similarly to collect, but instead of using datapaths for the values you want, you instead provide a contains value. This action returns a flat list of all the unique values that match at least one contains in the list. The call returns None if it fails.

Use the get_action_results API to retrieve the action results using the action JSON that was given in the action callback or the action run ID that was given in the action JSON. The API call get_summary() also returns one or more app run IDs that can be passed in as the optional parameter.

A single phantom.act() API call can be executed on multiple sets of parameters on more than one asset. Each instance of a phantom.act() call is identified by a unique action run ID. One action execution on each asset results in a corresponding app execution, each of which is identified by a unique app run ID. Multiple parameter sets for an action execution on the same app, on its respective asset, can be part of the same app run.

Use the get_filtered_data API to retrieve the filtered data that was saved by phantom.condition(). In the phantom.condition() API, if the name was specified, the filtered data is saved under the specified key and the same key can be used to retrieve the data. This API returns a tuple of filtered action results and filtered artifacts.

Use the get_format_data API to retrieve data saved through the phantom.format() API. If you specified the name parameter value in the phantom.format() API, the name can be used to retrieve the data. For sample usage, see format.

Use the get_raw_data API to retrieve container raw data as it exists at the source. This API allows users to access and automate on raw data in cases where there is information that was not parsed into artifacts.

The get_raw_data API pulls raw data from the container's ["data"] section, which is often used to store raw emails and the raw data from ticketing tools ingested via on_poll.

Use the set_parent_handle API to set the handle from the synchronously called child playbook that is then accessed in the parent playbook through the handle parameter of the callback function. This API works only when the parent calls the child playbook in synchronous mode. See playbook for more information on calling playbooks in synchronous mode.
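To make the datapath forms discussed above concrete, here is an added, self-contained Python model of how artifact selection works on a container: `artifact:*` (all artifacts), `artifact:<label>` (the label-based workaround), and `artifact:[n]` (the index syntax the original poster wanted, which the real API does not offer or guarantee an order for), plus a `filter_artifacts` restriction in the spirit of collect2. This is not the phantom module or Splunk's code; the container, its artifacts, and the `collect`/`select_artifacts`/`lookup` helper names are all constructed for this example.

```python
import re

# Constructed sample container: three artifacts, the first labelled 'main'
# (the convention the poster used so the "first" artifact is addressable).
SAMPLE_CONTAINER = {
    "id": 1,
    "data": {"raw_email": "From: alice@example.test ..."},  # constructed
    "artifacts": [
        {"id": 10, "label": "main", "cef": {"username": "alice", "sourceAddress": "10.0.0.5"}},
        {"id": 11, "label": "event", "cef": {"username": "bob", "sourceAddress": "10.0.0.6"}},
        {"id": 12, "label": "event", "cef": {"fileHash": "constructed-hash-1"}},
    ],
}

# artifact:<selector>[.<dotted.field>] where selector is '*', '[n]' or a label
_ARTIFACT_RE = re.compile(r"^artifact:(\*|\[(\d+)\]|[A-Za-z0-9_]+)(?:\.(.+))?$")


def select_artifacts(container, selector):
    """Pick artifacts by '*' (all), '[n]' (list index), or a label name."""
    artifacts = container.get("artifacts", [])
    if selector == "*":
        return list(artifacts)
    if selector.startswith("["):
        idx = int(selector[1:-1])
        return [artifacts[idx]] if idx < len(artifacts) else []
    return [a for a in artifacts if a.get("label") == selector]


def lookup(obj, dotted):
    """Walk a dotted path such as 'cef.username'; None if any hop is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def collect(container, datapath, filter_artifacts=None):
    """Return the values at datapath across the selected artifacts, in order.

    Artifacts lacking the field are skipped. filter_artifacts, if given,
    restricts the selection to those artifact ids (a collect2-style filter).
    """
    m = _ARTIFACT_RE.match(datapath)
    if not m:
        raise ValueError(f"unsupported datapath: {datapath!r}")
    selector, _, field = m.groups()
    chosen = select_artifacts(container, selector)
    if filter_artifacts is not None:
        keep = {a["id"] for a in filter_artifacts}
        chosen = [a for a in chosen if a["id"] in keep]
    if field is None:
        return chosen
    return [v for v in (lookup(a, field) for a in chosen) if v is not None]
```

Because artifact order is not guaranteed by the platform, the label-based selection (`artifact:main.cef.username`) is the form that stays stable as artifacts are added or updated; the `[0]` form only works here because the sample list is fixed.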


I've created an alert in Splunk Enterprise and used the Splunk SOAR / Phantom plugin to call the action "Run a playbook in Splunk SOAR". So far so good. Alert fires, it gets forwarded over to SOAR. SOAR creates a new event and then takes the original event data and creates an artifact with the details. And then changes the tag value and creates another artifact.... and another.... and another.

I can't find any mention of these tags in any place, starting with the original data, to the Splunk Enterprise alert config, etc. So I think it's SOAR adding additional data, but again I'm not sure how or when or why it's doing that. If each tag is necessary, is there a way I can force it to add all 8 tags to an array on a single artifact? Please advise.

@phanTom Resolved. Discovered it to be a setting in the advanced settings under the Phantom/SOAR App for Splunk config. By default it divides multi-value fields to be created as separate artifacts, but in my case was creating too much redundancy. Thanks for your time.

@joconnor what playbook(s) are you running?

The adding of tags is very likely performed by a playbook automation and yes you can add multiple tags but would need to reconfigure the automation to add multiple when it does it now.

Right now I'm only calling an empty custom playbook that I created which essentially does nothing at this point. I've modified the on_start() method to use the phantom.collect method to retrieve all artifacts in the container and then output the contents in the debug window. Then it ends.

This is also only happening to the event that uses the alert action "Run Playbook in Phantom". I have other cases of a data model being forwarded, and in similar circumstances the same event will only create a single artifact.
