The Automation API allows security operations teams to develop detailed and precise automation strategies. Playbooks can serve many purposes, ranging from automating minimal investigative tasks that speed up analysis to large-scale responses to a security breach. The following APIs are supported to leverage the data access capabilities of playbooks.

In code examples, the term None refers to a Python None or null type and means the same as an unspecified value, a value that is not set, or not specifying the parameter at all. For example, limit=None does not make the value unlimited; it sets the value to the default of 2000.

Use the collect API to gather information from the associated artifacts of a container, or from action results that you get in the action callback or through the get_action_results() API. For example, you can use the collect API to obtain a listing of all IP addresses or all file hashes across all artifacts by specifying the appropriate datapath into the artifact JSON, or extract all country ISO codes from the action results of the geolocate IP action by passing the results object to the collect API. You can specify either one datapath as a string for the information you want to extract from action results, or more than one datapath in a list of datapath strings.

The collect API has a suggested limit value of 2000 artifacts, which is a very large number of artifacts for a single event. Avoid use cases that rely on more than 2000 artifacts for a single event; such large numbers of artifacts in a single event can cause performance and usability issues. The collect API is supported from within a custom function.

```python
phantom.collect(container,  # this can be a container or an action results object
                datapath,
                limit=2000)
```

container: The container that is available to the user in on_start(), on_finish(), or any action callback. It can also be a results object that you get in the action callback or through the get_action_results() API.

datapath: The path of the element in the JSON schema to access or retrieve from the associated artifacts of a container or from the action results object.

The following are example datapaths for a container.

Collect all file hashes from all the artifacts of a container:

```python
phantom.collect(container, "artifact:*.cef.fileHash")
```

Collect all file hashes of a specific artifact type (events) of a container. You can specify a substring to be searched across matching artifact types; the substring applies only to the artifact type, not to field values. This call finds file hashes across all the artifacts whose type contains "event" as a substring:

```python
phantom.collect(container, "artifact:*event*.cef.fileHash")
```

The following are example datapaths for action results.

Extract longitude from the results of the geolocate IP action.

Extract the number of positive detections from the results of the file reputation action using the VirusTotal app:

```python
phantom.collect(results, "action_result.data.*.positives")
```

Extract three items from the action results of the file reputation action using the Reversing Labs app:

```python
def file_reputation_cb(action, success, container, results, handle):
    data = phantom.collect(results, 'action_')
```

If you specify a list of datapaths for extracting data from action results, the results are formatted as a table, where each column represents the respective datapath. If you specify a single datapath as a string, Splunk SOAR returns the data corresponding to one column, and the result is a list rather than a table.
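As an added example (not part of the Splunk SOAR documentation above and not SOAR's own implementation), the following Python stand-in reproduces the datapath rules described on this page over constructed container and action-result JSON: the artifact:<type pattern>.<key path> form with a substring match on the artifact type only, the action_result.data.*.<field> form walked over a list of results, a string datapath returning a flat list versus a list of datapaths returning table rows, and limit=None falling back to the default of 2000. The sample data, the helper names _walk and _items, and the rule that list datapaths address the items of the first datapath are assumptions made for this illustration.

```python
"""Offline stand-in for the datapath semantics of Splunk SOAR's collect().
Added example: not SOAR's implementation. Data and helper names are constructed."""
from fnmatch import fnmatchcase

# Constructed sample container with three artifacts: two of type "event", one "alert".
CONTAINER = {
    "id": 1,
    "artifacts": [
        {"type": "event", "cef": {"fileHash": "hash-a"}},
        {"type": "event", "cef": {"fileHash": "hash-b", "sourceAddress": "10.0.0.1"}},
        {"type": "alert", "cef": {"fileHash": "hash-c"}},
    ],
}

# Constructed sample action results, shaped like a file reputation action's output.
RESULTS = [
    {"action_result": {"data": [{"md5": "hash-a", "positives": 5}]}},
    {"action_result": {"data": [{"md5": "hash-b", "positives": 0}]}},
]


def _walk(obj, parts):
    """Return every value reached by following the key parts from obj.
    A '*' part fans out over every element of a list (or every value of a dict)."""
    if not parts:
        return [obj]
    head, rest = parts[0], parts[1:]
    if head == "*":
        if isinstance(obj, list):
            children = obj
        elif isinstance(obj, dict):
            children = list(obj.values())
        else:
            children = []
        return [v for child in children for v in _walk(child, rest)]
    if isinstance(obj, dict) and head in obj:
        return _walk(obj[head], rest)
    return []


def _items(source, datapath):
    """Split a datapath into the top-level items it addresses and the key parts
    to walk inside each item.

    Container form "artifact:<type pattern>.<key path>": the pattern ("*" or
    "*event*") is matched against the artifact type only, never against field
    values. Action-result form "action_result.<key path>": walked on each result."""
    if datapath.startswith("artifact:"):
        type_pattern, _, key_path = datapath[len("artifact:"):].partition(".")
        artifacts = [a for a in source["artifacts"]
                     if fnmatchcase(a.get("type", ""), type_pattern)]
        return artifacts, key_path.split(".")
    return list(source), datapath.split(".")


def collect(source, datapath, limit=2000):
    """Mimic collect(): a string datapath yields a flat list; a list of datapaths
    yields rows with one column per datapath. limit=None means the default of
    2000, not unlimited (the cap is applied to values or rows in this illustration)."""
    if limit is None:
        limit = 2000
    if isinstance(datapath, str):
        items, parts = _items(source, datapath)
        return [v for item in items for v in _walk(item, parts)][:limit]
    if not datapath:
        return []
    resolved = [_items(source, dp) for dp in datapath]
    items = resolved[0][0]  # assumption: every datapath in the list addresses the same items
    rows = []
    for item in items:
        columns = [_walk(item, parts) for _, parts in resolved]
        for i in range(max(len(col) for col in columns)):
            rows.append([col[i] if i < len(col) else None for col in columns])
    return rows[:limit]


if __name__ == "__main__":
    print(collect(CONTAINER, "artifact:*event*.cef.fileHash"))  # hashes of "event" artifacts only
    print(collect(RESULTS, ["action_result.data.*.md5",
                            "action_result.data.*.positives"]))  # one row per result, two columns
```

The type pattern is applied with fnmatchcase, so "*event*" matches "event" but not "alert", while field values such as fileHash are never pattern-matched; that is the substring-only-on-type rule the page describes. A missing key simply yields no value rather than raising, which is what lets a single datapath run safely across artifacts with different CEF fields.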