Playbooks work with data values from the playbook's container, its artifact CEF values, the results of an action or playbook that was previously run, or static data. You specify this data using datapaths within most playbook blocks.

For details on how users pick datapaths in the Visual Playbook Editor, see Specify data in your playbook.

Datapaths have the same general structure, shown in the figure below and described here. Datapaths with CEF fields are described in the next section, Datapaths and CEF fields.

- The name before the last colon describes the data's location. Examples include: artifact, custom_function, playbook_input, and an action block name like run_query_1.
- The datapath might contain multiple names before the last colon, that indicate block names in your playbook.
- Everything after the last colon is the JSON-compatible structure for the data's location.
- Periods (.) denote moving down a layer into the data structure.

If the data is not an array or a list, there is no asterisk.

The example shown in the attached figure has the following specific structure:

- artifact denotes the object where the data is located.
- The asterisk (*) denotes that you are iterating through all artifacts, rather than just one.
- The period (.) moves you down one layer.
- severity is the data for the artifact's security code.

Attempts to access the value at that location and return a list of values based on how many artifacts it searched. If that data path is empty, returns a list of None values.

Common Event Format (CEF) fields are a system of key-value pairs with data about artifacts. For details about CEF fields, see Create custom CEF fields in.

Datapaths with CEF fields are similar to other datapaths described in the previous section, but they include cef within the datapath and usually have at least two period separators.

The example shown in the figure has the following specific structure:

- The first period (.) moves you down one layer.
- cef is the cef key, denoting a CEF field.
- The second period (.) moves you down another layer into the data.
- sourceHostName is the key for the source's host name.

The Playbook API uses a variety of datapaths. The following table lists some of the important datapaths used in, including their classification, description, and which APIs support them:

- Refers to a field in the artifact that uses one or more Common Event Format (CEF) fields as an input parameter of an action. In the phantom.act() API, the auto-generated code uses the hidden parameter context that helps identify which artifact is used to run the action. The context parameter attaches a reference to the artifact that can then later be retrieved from the results. Each instance of context has a unique GUID and an optional parent_action. For example, geolocate_ip_1:artifact implies an artifact_id whose field is used as an input parameter for a particular action.
- Refers to a field in the artifact that was filtered from a previous decision block.
- Refers to a field in the action result object.
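The datapath structure described above, as an added Python example that is not part of the original page and is not the platform's own resolver: it splits a datapath at the last colon, walks the period-separated keys, expands the asterisk over every artifact, and returns None where a field is absent. The datapaths `artifact:*.severity` and `artifact:*.cef.sourceHostName`, the function names, and the sample artifacts are assumptions constructed for illustration.

```python
# Added illustration: a minimal datapath resolver (not the platform's implementation).

def parse_datapath(datapath):
    """Return (names before the last colon, period-separated keys after it)."""
    location, sep, path = datapath.rpartition(":")
    if not sep or not location or not path:
        raise ValueError(f"not a datapath: {datapath!r}")
    return location.split(":"), path.split(".")


def _walk(node, keys):
    """Follow keys down the structure; '*' iterates a list, a miss yields None."""
    if not keys:
        return [node]
    key, rest = keys[0], keys[1:]
    if key == "*":
        if not isinstance(node, list):
            return [None]
        return [value for item in node for value in _walk(item, rest)]
    if isinstance(node, dict) and key in node:
        return _walk(node[key], rest)
    return [None]


def resolve(datapath, sources):
    """Look up the location name, then walk the path; one result per artifact."""
    names, keys = parse_datapath(datapath)
    location = ":".join(names)
    if location not in sources:
        raise KeyError(f"unknown data location: {location}")
    return _walk(sources[location], keys)


# Constructed sample data (assumption): three artifacts, one lacking sourceHostName.
SOURCES = {
    "artifact": [
        {"severity": "high", "cef": {"sourceHostName": "ws-014"}},
        {"severity": "low", "cef": {"sourceAddress": "10.0.0.7"}},
        {"severity": "medium", "cef": {"sourceHostName": "db-02"}},
    ],
}

if __name__ == "__main__":
    for dp in ("artifact:*.severity", "artifact:*.cef.sourceHostName",
               "artifact:*.cef.destinationPort"):
        print(dp, "->", resolve(dp, SOURCES))
```

The None entries keep the result aligned with the artifacts searched, so a playbook should filter them out before passing the values to an action.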