Use a datapath in Splunk SOAR (On-premises)
You can use a datapath as an argument with a slash command. This makes slash commands flexible and powerful. Use the /inspect command to get the datapath to use with other slash commands.
Datapaths
A datapath is a series of names, keywords, attributes, and wildcards that evaluates to a list of values. These values can be attributes of artifacts or action results.
A datapath is described using this format:
<type>:<path.to.value_name>
Example of a datapath for an artifact attribute:
artifact:*.ip
Artifacts are indexed by their common event format (CEF) data, so only CEF data is available to use in datapaths. You cannot access other fields such as label or description.
Example of a datapath for action results:
action_result:data.*.longitude
For more information on datapaths, see collect in the Python Playbook API Reference for Splunk SOAR (On-premises).
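To make the wildcard semantics concrete, here is a small stand-alone resolver for the `<type>:<path.to.value_name>` format. It is an added example, not Splunk SOAR's own collect implementation; the artifact, action_result and app_run records it evaluates against are constructed sample data, and the implicit fan-out over every action result for a path that starts with a field name is an assumption about SOAR's behaviour.

```python
# Constructed sample records; not data from a real SOAR instance.
ARTIFACTS = [
    {"id": 1, "label": "event", "description": "first", "cef": {"ip": "2.2.2.2"}},
    {"id": 2, "label": "event", "description": "second", "cef": {"ip": "1.1.1.1", "fileHash": "abc"}},
]
ACTION_RESULTS = [
    {"data": [{"longitude": -122.4, "latitude": 37.8}]},
    {"data": [{"longitude": 12.5}, {"longitude": 41.9}]},
]
APP_RUNS = [{"id": 4}, {"id": 7}, {"id": 6}, {"id": 5}, {"id": 8}]

# Each datapath type maps to the collection it is evaluated against.
# Artifacts expose only their CEF block, mirroring the rule that label and
# description are not reachable through a datapath.
SOURCES = {
    "artifact": lambda: [a["cef"] for a in ARTIFACTS],
    "action_result": lambda: ACTION_RESULTS,
    "app_run": lambda: APP_RUNS,
}


def _walk(node, parts):
    """Yield every value reached by following `parts` from `node`.

    '*' fans out over a list's items (or a dict's values). A list met with a
    plain field name fans out implicitly, so 'action_result:data.*.longitude'
    is applied to every action result (assumed SOAR semantics, see lead-in).
    """
    if not parts:
        yield node
        return
    head, rest = parts[0], parts[1:]
    if isinstance(node, list):
        for item in node:
            yield from _walk(item, rest if head == "*" else parts)
    elif isinstance(node, dict):
        matches = node.values() if head == "*" else [node[head]] if head in node else []
        for child in matches:
            yield from _walk(child, rest)
    # A scalar reached before the path is exhausted matches nothing.


def resolve_datapath(datapath):
    """Evaluate '<type>:<path.to.value_name>' to a flat list of values."""
    dtype, sep, path = datapath.partition(":")
    if not sep or dtype not in SOURCES:
        raise ValueError(f"unsupported datapath: {datapath!r}")
    return list(_walk(SOURCES[dtype](), path.split(".")))
```

Records that lack the requested field simply contribute nothing, which is why `artifact:*.label` comes back empty even though every artifact has a label.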
Use the /inspect command
Use the /inspect command to examine artifacts and to look for datapaths you want to use with another slash command.
See the following example:
Examine an artifact to see if it has IP addresses in its CEF data.
/inspect artifact:*
The above example returns the following:
{u'ip': u'2.2.2.2'}
{u'ip': u'1.1.1.1'}
Because there is IP information in the artifact, you can access that information in another command with a datapath.
/action whois_ip "WHOIS" artifact:*.ips.*
See the following example:
Examine an action_run.
/inspect action_run:1
The command returns the action run information formatted as JSON:
{
  "comment": "",
  "node_guid": "d7c64d0f-fd0b-4d0b-8c68-34704ee91247",
  "playbook_run": null,
  "exec_order": null,
  "_pretty_owner": "admin",
  "creator": 1,
  "_pretty_undo": null,
  "assign_time": null,
  "create_time": "2019-12-12T00:32:20.600117Z",
  "playbook": null,
  "_pretty_playbook": "",
  "owner": 1,
  "message": "1 action succeeded",
  "action": "geolocate ip",
  "close_time": "2019-12-12T00:32:21.059521Z",
  "exec_delay_secs": 0,
  "container": 78,
  "_pretty_update_time": "17 minutes ago",
  "_pretty_has_app_runs": true,
  "id": 2,
  "targets": [
    {
      "app_id": 118,
      "parameters": [
        {
          "ip": "115.249.247.26"
        }
      ],
      "assets": [
        2
      ]
    }
  ],
  "due_time": "2019-12-11T21:59:05.213705Z",
  "version": 1,
  "type": "investigate",
  "status": "success",
  "update_time": "2019-12-12T00:32:21.059521Z",
  "handle": null,
  "_pretty_close_time": "17 minutes ago",
  "_pretty_container": "ASN Transaction",
  "_pretty_creator": "admin",
  "ip_address": "10.26.96.21",
  "_pretty_due_time": "Yesterday at 09:59 PM",
  "name": "user initiated geolocate ip action",
  "_pretty_redo": true,
  "_pretty_create_time": "17 minutes ago",
  "cancelled": null,
  "cb_fn": null
}
Get a list of all app_runs.
/inspect app_run:*.id
Returns:
4
7
6
5
8
You can use these app_run IDs with other commands or REST API calls.