SPLK-2003 Formatted Output and Data Access

Formatted Output and Data Access Detailed Explanation

In Splunk SOAR, automation isn't just about doing things — it's also about communicating clearly what was done, what was found, and what it means. That’s where formatted output and data access come into play.

1. Formatted Output

Playbooks often generate results (like IP reputation scores, usernames, domain info, etc.). These results can be turned into alerts, messages, or summaries using Format Blocks.

What is a Format Block?

A Format Block is a special step in a playbook that lets you build clean, readable messages using:

• Text templates

• Variables from previous blocks

• Data pulled from artifacts, actions, or inputs

Instead of sending messy JSON or raw data, you build messages that are easy to read and act on.

Message Templates

You can combine static text (hardcoded) and dynamic variables (pulled from the event or playbook) into a message.

Example Template:

"Malicious IP detected: {artifact:*.cef.destinationAddress}"

• {artifact:*.cef.destinationAddress} is a variable.

• It gets replaced with the actual IP address extracted from the event.

Other variables might include:

• {container.name} – the name of the event or case.

• {action_result.data} – result from a previous action.

Templates help deliver actionable intelligence in plain language.

Multiline Formatting

You can write messages that span multiple lines — useful for:

• Case summaries

• Email alerts

• Slack notifications

• Audit logs

Example:

Incident Summary:
- Event: {container.name}
- Severity: {container.severity}
- Affected IP: {artifact:*.cef.destinationAddress}
- Analyst: {user.name}

The result is a clean, structured message instead of a wall of JSON.

Output Channels

Formatted messages can be sent to many places, including:

• Email: Notify SOC team or manager.

• Slack / Microsoft Teams: Send updates to a specific channel.

• Ticketing Systems: Add information to Jira, ServiceNow, etc.

• Case Timeline Logs: Record a summary of playbook activity.

• Custom Dashboards: Show results in visual dashboards for SOC leads.

Format Blocks help your automation communicate effectively with both humans and systems.

2. Accessing Data

To format messages or make decisions, playbooks need to access data — both from incoming events and from previous steps.

Phantom Functions

Splunk SOAR provides special Python functions for accessing and manipulating data in playbooks (especially in code blocks).

1. phantom.collect2()

• Collects specific data from:

  • Artifacts

  • Action results

  • Custom fields

Example:

phantom.collect2(container=container, datapath=["artifact:*.cef.sourceAddress"])

• This collects all source IPs from the container’s artifacts.

2. phantom.debug()

• Used to print variables and data into the playbook logs for troubleshooting.

Example:

phantom.debug("IP Reputation: {}".format(reputation_score))

This is especially helpful when testing or debugging new playbooks.

Variables and JSON Access

Much of the data in SOAR is structured like JSON, so you access it using keys or dot notation.

Examples:

results[0]['summary']['status']

• Gets the status from the summary of the first result.

action_result.get("data", [{}])[0].get("risk_score")

• Gets the risk_score from a previous action result.

You can use these variables in code blocks, decision logic, or format templates.

3. Use Cases

Let’s explore how formatted output and data access are used in real-world playbooks:

a. Display Formatted Results to Users

• When a prompt is shown to an analyst, include a summary of findings.

• Makes it easier for them to make informed decisions.

b. Log Summaries to Case Timeline

• After a playbook runs, use a Format Block to write a summary message into the case timeline:

  • “Blocked IP 192.168.1.50 on Palo Alto”

  • “User account jsmith was disabled after suspicious activity”

c. Create Incident Reports for External Systems

• Format a message and send it to:

  • Jira (for ticket creation)

  • ServiceNow (for change tracking)

  • Email (for compliance or management reports)

This ensures your incident response is documented and shareable.

Summary

Feature	Purpose
Format Block	Builds readable output from raw data
Message Templates	Combines text and variables into clear messages
Multiline Formatting	Creates structured summaries or notifications
Output Channels	Sends messages to email, Slack, tickets, dashboards, or logs
phantom.collect2()	Collects data from artifacts and action results
phantom.debug()	Outputs debug info to logs for troubleshooting
JSON Access	Allows deep inspection of results and decision making in playbooks

Formatted Output and Data Access (Additional Content)

1. Variable Scope and Accessibility

Understanding where and how variables can be used is crucial for successful playbook design and troubleshooting.

Key Clarification:

Variables in Splunk SOAR playbooks have different scopes depending on how and where they were created:

• Local Variables in Code Blocks:
  These are only usable within the same block where they are defined.
  Example:

  ip_list = ["1.2.3.4"]  # Only available in this code block
  

• Action Results:
  These are accessible in later blocks only if you use datapaths or collect them explicitly.

• Global Context via phantom.save_run_data() and phantom.collect2():
  Variables stored using save_run_data() can be accessed in Format Blocks and other code blocks using phantom.collect2().

Sample Usage:

phantom.save_run_data(key="filtered_ips", value=filtered_ips)

Then in Format Block:

"IPs in scope: {run_data.filtered_ips}"

Exam Tip: "Which method allows passing a filtered variable list between blocks?"
Correct answer: phantom.save_run_data() + run_data.variable_name in Format Block.

2. Content Types Supported by Format Blocks

Format Blocks in SOAR are powerful but not all content types are equally supported, and this is a common point in technical exam questions.

Content Type	Supported	Notes
Plain Text	Yes	Default output method
HTML	Yes	Used especially for email formatting or dashboards
Markdown	Partially	Some outputs (e.g., Slack, Teams) render markdown formatting
Raw JSON	No	JSON must be preprocessed in a Code Block and rendered as string

Clarifying Sentence: "Format Blocks support plain text, HTML, and limited Markdown rendering; they do not directly output structured JSON unless first converted to string format via code."

Example for HTML Formatting:

"<b>Malicious IP Detected:</b> {artifact:*.cef.destinationAddress}"

Example for Markdown (limited):

**Source IP:** {artifact:*.cef.sourceAddress}

3. Combining Code Blocks and Format Blocks

In advanced use cases, raw data must be filtered, cleaned, or calculated in a Code Block before it is used in a Format Block.

Use Case:

1. In a Code Block, filter only internal IPs:

internal_ips = [ip for ip in all_ips if ip.startswith("192.")]
phantom.save_run_data(key="internal_ips", value=internal_ips)

2. In a Format Block, use the result:

"Internal IPs detected: {run_data.internal_ips}"

This technique allows:

• More control over output content

• Reuse of complex logic without cluttering the Format Block

• Cleaner separation of logic (processing vs. presentation)

Exam Tip: "Which sequence allows dynamic message building from filtered IPs?"
Correct answer: Code Block to filter > phantom.save_run_data() > Format Block using {run_data.key}

Summary

Topic	Key Point
Variable Scope	Only explicitly saved variables (run_data) persist across blocks
Format Block Types	Text, HTML, Markdown supported; JSON needs preprocessing
Format + Code Combo	Use phantom.save_run_data() to pass logic output into Format Blocks