Splunk SOAR: Let’s Get That Pin

By David Burns, Senior Soar Engineer

In a previous blog post, we introduced you to adding pins to the HUD. But what if you want to do something based off the information in the pin? Unless the pin was created within a custom code block or custom function, the pin id is blind to us. That means it’s hard to update or delete the pins natively.

We’re left to trying to stash that value somewhere in the container or pass it around. What if we want to get the value of the pin? As of version 6.2.0, there isn’t a native function to get that data. Let’s build our own custom function to accomplish this!

The meat of the function will be the container_pin endpoint.

While the documentation’s example uses POST, this endpoint has a full set of CRUD operations. That means using GET will retrieve the first 10 pins that it retrieves, with the data structure below.

ParameterTypeDescription  
Id Integer Id of the pin. Able to reference this pin directly by appending it to the endpoint

rest/container/42
pin_styleStringValues are:  
“grey” 
“blue” 
“red”  
create_time StringExample : 2023-05-15T22:39:23.464533Z
modified_timeString Example : 2023-05-15T22:39:23.464533Z
custom_fieldString The name of the custom field stored with in the container.
preset_metricStringIf the “pin_type” is set to “preset_metric” set the metric to use. Options are:

“remaining tasks”
“failed actions”
“failed playbooks”
“tasks exceeding sla”
“time to resolve”
orderIntegerPosition within the HUD
pin_typeStringIt will be one of the four following options. And which one is present will determine what other fields are present.

“data”
“manual card”
“custom field”
“preset metric”
ContainerIntegerWhich container the pin exists in.
authorIntegerThe user id of whoever created the pin
nameStringThe name of the pin when it was created
messageStringThe string to display above the value in data
dataStringThe value to display.
input_typeStringEither  
text
select
input_choicesJSON ListOnly if input_type is select, will this show the list of choices.
Example: [“one”, “two”, “three”]

If you were to just read the container_pin endpoint, you’d get swamped fast. It’s a better option to either move page to page or trying to parse the entire list with page_size=0. This means we need to use the endpoint filtering options. I highly recommend this “Cheat Sheet” to help filter down the options within the custom function.

First, you need to get all the pins that are part of a specific container.

Then, check each pin until you find the correctly named pin.

This is straight forward, yes. But there are ways to make this overall function a bit more robust, so you end up with something like this.

Now with this function, or something like it, you’ll have another way to pass information into playbooks. Imagine reading a pin that dictates what type of email to send when a playbook is kicked off. Or if you want to selectively pass IPs into a deeper investigation. The options are endless!