Solved: How to force blocks to only send one output to a p...

Daniel_Acevedo · 01-23-2025 08:59 AM

Say I have a block with 4 possible paths, but only 1 path will ever run. The way secops blocks are set up I have an output for each path, so output_1 - output_4. When I try pulling the json result of this block in a parent playbook, I'm able to select any of these 4 possible json outputs as input. This requires me to add an additional step to go through all 4 and see which one isn't empty, making my playbook much larger than it needs to be. Is there a way to make a block only return the output from the path that was run? In other words, say my block as those 4 possible outputs, is there a way to "collate" my results into one output so the playbook can just pull from this same output every time? Thanks!

SoarAndy

In your second image, those 3 refer to the specific Actions in the playbook, all of which are accessible by design.

If you want the output (regardless of the path it took to get there) look for the Block ReturnValue

View solution in original post

mccrilb

Maybe force the playbook to only have one output? You could take each unused output and use a string function that say, converts the EXAMPLE text to lower case. then drag that dummy function to tie to the output that you want.

I use the scope context function to create either alert or case variables to pass info from playbook to playbook.

SoarAndy

I can't reproduce

I have a playbook, I dragged in a Block that has 4 outputs

In the playbook, when I reference the output, I only have 1 output

Can you show images please

Daniel_Acevedo

The first image shown here is from the block showing the 3 paths that can be taken at the end once my queries have run. The context is that I'm running a tanium query for md5, sha1, and sha256 hashes. Only one of these queries will succeed, and the json result of the other 2 should be null/blank. At the end I check which one is not empty and return that as the output for that path.

The second image is my insert placeholder tab in a parent playbook for an action that comes right after the block from the first image, and as you can see it's still allowing me to select any of the 3 options as input. I would need to do the same check I did in my block in the parent playbook which would be redundant. I'm wondering if there's a way within the block to assign the json output I deem not empty as the sole output for the block. This way, the playbook always just grabs this one output and never has to check all 3.

SoarAndy

In your second image, those 3 refer to the specific Actions in the playbook, all of which are accessible by design.

If you want the output (regardless of the path it took to get there) look for the Block ReturnValue

shubhamagar

For exp: If this ReturnValue is outputs a dictionary, how to access certain values there ? how to parse this output and use it in next action blaocks ?

SoarAndy

Correct, Block return output (and also the value of "get Context") will return in a string form.
Use the Action 'Buffer' to convert the Block ReturnValue back to a JSON object, then access [Buffer.JsonResult | "key"] as normal etc

New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps

How to force blocks to only send one output to a parent playbook