add max_results field for find artifacts action

splunk-soar-connectors · Sep 23, 2024 · 9f0a460 · 9f0a460
1 parent 0904c47
commit 9f0a460
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/phantom.json b/phantom.json
@@ -606,6 +606,12 @@
                     "data_type": "string",
                     "order": 4,
                     "default": "current"
+                },
+                "max_results": {
+                    "description": "Maximum number of artifacts to return",
+                    "data_type": "numeric",
+                    "order": 5,
+                    "default": 10
                 }
             },
             "render": {
@@ -742,6 +748,13 @@
                     "example_values": [
                         1
                     ]
+                },
+                {
+                    "data_path": "action_result.parameter.max_results",
+                    "data_type": "numeric",
+                    "example_values": [
+                        2
+                    ]
                 }
             ],
             "versions": "EQ(*)"

diff --git a/phantom_connector.py b/phantom_connector.py
@@ -535,6 +535,7 @@ def _find_artifacts(self, param):
         limit_search = param.get("limit_search", False)
         container_ids = param.get("container_ids", "current")
         values = param.get('values', '')
+        max_results = param.get("max_results", ARTIFACT_MAX_RESULTS)
         if limit_search:
             container_ids = list(
                 set([
@@ -562,12 +563,11 @@ def _find_artifacts(self, param):
         url_enc_values = quote(values, safe='')
 
         if cef_key and exact_match:
-            endpoint = '/rest/artifact?_filter_cef__{}={}&page_size=0&pretty'.format(quote(cef_key, safe=''), repr(url_enc_values))
+            endpoint = f"/rest/artifact?_filter_cef__{quote(cef_key, safe='')}={repr(url_enc_values)}&page_size={max_results}&pretty"
         elif cef_key:
-            endpoint = '/rest/artifact?_filter_cef__{}__{}={}&page_size=0&pretty'.format(quote(cef_key, safe=''),
-                                                                                        "icontains", repr(url_enc_values))
+            endpoint = f"/rest/artifact?_filter_cef__{quote(cef_key, safe='')}__icontains={repr(url_enc_values)}&page_size={max_results}&pretty"
         else:
-            endpoint = '/rest/artifact?_filter_cef__{}={}&page_size=0&pretty'.format("icontains", repr(url_enc_values))
+            endpoint = f"/rest/artifact?_filter_cef__icontains={repr(url_enc_values)}&page_size={max_results}&pretty"
 
         if limit_search:
             endpoint += '&_filter_container__in={}'.format(container_ids)

diff --git a/phantom_consts.py b/phantom_consts.py
@@ -44,3 +44,5 @@
 PHANTOM_ERR_SPECIFY_IP_HOSTNAME = ("Accessing 127.0.0.1 is not allowed."
 " Please specify the actual IP or hostname used by the Phantom instance in the Asset config")
 PHANTOM_ERR_GET_VAULT_INFO = "Failed to get the vault info: {}"
+
+ARTIFACT_MAX_RESULTS = 10