I have a use case that I am using which leverages fn_qradar_integration that dumps data into a data table from an artifact which seems I could also store in an output to use downstream. I can output the data to a data table fine but I'd like to see if someone is familiar with how to take the output into a downstream function (fn_utilities | shell command) input parameter which then updates my data table rows with results.
Ideal Workflow:
1) Function (fn_qradar_integration) collects data from a QRadar query and stores values to output and creates a data table.
Example of what is returned:
Result: {'events': [{u'Cyber_Detection_ID': '8179f649-c73a-4ee0-8710-5c2b856cf86a'}, {u'Cyber_Detection_ID': 'd4786850-7db1-44ac-80a2-8ed6abde8b11'}, {u'Cyber_Detection_ID': 'a2329d38-e500-4fbd-85da-a6ef71013da0'}, {u'Cyber_Detection_ID': '99bf9791-96d6-4488-965e-68add4ad35d9'}, {u'Cyber_Detection_ID': '0a8c0d1d-9028-4032-8bfb-bb28b87fb232'}, {u'Cyber_Detection_ID': '55429e87-4750-43b7-9000-43e727414996'}]}
2) Downstream function (fn_utilities | Shell Command) uses an output from the first function and passes as input(s) for shell_param1.
3) Post-process for my 2nd function referenced above would then take the results and update the data table rows for unpopulated fields that have the Cyber_Detection_ID (data returned from first function).
I'm open to other ideas on doing this which might be more efficient but I'm looking to avoid adding as artifacts so if it adds as notes, that's fine. I'm just not sure how to do it. Seems that the Data Table Helper function may help but thought I'd ask here first. Thanks!
------------------------------
Mr Coco
------------------------------
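
Added example, not part of the original post and not code from the fn_qradar_integration or fn_utilities packages: plain Python that takes a result shaped like the one quoted above, keeps only well-formed UUIDs before they are placed in shell_param1, and matches returned values back to rows by Cyber_Detection_ID. The comma-separated parameter, the "id,value" output lines, the row keys cyber_detection_id and status, and all function names are assumptions.

```python
import uuid

# Constructed sample in the shape of the result quoted in the post.
SAMPLE_RESULT = {"events": [
    {"Cyber_Detection_ID": "8179f649-c73a-4ee0-8710-5c2b856cf86a"},
    {"Cyber_Detection_ID": "d4786850-7db1-44ac-80a2-8ed6abde8b11"},
    {"Cyber_Detection_ID": "8179f649-c73a-4ee0-8710-5c2b856cf86a"},  # duplicate
    {"Cyber_Detection_ID": "abc; echo unexpected"},                  # malformed
]}

def detection_ids(result):
    """Unique, canonical UUID strings from the query result, in first-seen order."""
    ids = []
    for event in result.get("events", []):
        try:
            canonical = str(uuid.UUID(str(event.get("Cyber_Detection_ID"))))
        except ValueError:
            continue  # drop anything that is not a UUID before it nears a shell
        if canonical not in ids:
            ids.append(canonical)
    return ids

def build_shell_param(ids):
    """Single value for shell_param1 (assumed: the script splits on commas)."""
    return ",".join(ids)

def parse_shell_output(text):
    """Map ID -> value from assumed 'id,value' output lines; skip other lines."""
    results = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(",")
        if sep and value:
            results[key.lower()] = value.strip()
    return results

def pending_updates(rows, results):
    """(row index, value) for rows whose 'status' is empty and has a result."""
    updates = []
    for index, row in enumerate(rows):
        value = results.get(str(row.get("cyber_detection_id", "")).lower())
        if value and not row.get("status"):
            updates.append((index, value))
    return updates
```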