Run an action in

Analysts can use the /action command to quickly run one of the actions supports.

Actions run with /action are the same actions that are found in the Run Action dialog box, but the names of the actions are formatted with underscores ( _ ) instead of spaces. For example, the action geolocate ip becomes geolocate_ip.

The Run Action dialog box guides you through selecting the information an action requires. Using the command line interface requires you to provide the same information as arguments to the /action command.

When you type /action in the comment field of the activity sidebar, a tooltip-style dialog appears to guide you through adding arguments, or you can use the --help argument to get a message with help information as shown here:

/action geolocate_ip "MaxMind" --help

PhBot returns the following help message:

usage: /action geolocate_ip [app] <required arguments> [--asset asset...]
[--optional arguments]

Queries MaxMind for IP location info

required arguments:
ip IP to geolocate

The command-line interpreter validates arguments with the /action command. Incorrect arguments generate an error message to help you fix the arguments as shown in the following example:

/action whois_domain "WHOIS" splunk.com

The following error message is returned for the example:

/action whois_ip "WHOIS" a.b.not_an_ip

Use a list with the /action command

You can perform actions on lists of items by passing the list as an argument as shown in the following example:

/action geolocate_ip "MaxMind" ["1.1.1.1", "2.2.2.2"]

Lists must be presented in valid Python syntax, so individual items must be in quotation marks ( " ).

Passing the /action command multiple lists or datapaths, or a mix of lists and datapaths, results in a product. For example, [1, 2] [3, 4] results in four action runs: (1, 3), (1, 4), (2, 3), and (2, 4).