All,

I'm wondering if there's a way to stop a function from firing in the pre-process script?

Here's my use case:
I'm entering results of a QRadar search into a data table. However, sometimes instead of a username existing in these results it's a SID. So whenever a new row is created in the data table I have a rule->workflow setup that parses out what should be the username value and then searches LDAP with it to resolve the username (if it is infact a SID, otherwise it's a blank result). 
However, what I would like is if the 'username' value is a SID (they usually start/contain S-1-5, I think...), then perform the lookup. If the 'username' value is not a SID then don't do anything, as it should be a username then.

Let me know what you think!

Thanks!

------------------------------
Liam Mahoney
------------------------------

Would it make sense to configure the rule on the datatable that triggers the workflow to have a condition that checks if the username is a SID?


------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Thu September 26, 2019 05:03 PM
From: Liam Mahoney
Subject: Kill function in pre-process script

All,

I'm wondering if there's a way to stop a function from firing in the pre-process script?

Here's my use case:
I'm entering results of a QRadar search into a data table. However, sometimes instead of a username existing in these results it's a SID. So whenever a new row is created in the data table I have a rule->workflow setup that parses out what should be the username value and then searches LDAP with it to resolve the username (if it is infact a SID, otherwise it's a blank result). 
However, what I would like is if the 'username' value is a SID (they usually start/contain S-1-5, I think...), then perform the lookup. If the 'username' value is not a SID then don't do anything, as it should be a username then.

Let me know what you think!

Thanks!

------------------------------
Liam Mahoney
------------------------------

The most straightforward thing would be to not call the function if one already has a SID. Something like the attached workflow should do the trick.

For the `Is SID?` condition you can use "contains" with your format, or can make a Script condition that might match it in a fancier way, e.g. with a regex - whatever you need there.



------------------------------
Marty James
------------------------------

Original Message:
Sent: Thu September 26, 2019 05:03 PM
From: Liam Mahoney
Subject: Kill function in pre-process script

All,

I'm wondering if there's a way to stop a function from firing in the pre-process script?

Here's my use case:
I'm entering results of a QRadar search into a data table. However, sometimes instead of a username existing in these results it's a SID. So whenever a new row is created in the data table I have a rule->workflow setup that parses out what should be the username value and then searches LDAP with it to resolve the username (if it is infact a SID, otherwise it's a blank result). 
However, what I would like is if the 'username' value is a SID (they usually start/contain S-1-5, I think...), then perform the lookup. If the 'username' value is not a SID then don't do anything, as it should be a username then.

Let me know what you think!

Thanks!

------------------------------
Liam Mahoney
------------------------------

Marty,

Thank you for this! Now that I see it it seems rather obvious! 

Thanks again!

------------------------------
Liam Mahoney
------------------------------

Original Message:
Sent: Fri September 27, 2019 09:37 AM
From: Marty James
Subject: Kill function in pre-process script

The most straightforward thing would be to not call the function if one already has a SID. Something like the attached workflow should do the trick.

For the `Is SID?` condition you can use "contains" with your format, or can make a Script condition that might match it in a fancier way, e.g. with a regex - whatever you need there.

The default path from the exclusive gateway simply goes to the end in this case, but of course you may have further steps in your workflow.

------------------------------
Marty James

Original Message:
Sent: Thu September 26, 2019 05:03 PM
From: Liam Mahoney
Subject: Kill function in pre-process script

All,

I'm wondering if there's a way to stop a function from firing in the pre-process script?

Here's my use case:
I'm entering results of a QRadar search into a data table. However, sometimes instead of a username existing in these results it's a SID. So whenever a new row is created in the data table I have a rule->workflow setup that parses out what should be the username value and then searches LDAP with it to resolve the username (if it is infact a SID, otherwise it's a blank result). 
However, what I would like is if the 'username' value is a SID (they usually start/contain S-1-5, I think...), then perform the lookup. If the 'username' value is not a SID then don't do anything, as it should be a username then.

Let me know what you think!

Thanks!

------------------------------
Liam Mahoney
------------------------------

Ben,

I didn't realize at the time I could do this! This looks even better, I think I'll end up going this route. 

Thanks for pointing it out!

------------------------------
Liam Mahoney
------------------------------

Original Message:
Sent: Fri September 27, 2019 09:37 AM
From: Marty James
Subject: Kill function in pre-process script

The most straightforward thing would be to not call the function if one already has a SID. Something like the attached workflow should do the trick.

For the `Is SID?` condition you can use "contains" with your format, or can make a Script condition that might match it in a fancier way, e.g. with a regex - whatever you need there.

The default path from the exclusive gateway simply goes to the end in this case, but of course you may have further steps in your workflow.

------------------------------
Marty James

Original Message:
Sent: Thu September 26, 2019 05:03 PM
From: Liam Mahoney
Subject: Kill function in pre-process script

All,

I'm wondering if there's a way to stop a function from firing in the pre-process script?

Here's my use case:
I'm entering results of a QRadar search into a data table. However, sometimes instead of a username existing in these results it's a SID. So whenever a new row is created in the data table I have a rule->workflow setup that parses out what should be the username value and then searches LDAP with it to resolve the username (if it is infact a SID, otherwise it's a blank result). 
However, what I would like is if the 'username' value is a SID (they usually start/contain S-1-5, I think...), then perform the lookup. If the 'username' value is not a SID then don't do anything, as it should be a username then.

Let me know what you think!

Thanks!

------------------------------
Liam Mahoney
------------------------------