IBM Security
I am new to IBM SOAR and I am trying to run a demo using the Virus Total predefined playbook.
I need to add a condition point that looks into the vt_scan_results and returns True if 'malicious' is greater than 0 and returns False if ('malicious': 0)
If the result is True I will write the artifact value to a reference set on QRadar, else go to the endpoint.
The predefined function and scripts are as below:
It looks like you're really close! I can't tell exactly what would work for you, but I can give you general guidance that hopefully will get you to the proper place.
You'll switch the condition type of your "Condition Point" to be a "Script builder" rather than "Condition builder". From there, the goal is to set the value of a variable results to True in one case, and False in all other cases.
I don't know what part of the results will contain the "malicious" information, but something to the effect of:
There could be more to it, obviously. The key is just to eventually set results.
Just would like to add: if you need to pass data between nodes, for example the IP address or the result processed by the script node to the "Qradar Add Reference Set Item" function, you can use playbook.addProperty(<propertyName>, <propertyValue>) in the script node, and then use playbook.properties.<propertyName> to get the value as the function input.
See more details here: https://www.ibm.com/docs/en/sqsp/50?topic=scripts-playbook-operations
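The following is an added example, written for this thread rather than taken from the original posts or from IBM's SOAR code. It puts together the two replies above: a Script builder condition that sets a boolean from the VirusTotal output, and the playbook.addProperty call that hands the artifact value and the detection count to the downstream "Qradar Add Reference Set Item" function. Several things are assumptions: that the function output arrives in a variable named vt_scan_results, that it carries VirusTotal API v3 JSON with an integer malicious counter under last_analysis_stats (possibly nested under a content key, which is why the helper searches recursively), that the script can read the artifact as artifact.value, and that playbook.addProperty and playbook.properties behave as the linked docs describe. The _StubPlaybook class and the sample results are constructed so the code runs outside SOAR; in the real script node you would keep only the helper functions and the final results = ... assignment.

```python
import types


def find_malicious_count(result):
    """Return the integer 'malicious' counter found in a nested dict/list,
    preferring VirusTotal's last_analysis_stats block. Returns None when
    no usable counter is present (for example a scan that is still queued).
    The nesting is an ASSUMPTION about the SOAR function's output shape."""
    if isinstance(result, dict):
        stats = result.get("last_analysis_stats")
        if isinstance(stats, dict) and isinstance(stats.get("malicious"), int):
            return stats["malicious"]
        if isinstance(result.get("malicious"), int):
            return result["malicious"]
        for value in result.values():
            found = find_malicious_count(value)
            if found is not None:
                return found
    elif isinstance(result, list):
        for item in result:
            found = find_malicious_count(item)
            if found is not None:
                return found
    return None


def is_malicious(result):
    """True only when at least one engine flagged the sample. A missing
    counter yields False (the 'clean' branch) instead of raising inside
    the condition node; the stored vt_malicious_count lets a later node
    tell 'no result' apart from 'zero detections'."""
    count = find_malicious_count(result)
    return count is not None and count > 0


def evaluate_condition(vt_scan_results, artifact_value, playbook):
    """Body of the Script builder condition. Stores what the next node
    needs via playbook.addProperty (read back as playbook.properties.<name>)
    and returns the boolean that the script must assign to `results`."""
    count = find_malicious_count(vt_scan_results)
    playbook.addProperty("vt_malicious_count", count if count is not None else 0)
    playbook.addProperty("indicator_value", artifact_value)
    return count is not None and count > 0


class _StubPlaybook:
    """Constructed stand-in for the SOAR-injected `playbook` object so the
    example runs offline. Only the two calls used above are mimicked."""

    def __init__(self):
        self.properties = types.SimpleNamespace()

    def addProperty(self, name, value):
        setattr(self.properties, name, value)


# Constructed sample outputs (not real VirusTotal data, not real SOAR output).
SAMPLE_MALICIOUS = {"content": {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 7, "suspicious": 1,
                            "undetected": 60, "harmless": 0}}}}}
SAMPLE_CLEAN = {"content": {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 0, "suspicious": 0,
                            "undetected": 68, "harmless": 0}}}}}
SAMPLE_PENDING = {"content": {"data": {"attributes": {"status": "queued"}}}}


if __name__ == "__main__":
    pb = _StubPlaybook()
    # Inside the real SOAR script node the last line would be:
    # results = evaluate_condition(vt_scan_results, artifact.value, playbook)
    results = evaluate_condition(SAMPLE_MALICIOUS, "198.51.100.23", pb)
    print(results, pb.properties.vt_malicious_count, pb.properties.indicator_value)
```

With the stub, the malicious sample returns True and stores vt_malicious_count 7 and the indicator value, the clean sample returns False, and the queued sample also returns False while leaving vt_malicious_count at 0. If your deployment should treat an incomplete scan differently from a clean one, branch on playbook.properties.vt_malicious_count (or add a separate property for the status) in a later node rather than overloading the single True/False condition.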