IBM Security QRadar SOAR

  • 1.  Making repeated API lookup in playbook

    Posted Wed December 21, 2022 10:25 PM
    Edited by Luqman Nur Thu December 22, 2022 01:02 AM
    Hi IBM community,

    I have a current playbook that has lookup functions that check .eml content and pass it to several API lookup tools, which pass back the result, and using the utility functions it will generate a .txt file.

    Currently my implementation allows a single lookup, which is not a problem when dealing with something like an email header, but I want to pass the result from the IOC parser, which has multiple nested lists of IOC objects, to the lookup tool. Is there any way to do this in the current playbook implementation?

    My current playbook is the following:

    where I don't connect the IOC to the other lookup tool yet, because I have yet to find how to send the IOC result to the lookup functions.

    Below is a snippet of the IOC parser result:



    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------


  • 2.  RE: Making repeated API lookup in playbook

    Posted Thu December 22, 2022 01:19 PM
    Hi Luqman,

    I believe what you need is a way to loop over the results returned (malaysiaairlines.com, tlsoc1.zohodesk.com, SI2PR04MB4763.apcprd04.prod.outlook.com) and send each to a follow-on function for processing. Unfortunately, we currently don't support looping within a playbook.

    An alternative approach is to create new artifacts for each value (in a script: incident.addArtifact('URL', 'malaysiaairlines.com')) and then have another playbook automatically execute with your lookup action. The good news is that this approach allows you to return the lookup results as Hits. See this blog post for more information on that capability: https://community.ibm.com/community/user/security/blogs/sam-wang/2021/12/06/decorate-artifacts-using-soar-functions-in-v43?CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e


    Hope this helps.
    Regards,
    Mark

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: Making repeated API lookup in playbook

    Posted Fri December 23, 2022 03:27 AM

    Hi Mark,

    thanks for the link suggestion and the explanation given. From what I understand, the guide shows that every time an artifact is created, the playbook will run, thus possibly sending the artifact (i.e. the URL) to the lookup function. So instead of what I am doing currently, which is sending the function output to a lookup function within the same playbook,

    I should create another playbook that will check the IOC output, which should be in the artifacts tab (when I apply the script incident.addArtifact(" The IOC parser result ")). Is this correct?

    Best Regards,

    Luqman



    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------



  • 4.  RE: Making repeated API lookup in playbook

    Posted Fri December 23, 2022 07:12 AM
    Hi Luqman,

    You are correct. Use an automatic playbook triggered when the artifact is created from your first playbook.

    Good luck.
    Mark

    ------------------------------
    Mark Scherfling
    ------------------------------
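    An added example of the first-playbook script the two replies above describe (this is not code from the thread or from IBM): it flattens the nested IOC-parser output into one artifact per unique value, so that an artifact-triggered second playbook can run the lookups. The parser output shape, the key-to-artifact-type mapping and the FakeIncident stand-in are assumptions; in a real SOAR script the `incident` object is supplied by the platform and `addArtifact(type, value, description)` is the call Mark's reply refers to.

    ```python
    """Added example (not the thread's or IBM's code): fan the nested IOC-parser
    output out into one SOAR artifact per value, so that an artifact-triggered
    second playbook can run the lookups.

    Assumed, not from the thread: the parser output shape, the key-to-artifact-type
    mapping and the FakeIncident stand-in. In a real SOAR script the `incident`
    object is supplied by the platform; addArtifact(type, value, description) is
    the call the reply above refers to.
    """
    from collections.abc import Iterable

    # Parser keys worth a lookup, mapped to the SOAR artifact type the second
    # playbook's activation condition filters on. Keys not listed here (the noisy
    # "file_names" bucket, for example) never become artifacts at all.
    ARTIFACT_TYPE_FOR_KEY = {
        "domains": "DNS Name",
        "ips": "IP Address",
        "urls": "URL",
    }

    # Constructed sample of a parser result with nested lists and a duplicate.
    SAMPLE_PARSER_OUTPUT = {
        "domains": [
            ["malaysiaairlines.com", "tlsoc1.zohodesk.com"],
            ["SI2PR04MB4763.apcprd04.prod.outlook.com", "malaysiaairlines.com"],
        ],
        "ips": ["203.0.113.10"],
        "urls": [["https://malaysiaairlines.com/login"]],
        "file_names": ["Content-Type: text/plain"],  # mis-labelled junk, ignored
    }


    def _flatten(values):
        """Yield leaf strings from an arbitrarily nested list structure."""
        if isinstance(values, str):
            yield values
        elif isinstance(values, Iterable):
            for item in values:
                yield from _flatten(item)


    def iocs_to_artifacts(parsed, existing=()):
        """Return ordered (artifact_type, value) pairs to add to the incident.

        Values are trimmed, DNS names lower-cased, and duplicates (including any
        pairs already on the incident, passed in via `existing`) are skipped so the
        lookup playbook does not fire twice for the same indicator.
        """
        seen = set(existing)
        pairs = []
        for key, artifact_type in ARTIFACT_TYPE_FOR_KEY.items():
            for raw in _flatten(parsed.get(key, [])):
                value = raw.strip()
                if artifact_type == "DNS Name":
                    value = value.lower().rstrip(".")
                if not value or (artifact_type, value) in seen:
                    continue
                seen.add((artifact_type, value))
                pairs.append((artifact_type, value))
        return pairs


    def create_artifacts(incident, parsed, description="Added by IOC parser playbook"):
        """Create one artifact per unique IOC and return how many were added."""
        pairs = iocs_to_artifacts(parsed)
        for artifact_type, value in pairs:
            incident.addArtifact(artifact_type, value, description)
        return len(pairs)


    class FakeIncident:
        """Constructed stand-in for SOAR's `incident` so the script runs offline."""

        def __init__(self):
            self.artifacts = []

        def addArtifact(self, artifact_type, value, description):
            self.artifacts.append((artifact_type, value, description))


    if __name__ == "__main__":
        inc = FakeIncident()
        print(create_artifacts(inc, SAMPLE_PARSER_OUTPUT), "artifacts added")
        for a in inc.artifacts:
            print(a)
    ```

    Only the keys in `ARTIFACT_TYPE_FOR_KEY` turn into artifacts, so the junk bucket never triggers the second playbook in the first place, and the dedupe keeps one indicator from firing the lookup playbook several times.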



  • 5.  RE: Making repeated API lookup in playbook

    Posted Thu December 29, 2022 01:38 AM
    Hi Mark,

    Thanks for the help with my earlier confusion. Following your guide on how to do the repetitive API lookup, I have created two separate playbooks, where one does the parsing (IOC parser, Email Parser) and the other playbook does the lookup.

    The first playbook is responsible for parsing content from the attachment

    The second playbook queries results from the API lookup

    Currently the problem is that I am unable to filter the type of artifact generated by the IOC parser, thus adding a lot of garbage into the second playbook input (i.e. incorrectly regexed items that are labelled as "file name"). Is there any way for me to access how Resilient filters the artifact type?
    My goal is essentially to reduce the number of calls to the second playbook by only passing the relevant artifact types and eliminating the other unnecessary ones.

    I have found an old thread which uses ("searchex_endpoint") at this link, but I can no longer find the package in the App Exchange. Other than that thread, I did not find any clue on how to access the filter for the artifact type.

    Also, I have currently found an issue with creating a new discussion post, whereby I am not able to fill in the body of the post, hence why I am replying to this thread instead.

    Regards,

    Luqman

    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------



  • 6.  RE: Making repeated API lookup in playbook

    Posted Thu December 29, 2022 09:48 AM
    Hi Luqman,

    Are you using the condition logic associated with a playbook? Here's a snapshot to limit the playbook to when the artifact is created and is one of a number of artifact types. Maybe something like this will work for you?



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 7.  RE: Making repeated API lookup in playbook

    Posted Fri December 30, 2022 04:16 AM
    Hi Mark,

    Thanks for the suggestion. I have followed your suggestion, and set the activation condition as below:


    After implementing this condition, I still received processed artifacts that are under the "File Name" type, as shown below:




    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------
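    An added example (not code from the thread or from IBM) of a guard for the lookup playbook that goes one step beyond the activation condition discussed in the last two posts: it checks the artifact value as well as the artifact type before anything is sent to the API, so a value the parser mis-labelled is dropped even when the type condition lets it through. The allowlist, the hostname pattern, the skipped address ranges and the sample artifacts are assumptions; in a real SOAR script the type and value come from the platform's `artifact.type` and `artifact.value`.

    ```python
    """Added example (not the thread's or IBM's code): a guard for the lookup
    (second) playbook that checks both the artifact type and the artifact value
    before an API call is made. An activation condition on type alone cannot
    catch values that the parser has mis-labelled, so the value itself is
    validated here as well.

    Assumed, not from the thread: the allowlist, the hostname pattern, the
    skipped address ranges and the sample artifacts. In a real SOAR script the
    type and value come from the platform's `artifact.type` and `artifact.value`.
    """
    import ipaddress
    import re
    from urllib.parse import urlsplit

    # Only these artifact types are ever sent to the lookup API.
    LOOKUP_TYPES = {"DNS Name", "IP Address", "URL"}

    # Labels of 1-63 chars, total length <= 253, alphabetic TLD of 2+ chars.
    _HOSTNAME_RE = re.compile(
        r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
        re.IGNORECASE,
    )

    # Address ranges no reputation service can say anything useful about.
    _SKIP_NETWORKS = [ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
    )]


    def _valid_dns(host):
        return bool(_HOSTNAME_RE.match(host))


    def _valid_ip(text):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return False
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
            return False
        return not any(ip in net for net in _SKIP_NETWORKS)


    def lookup_target(artifact_type, value):
        """Return the normalised value to query, or None when the artifact is skipped."""
        if artifact_type not in LOOKUP_TYPES:
            return None
        value = (value or "").strip()
        if artifact_type == "DNS Name":
            host = value.lower().rstrip(".")
            return host if _valid_dns(host) else None
        if artifact_type == "IP Address":
            return value if _valid_ip(value) else None
        # URL: only web schemes, and the host part must itself be a sane name or IP.
        parts = urlsplit(value)
        host = parts.hostname or ""
        if parts.scheme in ("http", "https") and (_valid_dns(host) or _valid_ip(host)):
            return value
        return None


    def select_for_lookup(artifacts):
        """Filter (type, value) pairs down to those worth an API call."""
        kept = []
        for artifact_type, value in artifacts:
            target = lookup_target(artifact_type, value)
            if target is not None:
                kept.append((artifact_type, target))
        return kept


    # Constructed sample mirroring the thread: real indicators plus parser junk.
    SAMPLE_ARTIFACTS = [
        ("DNS Name", "malaysiaairlines.com"),
        ("DNS Name", "SI2PR04MB4763.apcprd04.prod.outlook.com."),
        ("File Name", "malaysiaairlines.com"),   # right value, wrong type
        ("DNS Name", "Received: from mail"),      # wrong value, right type
        ("IP Address", "203.0.113.10"),
        ("IP Address", "10.0.0.5"),               # RFC 1918, pointless to query
        ("URL", "https://tlsoc1.zohodesk.com/portal"),
        ("URL", "ftp://tlsoc1.zohodesk.com/"),
    ]

    if __name__ == "__main__":
        for item in select_for_lookup(SAMPLE_ARTIFACTS):
            print(item)
    ```

    Calling `lookup_target(artifact.type, artifact.value)` at the top of the lookup script and returning early on `None` keeps the API call count down regardless of what the activation condition lets through, and the normalised value (lower-cased, trailing dot removed) also makes the returned Hits line up with the artifact they decorate.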