Hi Mark,
Thanks for the help on my earlier confusion. Following your guide on how to do the repetitive API lookup, I have created two separate playbooks, where one does the parsing (IOC parser, Email Parser) and the other does the lookup:
The first playbook is responsible for parsing content from the attachment.
The second playbook is for querying the result from the API lookup.
Currently the problem is that I am unable to filter the type of artifact generated by the IOC parser, thus adding a lot of garbage into the second playbook's input (i.e. incorrectly regexed items that are labelled as "file name"). Is there any way for me to access how Resilient filters the artifact type?
My goal is essentially to reduce the number of calls to the second playbook by only passing relevant artifact types and eliminating the other unnecessary ones.
I have found an old thread which uses ("searchex_endpoint") at this link, but I can no longer find the package in App Exchange. Other than that thread, I did not find any clue on how to access the filter for the artifact type.
Also, I have currently found an issue when creating a new discussion post, whereby I am not able to fill in the body of the post, hence why I am replying to this thread instead.
Regards,
Luqman
------------------------------
Luqman Nur
Techlab
------------------------------
Original Message:
Sent: Fri December 23, 2022 07:11 AM
From: Mark Scherfling
Subject: Making repeated API lookup in playbook
Hi Luqman,
You are correct. Use an automatic playbook triggered when the artifact is created from your first playbook.
Good luck.
Mark
------------------------------
Mark Scherfling
Original Message:
Sent: Fri December 23, 2022 03:27 AM
From: Luqman Nur
Subject: Making repeated API lookup in playbook
Hi Mark,
Thanks for the link suggestion and the explanation given. From what I understand, the guide shows that every time an artifact is created, the playbook will run, thus possibly sending the artifact (i.e. the URL) to the lookup function. So instead of what I am doing currently, which is sending the function output to a lookup function within the same playbook, I should create another playbook that will check the IOC output, which should be in the Artifacts tab (when I apply the script incident.addArtifact("The IOC parser result")). Is this correct?
Best Regards,
Luqman
------------------------------
Luqman Nur
Techlab
Original Message:
Sent: Thu December 22, 2022 01:19 PM
From: Mark Scherfling
Subject: Making repeated API lookup in playbook
Hi Luqman,
I believe what you need is a way to loop over the results returned (malaysiaairlines.com, tlsoc1.zohodesk.com, SI2PR04MB4763.apcprd04.prod.outlook.com) and send each to a follow-on function for processing. Unfortunately, we currently don't support looping within a playbook.
An alternative approach is to create new artifacts for each value (in a script: incident.addArtifact('URL', 'malaysiaairlines.com')) and then have another playbook automatically execute with your lookup action. The good news is that this approach allows you to return the lookup results as Hits. See this blog post for more information on that capability: https://community.ibm.com/community/user/security/blogs/sam-wang/2021/12/06/decorate-artifacts-using-soar-functions-in-v43?CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e
Hope this helps.
Regards,
Mark
------------------------------
Mark Scherfling
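As an added example (not code from this thread or from IBM), the following SOAR-style script shows how the per-value addArtifact approach Mark describes can be combined with the type filtering Luqman asks about above: only artifact types that have a validator are created, mislabelled values (e.g. text the parser's regex caught as a "File Name") are dropped, and duplicates are collapsed, so the lookup playbook only fires on relevant artifacts. The parser output shape, the artifact type names and the sample values are assumptions; in a SOAR script the call would be publish(results, incident.addArtifact).

```python
import ipaddress
import re

# Constructed sample of the parser output (assumed shape: artifact type -> list of strings).
IOC_RESULTS = {
    "DNS Name": ["malaysiaairlines.com", "tlsoc1.zohodesk.com", "not a host!", "malaysiaairlines.com"],
    "IP Address": ["203.0.113.10", "999.1.1.1"],
    "File Name": ["image001.png", "Regards,"],  # noisy type: no validator, so dropped
    "Malware MD5 Hash": ["d41d8cd98f00b204e9800998ecf8427e", "zz"],
}

HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

# A type is forwarded only if it has a validator here; the validator drops values the
# parser's regex mislabelled. Type names are assumed; match your instance's artifact types.
VALIDATORS = {
    "DNS Name": lambda v: bool(HOSTNAME_RE.match(v)),
    "IP Address": is_ip,
    "Malware MD5 Hash": lambda v: bool(MD5_RE.match(v)),
}

def select_artifacts(results, validators=VALIDATORS):
    """Return deduplicated (type, value) pairs that pass the allowlist and validator."""
    seen, selected = set(), []
    for ioc_type, values in results.items():
        check = validators.get(ioc_type)
        if check is None:
            continue
        for value in (v.strip() for v in values):
            key = (ioc_type, value.lower())
            if check(value) and key not in seen:
                seen.add(key)
                selected.append((ioc_type, value))
    return selected

def publish(results, add_artifact):
    """Create one artifact per selected pair; in SOAR pass incident.addArtifact as add_artifact."""
    pairs = select_artifacts(results)
    for ioc_type, value in pairs:
        add_artifact(ioc_type, value, "From IOC parser (filtered)")
    return len(pairs)
```

Each artifact created this way triggers the automatic lookup playbook once, so the validators are where the garbage is stopped before it costs an API call.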
Original Message:
Sent: Wed December 21, 2022 10:24 PM
From: Luqman Nur
Subject: Making repeated API lookup in playbook
Hi IBM community,
I have a current playbook that has lookup functions which check .eml content and pass it to several API lookup tools that pass back the results, and using the utility functions it generates a .txt file.
Currently my implementation allows a single lookup, which is not a problem when dealing with something like an email header, but I want to pass the result from the IOC parser, which has multiple nested lists of IOC objects, to the lookup tool. Is there any way to do this in the current playbook implementation?
My current playbook is the following:
Here I don't connect the IOC to the other lookup tool yet, because I have yet to find out how to send the IOC result to the lookup functions.
Below is a snippet of part of the IOC parser result:
------------------------------
Luqman Nur
Techlab
------------------------------