
Passing json response swiftly over sub-playbook in SOAR

Ranjan Shrestha
April 28, 2025 12:12

Iterating over a JSON response to process and validate the data is the backbone of automation in SOAR. The response is filtered with a Filter block and iterated with a For-Each block. Using the two together well keeps the number of sub-playbook executions down, which in turn reduces the load on the docker containers that run them.

In this article we filter the selected key-value pairs out of a JSON response and iterate over the result, processing each row in a sub-playbook. The get-incident-data API action supplies the response, from which we keep only the ip and domain fields. Each ip/domain pair is passed through the For-Each block to a sub-playbook that looks up the malicious score reported by VirusTotal.

Before going into the details, the images below give an overview of the playbooks used in this article.

Main Playbook

filter_main_playbook.png

Sub Playbook

filter_sub_playbook.png

Trigger Type:

The trigger type is LogPoint SIEM Incidents, which means this playbook runs whenever the alert configured in the automation rule fires.

trigger_a.png
trigger_b.png

We fetch the default start_time, end_time, query and rows_count fields, and additionally incident_id and id, from the metadata of the triggered incident.

main_automation_alert.png

The alert configured in the automation rule is rsralert, so this playbook runs on every triggering of rsralert. More about triggering a playbook from an incident can be found here.

Fetching Incident Data:

Once the alert has triggered, the incident data is fetched with the LogPoint_Incident_Data_new API action, which is based on the incident API endpoint get_data_from_incident. This block fetches the logs (in JSON format) that caused rsralert to trigger. More about adding a new vendor and an action for its product can be found here.

get_incident_data_api.png

Filter block to filter selected pairs from API block

The response from the former API block contains unnecessary information.

incident_api_response.png

So we keep only the required values with a JsonPath filter expression. The expression below extracts only the ip_address and url_name values from the output of the API action and passes them on to the next block.

$.*['ip_address','url_name']

The JsonPath filter expression can be tested on sites such as https://jsonpath.com/ . Paste a sanitized sample there rather than a real incident response: the logs may contain internal hostnames, usernames or other data you do not want to send to a third-party site.

filter_block.png

Iterating over filtered rows

The filtered response contains multiple rows, so they are iterated with the For-Each block.

for_each.png
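The Filter and For-Each blocks are configured in the SOAR UI, not written as code. The following is an added example, not part of the original article or of Logpoint's product, that reproduces their logic in plain Python so the behaviour can be checked offline: a constructed incident-data response with the extra keys the article calls unnecessary, the same projection the expression $.*['ip_address','url_name'] performs, and a de-duplication step (an addition of this example, assuming the For-Each block should not call the sub-playbook twice for the same pair) that cuts down the number of sub-playbook executions. It assumes the Filter block yields one object per row with just those two keys, which is what the article's sub-playbook expects in ip_url_dict.

```python
import json

# Constructed sample of what the incident-data API action returns, trimmed to
# three rows. Only ip_address and url_name matter downstream; the other keys
# are the "unnecessary information" the Filter block drops.
INCIDENT_ROWS = json.loads("""
[
  {"log_ts": 1714290000, "device_name": "fw01", "ip_address": "198.51.100.23",
   "url_name": "example.com", "action": "allow", "sig_id": 1001},
  {"log_ts": 1714290005, "device_name": "fw01", "ip_address": "203.0.113.7",
   "url_name": "example.org", "action": "deny", "sig_id": 1002},
  {"log_ts": 1714290009, "device_name": "proxy02", "ip_address": "203.0.113.7",
   "url_name": "example.org", "action": "deny", "sig_id": 1002}
]
""")

WANTED = ("ip_address", "url_name")


def project_rows(rows, wanted=WANTED):
    """Equivalent of the Filter block expression $.*['ip_address','url_name']:
    keep only the wanted keys of every row. A row missing a key is kept with
    that key absent rather than raising, so one malformed log line does not
    abort the whole run; non-object entries are skipped."""
    out = []
    for row in rows:
        if not isinstance(row, dict):
            continue
        picked = {k: row[k] for k in wanted if k in row}
        if picked:
            out.append(picked)
    return out


def dedupe(rows):
    """Collapse identical ip/url pairs so the For-Each block hands each
    distinct pair to the sub-playbook (and VirusTotal) once, not once per log."""
    seen = set()
    out = []
    for row in rows:
        key = tuple(sorted(row.items()))
        if key not in seen:
            seen.add(key)
            out.append(row)
    return out


if __name__ == "__main__":
    # What the For-Each block would iterate over: two distinct pairs, not three rows.
    print(json.dumps(dedupe(project_rows(INCIDENT_ROWS)), indent=2))
```

The third sample row repeats the second, so after de-duplication the For-Each block iterates twice instead of three times; on a noisy alert with hundreds of identical log lines this is where most of the container load saving comes from.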

Sub-playbook

A sub-playbook is used so that each row is processed in a separate playbook run. On each iteration the row's values are passed to the sub-playbook filter sub playbook, where the processing takes place. The output of the Filter block, delivered one row at a time by the For-Each block, is the sub-playbook's input.

sub-playook_call.png

The sub-playbook must already exist before the main playbook can call it. Let's look at the components of filter sub playbook in detail.

Trigger Type

Since the sub-playbook is called by another playbook, its trigger type is playbook. It expects the filtered JSON row in the key ip_url_dict.

sub-playbook_trigger.png

Filters

The sub-playbook receives the JSON row with the keys ip_address and url_name. These values need to be separated for further processing, so one filter is used for each.

sub-playbook_filter_ip.png
sub-playbook_filter_url.png

Scan for maliciousness via VTScan

VirusTotal is used to scan the ip and the url (domain) for a maliciousness score. The vendor Virus Total is already integrated in SOAR, and we use the v3 product. A product instance must be initialized first with a name, the URL and the API key. Keep the API key in the product instance configuration rather than copying it into playbook fields.

vt_instance.png

The API reference for the ip lookup is https://docs.virustotal.com/reference/ip-info and the one used for url_name is the domain lookup, https://docs.virustotal.com/reference/domain-info, so the url_name values must be bare domain names rather than full URLs.

sub-playbook_vt_ip.png
sub-playbook_vt_domain.png

Each filter's output is passed to a separate API block, one scanning the ip and the other the domain.

sub-playbook_end.png

To pass the maliciousness score back, the End block of the sub-playbook is fed with the result of each API block, namely the path data.attributes.last_analysis_stats.malicious of the ip API block's output and of the url API block's output, under the keys ip_malicious and url_malicious respectively.
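Everything the sub-playbook does between its trigger and its End block is wired up in the UI; the following added example (not code from the article or from Logpoint) reproduces one iteration in Python. It assumes two constructed VirusTotal v3 responses shaped like the real ones down to the path the End block reads, a hypothetical lookup function standing in for each API block, and it adds two checks a practitioner would want that the article does not show: the ip and domain values come from logs, so they are syntax-checked before being sent to an external API, and a missing path in the response (unknown indicator, quota error) yields None instead of crashing the run.

```python
import ipaddress

# Constructed stand-ins for the two VirusTotal v3 API blocks. Real responses
# are much larger; only data.attributes.last_analysis_stats is reproduced.
VT_IP_RESPONSES = {
    "203.0.113.7": {"data": {"id": "203.0.113.7", "type": "ip_address",
                    "attributes": {"last_analysis_stats": {
                        "malicious": 12, "suspicious": 1, "harmless": 60, "undetected": 15}}}},
    "198.51.100.23": {"data": {"id": "198.51.100.23", "type": "ip_address",
                      "attributes": {"last_analysis_stats": {
                          "malicious": 0, "suspicious": 0, "harmless": 70, "undetected": 18}}}},
}
VT_DOMAIN_RESPONSES = {
    "example.org": {"data": {"id": "example.org", "type": "domain",
                    "attributes": {"last_analysis_stats": {
                        "malicious": 3, "suspicious": 0, "harmless": 65, "undetected": 20}}}},
    # example.com is deliberately absent to exercise the "no result" path.
}


def lookup_ip(ip):
    """Hypothetical stand-in for the VirusTotal ip-info API block."""
    return VT_IP_RESPONSES.get(ip, {"error": {"code": "NotFoundError"}})


def lookup_domain(domain):
    """Hypothetical stand-in for the VirusTotal domain-info API block."""
    return VT_DOMAIN_RESPONSES.get(domain, {"error": {"code": "NotFoundError"}})


def malicious_count(response):
    """Walk data.attributes.last_analysis_stats.malicious, the path the End
    block reads. Return None instead of raising if any level is missing."""
    node = response
    for key in ("data", "attributes", "last_analysis_stats", "malicious"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, int) else None


def looks_like_domain(value):
    """Cheap syntax check: dot-separated labels of letters, digits and '-'."""
    return bool(value) and len(value) <= 253 and all(
        label and all(ch.isalnum() or ch == "-" for ch in label)
        for label in value.split("."))


def sub_playbook(ip_url_dict):
    """One iteration of the For-Each block: receive ip_url_dict, segregate
    ip_address and url_name (the two Filter blocks), scan each, and return
    what the End block exposes as ip_malicious and url_malicious."""
    result = {"ip_malicious": None, "url_malicious": None}
    ip = ip_url_dict.get("ip_address")
    domain = ip_url_dict.get("url_name")
    if ip:
        try:
            ipaddress.ip_address(ip)          # reject junk before it hits the API
        except ValueError:
            ip = None
    if ip:
        result["ip_malicious"] = malicious_count(lookup_ip(ip))
    if looks_like_domain(domain):
        result["url_malicious"] = malicious_count(lookup_domain(domain))
    return result


def main_playbook(filtered_rows):
    """The main playbook's End block: each row plus the scores returned for it."""
    return [dict(row, **sub_playbook(row)) for row in filtered_rows]


if __name__ == "__main__":
    for row in main_playbook([
        {"ip_address": "203.0.113.7", "url_name": "example.org"},
        {"ip_address": "198.51.100.23", "url_name": "example.com"},
    ]):
        print(row)
```

In the real playbook a None score should be treated as "not scanned", not as "clean"; if the End block feeds a later decision (ticket priority, blocklist), compare against the number explicitly rather than relying on an empty value being falsy.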

End - Main Playbook

The End block of the main playbook is configured to receive the malicious scores from the sub-playbook.

main_end.png

After a successful execution, the end result looks like the image below.

runtime_end.png

 

As a reference, the playbook used in this article can be downloaded from here.

 

  • PLAYBOOK_kcs_filter_sub.zip (30 KB)
