Iterating over a JSON response to process and validate the data is crucial; it is the backbone of automation in SOAR. The JSON response is filtered via the Filter block and iterated via the For-Each block. Efficient use of the For-Each and Filter blocks minimizes the number of sub-playbook executions and so reduces the workload on the Docker containers.
In this article, we will filter the selected key-value pairs from a JSON response and iterate over the result so that each row is processed by a sub-playbook. We use the get-incident-data API action to get the response and filter out the ip and domain values. The JSON with the ip and domain key pairs is passed via the For-Each block to the sub-playbook, which looks up the maliciousness score from VirusTotal.
Before proceeding to any explanation, below images provide the overview of playbook being used in this article.
Main Playbook
Sub Playbook
Trigger Type:
The trigger type is LogPoint SIEM Incidents, meaning this playbook is triggered whenever the alert configured in the automation rule fires.
We fetch the default start_time, end_time, query and rows_count fields, plus incident_id and id, from the metadata of the triggered incident.
The alert configured in the automation rule is rsralert, so this playbook runs every time rsralert triggers. More about triggering a playbook from an incident can be found here.
Fetching Incident Data:
Once the alert has triggered, the incident data is fetched via the LogPoint_Incident_Data_new API action. This action is based on the incident API endpoint get_data_from_incident. The block fetches the logs (in JSON format) responsible for triggering the alert rsralert. More about adding a new vendor and an action for its product can be found here.
Filter block to filter selected pairs from API block
The response from the API block above contains information we do not need, so we filter only the required values using a JsonPath Filter Expression. The expression below extracts only the ip_address and url_name values from the output of the API action and passes them to the next block.
$.*['ip_address','url_name']
The JsonPath Filter Expression can be tested using online test sites like https://jsonpath.com/
Iterating over filtered rows
The filtered response contains multiple rows, so they are iterated using the For-Each block.
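As an added example (not code from the article or from LogPoint), the following Python models what the Filter block and the For-Each block do to the incident data: it applies the equivalent of $.*['ip_address','url_name'] to a constructed sample response and then invokes a stand-in sub-playbook once per filtered row. The sample log fields other than ip_address and url_name, and the row shape (one dict per row with the two keys) are assumptions made to match the article's description; the exact output shape depends on the SOAR's JsonPath engine.

```python
import json

# Constructed sample of the JSON list returned by the get_data_from_incident
# action. Field names other than ip_address and url_name are illustrative
# (assumption) and stand for the data the Filter block is meant to drop.
SAMPLE_INCIDENT_DATA = json.dumps([
    {"ip_address": "198.51.100.23", "url_name": "example.test",
     "log_ts": 1700000000, "device_name": "fw-01", "msg": "allowed"},
    {"ip_address": "203.0.113.9", "url_name": "example.invalid",
     "log_ts": 1700000005, "device_name": "fw-02", "msg": "denied"},
    # A row with no url_name key: JsonPath yields nothing for a missing name.
    {"ip_address": "192.0.2.77", "log_ts": 1700000009, "device_name": "proxy-01"},
])

SELECTED_KEYS = ("ip_address", "url_name")


def filter_selected_pairs(response_json, keys=SELECTED_KEYS):
    """Equivalent of the JsonPath expression $.*['ip_address','url_name']:
    for every element under the root ($.*), keep only the listed keys.
    Rows that contain none of the keys are dropped entirely."""
    rows = json.loads(response_json)
    filtered = []
    for row in rows:
        if not isinstance(row, dict):
            continue  # skip scalar or list entries; nothing to pick from
        picked = {k: row[k] for k in keys if k in row}
        if picked:
            filtered.append(picked)
    return filtered


def for_each_row(rows, sub_playbook):
    """Model of the For-Each block: call the sub-playbook once per filtered row,
    passing the row under the input key ip_url_dict, and collect each result."""
    results = []
    for row in rows:
        results.append(sub_playbook({"ip_url_dict": row}))
    return results


def echo_sub_playbook(inputs):
    # Hypothetical stand-in for 'filter sub playbook': returns its input so the
    # number of iterations and the pass-through of ip_url_dict are visible.
    return inputs["ip_url_dict"]


if __name__ == "__main__":
    rows = filter_selected_pairs(SAMPLE_INCIDENT_DATA)
    for result in for_each_row(rows, echo_sub_playbook):
        print(result)
```

Dropping the extra fields before the For-Each block is what keeps the sub-playbook input small; only the rows that actually carry an ip_address or url_name reach it.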
Sub-playbook
A sub-playbook is used so that each row is processed on a separate playbook. On each iteration, the row's values are passed to the sub-playbook, named filter sub playbook, where they are processed. The output of the filtered response is passed through the For-Each block as the input to the sub-playbook.
The sub-playbook must already exist before it can be used here. Let's look at the components of filter sub playbook in detail.
Trigger Type
Since the sub-playbook is called by another playbook, its trigger type is playbook. It expects the filtered JSON response in the key ip_url_dict.
Filters
The sub-playbook receives the JSON response with the keys ip_address and url_name. These values need to be segregated for further processing, so two filters are used, one for each key.
Scan for maliciousness via VTScan
We use VirusTotal to scan the IP and the URL (domain) and obtain a maliciousness score. In SOAR, the vendor VirusTotal is already integrated and we use the v3 product. The product instance must first be initialized with a name, URL and API key.
The API reference for IPs is https://docs.virustotal.com/reference/ip-info and the one for domains is https://docs.virustotal.com/reference/domain-info
The output of each filter is passed to a separate API block, one scanning the IP and one scanning the domain.
To pass the maliciousness score on, the End block of the sub-playbook is fed the results of the two API blocks (API ip: .data.attributes.last_analysis_stats.malicious and API url: .data.attributes.last_analysis_stats.malicious) under the keys ip_malicious and url_malicious.
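The sub-playbook's logic, as an added example rather than the article's or LogPoint's own code: split the ip_url_dict input into its ip_address and url_name parts, send each to the VirusTotal v3 object endpoint for that indicator type, and read .data.attributes.last_analysis_stats.malicious into ip_malicious and url_malicious. The endpoint paths and the x-apikey header come from the VirusTotal v3 API reference linked above, not from the article; the reply bodies are constructed here so the code runs offline, and the live_fetch function is the only part that would talk to the network.

```python
import json
from typing import Callable, Optional

# VirusTotal v3 object endpoints (per the API reference); in SOAR the product
# instance supplies the base URL and API key that are configured on it.
VT_BASE = "https://www.virustotal.com/api/v3"


def vt_endpoint(kind: str, value: str) -> str:
    """Build the lookup URL for an IP address or a domain."""
    if kind == "ip":
        return f"{VT_BASE}/ip_addresses/{value}"
    if kind == "domain":
        return f"{VT_BASE}/domains/{value}"
    raise ValueError(f"unsupported indicator kind: {kind}")


def malicious_count(vt_response: dict) -> Optional[int]:
    """Walk .data.attributes.last_analysis_stats.malicious defensively.
    Returns None when the path is absent (for example a VT error body such as
    NotFoundError), so a missing score is never mistaken for a score of 0."""
    node = vt_response
    for key in ("data", "attributes", "last_analysis_stats", "malicious"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, int) else None


def filter_sub_playbook(ip_url_dict: dict, fetch: Callable[[str], dict]) -> dict:
    """Model of 'filter sub playbook': two filters separate ip_address and
    url_name, each feeds its own API block, and the End block emits the scores
    under ip_malicious and url_malicious."""
    result = {"ip_malicious": None, "url_malicious": None}
    ip = ip_url_dict.get("ip_address")
    if ip:
        result["ip_malicious"] = malicious_count(fetch(vt_endpoint("ip", ip)))
    domain = ip_url_dict.get("url_name")
    if domain:
        result["url_malicious"] = malicious_count(fetch(vt_endpoint("domain", domain)))
    return result


# Constructed replies keyed by endpoint URL, mirroring the shape of VT v3
# object responses; the indicators and counts are made up for this example.
CONSTRUCTED_VT_REPLIES = {
    vt_endpoint("ip", "198.51.100.23"): {"data": {
        "type": "ip_address", "id": "198.51.100.23",
        "attributes": {"last_analysis_stats": {
            "harmless": 60, "malicious": 7, "suspicious": 1, "undetected": 20}}}},
    vt_endpoint("domain", "example.test"): {"data": {
        "type": "domain", "id": "example.test",
        "attributes": {"last_analysis_stats": {
            "harmless": 85, "malicious": 0, "suspicious": 0, "undetected": 5}}}},
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for the API block; unknown indicators get an error body
    like VT's NotFoundError, which carries no last_analysis_stats."""
    return CONSTRUCTED_VT_REPLIES.get(url, {"error": {"code": "NotFoundError"}})


def live_fetch(url: str, api_key: str) -> dict:
    """Real call (not executed in this example): VT v3 authenticates via x-apikey."""
    import urllib.request
    req = urllib.request.Request(
        url, headers={"x-apikey": api_key, "accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(filter_sub_playbook(
        {"ip_address": "198.51.100.23", "url_name": "example.test"}, fake_fetch))
    print(filter_sub_playbook({"ip_address": "192.0.2.77"}, fake_fetch))
```

Keeping None distinct from 0 matters at the End block of the main playbook: a row whose lookup failed should not be reported as clean.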
End - Main Playbook
The End block of the main playbook is configured to receive the malicious scores from the sub-playbook.
After a successful execution, the end result looks like the image below.
As a reference, the used playbook can be downloaded from here.