09-22-2022 08:10 AM
Hi all,
I was trying to make a playbook where I had a set of hashes extracted from a text file and then search on CbAppControl.
After searching, it would return the filename of the hash and the computers where the hash was detected.
Right now there is a built-in playbook to search for hash via CbAppControl though it seems it is not working as intended along with the limitation of MD5. I managed to make some changes and it works as the playbook's original intention i.e. to return the computer name where the hash is found.
I am a newbie here so the challenge I am facing is I have this list of hashes extracted via ExtractIndicators which I pass to this sub-playbook. The problem is since the sub-playbook contains individual functions of Carbon Black, when the output is passed to each function it is passed as an array. As an example:
I pass 2 hashes {'ASDAGF4RSDFSDFFDSF','ASDASDFSDFSDFSE'} to the sub-playbook.
It assigns it to the playbook input "inputs.Hash".
The first function searches the hash values and returns the catalogID if found in the Carbon Black server, also as an array.
The second function finds the computer ID where the file resides if found in the Carbon Black server, also as an array.
The third function finds the hostname, also as an array.
Now the problem is how can I link each hash to the respective filename and the respective hostname where it was found if all the values are together in an array?
I tried doing a loop before the sub-playbook but it seems to be slower and still adds the next value in the same array on each iteration (maybe the way I am passing is wrong perhaps).
Is there a way to link the hash - filename - hostnames as a table or something? If so how can I implement it?
Any guidance would be really helpful. Thanks.
09-29-2022 11:22 AM
Hello,
I managed to solve this as a workaround by just eliminating the sub-playbook and making the contents of the sub-playbook (only what I needed) part of the main playbook, converting the output using converttabletoHTML for each function, and posting them in the email report as is. Thanks.
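
One way to keep each hash linked to its file name and hostnames, as an added example that is not part of the original posts: carry the ID from each lookup step and join on it rather than relying on array position. The record layout, field names and sample values below are constructed assumptions, not the Carbon Black integration's actual output keys.

```python
from collections import defaultdict

# Constructed sample outputs; field names are assumptions, not the
# integration's documented context keys.
CATALOG = [  # step 1: hash -> catalog entry
    {"hash": "HASH_A", "catalogId": 101, "fileName": "tool.exe"},
    {"hash": "HASH_B", "catalogId": 102, "fileName": "update.dll"},
]
INSTANCES = [  # step 2: catalog entry -> computers holding the file
    {"catalogId": 101, "computerId": 7},
    {"catalogId": 101, "computerId": 9},
    {"catalogId": 102, "computerId": 9},
]
COMPUTERS = [  # step 3: computer ID -> hostname
    {"computerId": 7, "hostname": "WS-007"},
    {"computerId": 9, "hostname": "SRV-009"},
]


def correlate(hashes, catalog, instances, computers):
    """Return one row per input hash: hash, file name, sorted hostnames."""
    by_hash = {c["hash"].lower(): c for c in catalog}
    host_by_id = {c["computerId"]: c["hostname"] for c in computers}
    ids_by_catalog = defaultdict(set)
    for inst in instances:
        ids_by_catalog[inst["catalogId"]].add(inst["computerId"])

    rows = []
    for h in hashes:
        entry = by_hash.get(h.lower())
        if entry is None:
            # Hash not known to the server: keep the row so it stays visible.
            rows.append({"Hash": h, "FileName": None, "Hostnames": []})
            continue
        hosts = sorted(
            host_by_id.get(cid, f"unknown-computer-{cid}")
            for cid in ids_by_catalog.get(entry["catalogId"], ())
        )
        rows.append({"Hash": h, "FileName": entry["fileName"], "Hostnames": hosts})
    return rows


if __name__ == "__main__":
    for row in correlate(["HASH_A", "HASH_B", "HASH_C"], CATALOG, INSTANCES, COMPUTERS):
        print(row)
```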