Dynamic interactive multi select input inside a playbook

oDarweesh2 · ‎09-06-2022

Dears,

We are trying to do the following scenario and we want to check if it is doable or not:

1- We have a phishing playbook.

2- We are extracting all the attachments that are included inside an email file (.eml file).

3- the extraction of these files is working properly and we have each file associated with an entry id.

4- we want to submit those files to sandboxing tool but not all of them, we only want to submit the files that the analyst want to submit.

My Question: can we pass those entry ids to an interactive input (multi select input).. That ask the analyst to pick which files to be submitted to sandboxing and based on his choices we will submit the chosen files.

So do we have an interactive multi select input inside a playbook?

Your support highly appreciated

ABurt · ‎09-07-2022

This is achievable. I have attached the necessary files. The new files will provide:

A new custom layout (that is based on the Phishing Incident v3 layout)
1. This contains a new section called "Sandbox Submission"
  1. There is a new sub-section that contains a new field called "File Submissions" and a new button for submitting the files
  2. It also contains a "logs" section to show previous activities
2. The new File Submissions field has a field display script that populates file names that are found in the 'File' context value
3. The File Submission Logs field (which is a grid) populates automatically after clicking the submit button
4. The submit button uses another custom automation script that:
  1. Gathers the file names selected by the user
  2. Finds their EntryIDs
  3. Submits each file to the sandbox
  4. Populates the logs
5. After running, it will clear the File Submissions selections
6. The submit button only appears when there are entries selecting in the File Submission field

Installing to test

To make this work (and therefore you can play around with the layouts etc), do the following:

Extract the "Archive.zip" attached.
Import the 2 new automation scripts called "PopulateFileSubmissions.yml" and "SubmitFilesButton.yml".
Import the incidentfields.json (this will create 2 new fields).
Import the layout "layoutscontainer-Phishing_Incident_v3_Custom.json"
Assign the layout to the incident type you want the Sandbox submission for

There is one change you will need to make. In the automation script named "SubmitFilesButton" you will need to edit line 15 to use the command you would like to use with your sandbox. I have an ANYRUN integration setup and have left my line in there in a commented state.

Apologies for simply providing the answer as files, but it was infinitely easier to show you how it worked rather than explain in a lengthy paragraph.

Regards

Adam

View solution in original post

ABurt · ‎09-07-2022

This is achievable. I have attached the necessary files. The new files will provide:

A new custom layout (that is based on the Phishing Incident v3 layout)
1. This contains a new section called "Sandbox Submission"
  1. There is a new sub-section that contains a new field called "File Submissions" and a new button for submitting the files
  2. It also contains a "logs" section to show previous activities
2. The new File Submissions field has a field display script that populates file names that are found in the 'File' context value
3. The File Submission Logs field (which is a grid) populates automatically after clicking the submit button
4. The submit button uses another custom automation script that:
  1. Gathers the file names selected by the user
  2. Finds their EntryIDs
  3. Submits each file to the sandbox
  4. Populates the logs
5. After running, it will clear the File Submissions selections
6. The submit button only appears when there are entries selecting in the File Submission field

Installing to test

To make this work (and therefore you can play around with the layouts etc), do the following:

Extract the "Archive.zip" attached.
Import the 2 new automation scripts called "PopulateFileSubmissions.yml" and "SubmitFilesButton.yml".
Import the incidentfields.json (this will create 2 new fields).
Import the layout "layoutscontainer-Phishing_Incident_v3_Custom.json"
Assign the layout to the incident type you want the Sandbox submission for

There is one change you will need to make. In the automation script named "SubmitFilesButton" you will need to edit line 15 to use the command you would like to use with your sandbox. I have an ANYRUN integration setup and have left my line in there in a commented state.

Apologies for simply providing the answer as files, but it was infinitely easier to show you how it worked rather than explain in a lengthy paragraph.

Regards

Adam

Unlock your full community experience!

Dynamic interactive multi select input inside a playbook

Dynamic interactive multi select input inside a playbook

Show your appreciation!