This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Export indicators with custom indicator fields

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Export indicators with custom indicator fields

EnesOzdemir
L3 Networker

‎02-16-2023 10:39 PM

Our detection engineering team wants to upload a list of IOCs to XSOAR and get the VirusTotal scores of them as a csv file.

Through an automation I am extracting and enriching all the indicators and running

 

!ExportIndicatorsToCSV query="investigationIDs:47" columns="id,indicator_type,value,vtscore"

 

VT Score is a custom indicator field. It holds the VirusTotal score of the IOC but the data doesn't appear in the CSV file. I think that's because it is a custom field. It doesn't work with CustomField prefix "CustomField.vtscore" either.

 

How can export the indicators in an incident with custom fields?

0 Likes Likes
2 REPLIES 2

MBeauchamp2
L4 Transporter

‎02-21-2023 08:58 AM - edited ‎02-21-2023 09:00 AM

It should work with custom fields as you described, for example I created a custom field, added it to IP indicators, and ran as below.


I'd put that field on the layout and make sure there is a value there.

 

!ExportIndicatorsToCSV query="beauchomperscore:12345" columns="id,indicator_type,value,beauchomperscore"

 

id

indicator_type

value

beauchomperscore

269442

IP

47.32.78.150

12345
0 Likes Likes

EnesOzdemir
L3 Networker
In response to MBeauchamp2

‎02-23-2023 06:07 AM

thank you for your help, I was giving the machine name of the indicator field as an argument but as it turns out only way to get the field is using its display name, in my case "VT Score" (case sensitive)

 

 

 

0 Likes Likes
  • 1131 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks