How can I get the scores of the indicators I extract with commands?


L3 Networker

Greetings to everyone,

With the help of an automation, I extract indicators from incoming incidents. I do this by running commands that createNewIndicator and then enrichIndicator. But these are not written to the context. I need to write them to the context, find out if it is Malicious or Suspicious and send it as an email. When I search with the searchIndicator command, most of the time, it searches without the indicator and the result is misleading.

How can I do this in the simplest way?

In short, how can I find out whether the indicators I extract are Malicious or not in the simplest way? (I do all of this in automation. But I will create a separate task in the playbook for the "Send mail if malicious" part).

4 REPLIES 4

L3 Networker

What I really want is to write the DBotScore key in the content. But I don't know how to write it.

If I can write it to the context, I can send the scores one by one from there.

L2 Linker

Hi, 

 

When you run !createNewIndicator, the indicator will be written to context along with the score under the context key CreatedIndicator in your context data. Are you not seeing that behavior?


Thank you! 

L3 Networker

Yes, it doesn't show results. I do this in a custom automation with the command "demisto.executeCommand('createNewIndicator', pseudo, pseudo)".

L2 Linker

Hi, 

 

You will need to use the CommandResults class to return the outputs to context in a custom automation.
Here is some documentation on that: 
https://xsoar.pan.dev/docs/integrations/code-conventions#commandresults 

 

Hope that helps!

  • 2055 Views
  • 4 replies
  • 0 Likes
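An added example, not part of the original thread or of the product's own code: a sketch of how a custom automation could take the entries returned by `demisto.executeCommand('createNewIndicator', ...)`, pull out the `CreatedIndicator` data mentioned in the reply above, and hand it to `CommandResults` so it lands in context. The field names `value`, `indicator_type` and `score` inside `CreatedIndicator`, the `ExtractedIndicator` output prefix, and all helper names are assumptions; the sample entries are constructed.

```python
VERDICTS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Malicious"}  # XSOAR score scale
ERROR_ENTRY = 4  # entry "Type" value XSOAR uses for error entries

SAMPLE_ENTRIES = [  # constructed, not real server output; field names are assumed
    {"Type": 1, "EntryContext": {"CreatedIndicator": {
        "value": "198.51.100.7", "indicator_type": "IP", "score": 3}}},
    {"Type": 1, "EntryContext": {"CreatedIndicator(val.value == obj.value)": [
        {"value": "example.test", "indicator_type": "Domain", "score": 1}]}},
    {"Type": 4, "Contents": "constructed error text"},
]


def collect_scores(entries):
    """Pull CreatedIndicator objects out of the entries executeCommand returned."""
    rows, errors = [], []
    for entry in entries or []:
        if entry.get("Type") == ERROR_ENTRY:
            errors.append(str(entry.get("Contents")))
            continue
        for key, found in (entry.get("EntryContext") or {}).items():
            # Context keys can carry a DT suffix, e.g. "CreatedIndicator(...)".
            if key.split("(", 1)[0] != "CreatedIndicator":
                continue
            for ind in found if isinstance(found, list) else [found]:
                if not isinstance(ind, dict):
                    continue
                score = int(ind.get("score") or 0)
                rows.append({"value": ind.get("value"), "type": ind.get("indicator_type"),
                             "score": score, "verdict": VERDICTS.get(score, "Unknown")})
    return rows, errors


def needs_mail(rows):
    """Rows a later "send mail" playbook task should act on (Suspicious or Malicious)."""
    return [r for r in rows if r["score"] >= 2]


def to_command_results(rows, command_results_cls):
    """Build the object that return_results() writes to context."""
    text = "\n".join(f"{r['value']}: {r['verdict']}" for r in rows) or "No indicators"
    return command_results_cls(outputs_prefix="ExtractedIndicator",  # hypothetical key
                               outputs_key_field="value", outputs=rows, readable_output=text)


# In the automation, where XSOAR provides demisto, CommandResults and return_results:
#   rows, errors = collect_scores(demisto.executeCommand("createNewIndicator", args))
#   return_results(to_command_results(rows, CommandResults))
if __name__ == "__main__":
    print(collect_scores(SAMPLE_ENTRIES))
```

Once returned this way, a separate playbook task can read the verdicts from the `ExtractedIndicator` context key and decide whether to send the mail.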