02-25-2024 02:22 PM
Greetings to everyone,
With the help of an automation, I extract indicators from incoming incidents. I do this by running the createNewIndicator and then the enrichIndicator commands. But these are not written to the context. I need to write them to the context, find out whether each is Malicious or Suspicious, and send that as an email. When I search with the searchIndicator command, most of the time it searches without the indicator and the result is misleading.
How can I do this in the simplest way?
In short, how can I find out whether the indicators I extract are Malicious or not in the simplest way? (I do all of this in automation. But I will create a separate task in the playbook for the "Send mail if malicious" part).
02-25-2024 02:50 PM
What I really want is to write the DBotScore key in the content. But I don't know how to write it.
If I can write it to the context, I can send the scores one by one from there.
02-26-2024 11:56 AM
Hi,
When you run !createNewIndicator, the indicator will be written to context along with the score under the context key CreatedIndicator in your context data. Are you not seeing that behavior?
Thank you!
02-27-2024 12:48 AM
Yes, it doesn't show results. I do this in a custom automation with the command "demisto.executeCommand('createNewIndicator', pseudo, pseudo)".
02-27-2024 08:20 AM
Hi,
You will need to use CommandResults class to return the outputs to context in a custom automation.
Here is some documentation on that:
https://xsoar.pan.dev/docs/integrations/code-conventions#commandresults
Hope that helps!
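As an added illustration of the reply above (not code from the thread or from the XSOAR project), here is a custom automation that runs createNewIndicator and enrichIndicator, pulls each indicator's score out of the returned entries, and writes a Value/Score/Verdict list to context through CommandResults. It assumes the CreatedIndicator entry context carries Value and Score fields, that enrichment entries carry DBotScore with Indicator and Score, that enrichIndicator accepts an indicatorsValues argument, and that the output key IndicatorVerdict is our own choice; the helpers are plain Python so they can be run and tested outside XSOAR.

```python
# Added example, not from the thread: custom XSOAR automation that creates and
# enriches indicators, then returns each DBotScore verdict to context via CommandResults.
# Assumed field names: CreatedIndicator {Value, Score}, DBotScore {Indicator, Score};
# the context key 'IndicatorVerdict' is our own choice.
try:
    import demistomock as demisto  # only present inside XSOAR
    from CommonServerPython import *  # noqa: F401,F403
    IN_XSOAR = True
except ImportError:  # lets the pure helpers below run and be tested offline
    IN_XSOAR = False

VERDICTS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Malicious"}  # DBotScore scale

def verdict_from_score(score):
    """Map a numeric DBotScore to its human-readable verdict."""
    return VERDICTS.get(int(score or 0), "Unknown")

def scores_from_entries(entries):
    """Collect {indicator: score} from the EntryContext of executeCommand entries.
    Reads both CreatedIndicator and DBotScore, each given as a dict or a list."""
    scores = {}
    for entry in entries or []:
        if not isinstance(entry, dict) or entry.get("Type") == 4:  # 4 = error entry
            continue
        ctx = entry.get("EntryContext") or {}
        for key, value_field in (("CreatedIndicator", "Value"), ("DBotScore", "Indicator")):
            items = ctx.get(key) or []
            for item in items if isinstance(items, list) else [items]:
                name = item.get(value_field)
                if name:  # keep the highest (worst) score seen for an indicator
                    scores[name] = max(scores.get(name, 0), int(item.get("Score") or 0))
    return scores

def build_outputs(scores):
    """Shape the scores into the list written under the IndicatorVerdict context key."""
    return [{"Value": v, "Score": s, "Verdict": verdict_from_score(s)} for v, s in sorted(scores.items())]

def main():
    args = demisto.args()
    entries = []
    for value in argToList(args.get("values")):
        entries += demisto.executeCommand("createNewIndicator", {"value": value, "type": args.get("type", "IP")})
        entries += demisto.executeCommand("enrichIndicator", {"indicatorsValues": value})  # assumed arg name
    outputs = build_outputs(scores_from_entries(entries))
    # CommandResults is what actually writes the outputs to context from a custom automation
    return_results(CommandResults(outputs_prefix="IndicatorVerdict", outputs_key_field="Value",
                                  outputs=outputs, readable_output=tableToMarkdown("Indicator verdicts", outputs)))

if IN_XSOAR and __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

A playbook task can then filter IndicatorVerdict on Verdict equal to Malicious before the send-mail step.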