This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

How to append different IOC Indicator files in XSOAR

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to append different IOC Indicator files in XSOAR

Go to solution
cV V
L2 Linker

‎05-22-2024 05:12 AM - edited ‎05-22-2024 05:23 AM

Uploading the IOC's File A and file B in playground-war room via CLI Command box attachment file upload option.

How to append the two IOC's File A and File B

chiranjeevi
Preview file
142 KB
0 Likes Likes
6 accepted solutions

Accepted Solutions

Go to solution
OKaraduman1
L2 Linker

‎05-23-2024 12:21 AM

Hi,

 

!extractIndicators command can extract the indicator which is given files. 

View solution in original post

Go to solution
jfernandes1
L5 Sessionator

‎05-23-2024 05:50 PM

Hi @cV V, since your trying to access data store inside a docx file you will need to first convert the file to plain text. 

 

You can use the !ParseWordDoc entryID= command first on the file in your screenshot. The output of this command will add a new file to context in .txt format.

 

You can then run the !extractIndicators entryID= command with this new file. The output of this command will create the ExtractedIndicators key in your context.

 

Please note that the ExtractedIndicators key will contain sub-keys for IP, URL, etc. Also, when you run this command multiple times, with 2 different files for example, the ExtractedIndicators with be converted into a list. To create a single list you can use the below command. 

!Set append=true value=${ExtractedIndicators.IP} key=ListofIPS 

View solution in original post

Go to solution
cV V
L2 Linker

‎05-26-2024 10:56 PM

Hi Jfernandes1

Thanks for the response & guide us on below process

 

1.Step

Uploading the IOC file in word document format below 2 files in xsoar CLI box attachment. (screenshots attached)

  • testing.ioc fiel 
  • File c

2. Extracted the Indicators with thier entry ID. (please find attached screenshot)

3. While appending the two files A and B step,  where we get those values for value= and key= not listed anywhere in !extractedindicators results (screenshot attached)

 

chiranjeevi

View solution in original post

Preview file
15 KB
Preview file
64 KB
Preview file
122 KB
Preview file
125 KB
Preview file
145 KB
Preview file
196 KB
0 Likes Likes

Go to solution
jfernandes1
L5 Sessionator

‎05-27-2024 01:54 AM

Hi @cV V, in your example screenshot I see your using the ExtractIndicatorsFromWordFile automation, unfortunately this automation does not return any data to the context. The objective of the automation is to print the indicators from the docx file in the warroom, our auto-extraction feature will then process all those indicators. You can force the data to be pushed to the context by adding the extend-context option, example below. 

 

!ExtractIndicatorsFromWordFile entryID=${File.[0].EntryID} extend-context=file1data1=

Note: Do not add anything after the equal (=) symbol at the end.  

 

I would still suggest my earlier option of converting the files first since it provides more control. 

View solution in original post

0 Likes Likes

Go to solution
cV V
L2 Linker

‎05-27-2024 04:07 AM

Hi all,

Appended two files eg: File A and File B by below command for CSV file formats.

 

Indicator values = ip  (ip's column in file A and file B)

tags =iocfileA,iocfileB (tags are added while uploading IOC files) 

 

!AppendindicatorFieldWrapper indicators_values="ip" tags="iocfileA,iocfileB"

 

Regards

kudos

 

chiranjeevi

View solution in original post

Preview file
166 KB
0 Likes Likes

Go to solution
cV V
L2 Linker

‎07-04-2024 01:56 AM

Hi Team,

Thanks for the response !

 

Solution 

To Append two IOC indicator file A and B

 

Steps:

1.Upload the IOC file in "A" and " B" while uploading add the tags "fileA" and "fileB"

2.Command for Append

!AppendindicatorFieldWrapper indicators_values="ip" tags="fileA,fileB"

 

3.View the appended IOC list in full table in a new tab and or download / export in CSV

 

Regards,

Chiranjeevi

chiranjeevi

View solution in original post

0 Likes Likes
6 REPLIES 6

Go to solution
OKaraduman1
L2 Linker

‎05-23-2024 12:21 AM

Hi,

 

!extractIndicators command can extract the indicator which is given files. 

Go to solution
jfernandes1
L5 Sessionator

‎05-23-2024 05:50 PM

Hi @cV V, since your trying to access data store inside a docx file you will need to first convert the file to plain text. 

 

You can use the !ParseWordDoc entryID= command first on the file in your screenshot. The output of this command will add a new file to context in .txt format.

 

You can then run the !extractIndicators entryID= command with this new file. The output of this command will create the ExtractedIndicators key in your context.

 

Please note that the ExtractedIndicators key will contain sub-keys for IP, URL, etc. Also, when you run this command multiple times, with 2 different files for example, the ExtractedIndicators with be converted into a list. To create a single list you can use the below command. 

!Set append=true value=${ExtractedIndicators.IP} key=ListofIPS 

Go to solution
cV V
L2 Linker

‎05-26-2024 10:56 PM

Hi Jfernandes1

Thanks for the response & guide us on below process

 

1.Step

Uploading the IOC file in word document format below 2 files in xsoar CLI box attachment. (screenshots attached)

  • testing.ioc fiel 
  • File c

2. Extracted the Indicators with thier entry ID. (please find attached screenshot)

3. While appending the two files A and B step,  where we get those values for value= and key= not listed anywhere in !extractedindicators results (screenshot attached)

 

chiranjeevi
Preview file
15 KB
Preview file
64 KB
Preview file
122 KB
Preview file
125 KB
Preview file
145 KB
Preview file
196 KB
0 Likes Likes

Go to solution
jfernandes1
L5 Sessionator

‎05-27-2024 01:54 AM

Hi @cV V, in your example screenshot I see your using the ExtractIndicatorsFromWordFile automation, unfortunately this automation does not return any data to the context. The objective of the automation is to print the indicators from the docx file in the warroom, our auto-extraction feature will then process all those indicators. You can force the data to be pushed to the context by adding the extend-context option, example below. 

 

!ExtractIndicatorsFromWordFile entryID=${File.[0].EntryID} extend-context=file1data1=

Note: Do not add anything after the equal (=) symbol at the end.  

 

I would still suggest my earlier option of converting the files first since it provides more control. 

0 Likes Likes

Go to solution
cV V
L2 Linker

‎05-27-2024 04:07 AM

Hi all,

Appended two files eg: File A and File B by below command for CSV file formats.

 

Indicator values = ip  (ip's column in file A and file B)

tags =iocfileA,iocfileB (tags are added while uploading IOC files) 

 

!AppendindicatorFieldWrapper indicators_values="ip" tags="iocfileA,iocfileB"

 

Regards

kudos

 

chiranjeevi
Preview file
166 KB
0 Likes Likes

Go to solution
cV V
L2 Linker

‎07-04-2024 01:56 AM

Hi Team,

Thanks for the response !

 

Solution 

To Append two IOC indicator file A and B

 

Steps:

1.Upload the IOC file in "A" and " B" while uploading add the tags "fileA" and "fileB"

2.Command for Append

!AppendindicatorFieldWrapper indicators_values="ip" tags="fileA,fileB"

 

3.View the appended IOC list in full table in a new tab and or download / export in CSV

 

Regards,

Chiranjeevi

chiranjeevi
0 Likes Likes
  • 6 accepted solutions
  • 4613 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks