This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Problem with AppendindicatorFieldWrapper script

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Problem with AppendindicatorFieldWrapper script

adocasar
L1 Bithead

‎05-17-2023 06:00 AM - edited ‎05-17-2023 06:03 AM

Hi!

 

When we run the appendIndicatorField task, the last IP address of an array never gets tagged. Please see the following examples for clarification:

 

Example 1: works fine

!appendIndicatorField indicatorsValues="134.122.135.178" field="tags" fieldValue="BlockPA" using-brand="Builtin"

 

Example 2: tags IP 134.122.135.178, doesn't tag IP 43.128.225.120
!appendIndicatorField indicatorsValues="134.122.135.178,43.128.225.120" field="tags" fieldValue="BlockPA" using-brand="Builtin"

 

Example 3: tags IP's 134.122.135.59,107.170.234.9, doesn't tag IP 185.224.128.30

!appendIndicatorField indicatorsValues="134.122.135.59,107.170.234.9,185.224.128.30" field="tags" fieldValue="BlockPA" using-brand="Builtin"

We run the task as described in official documentation: https://xsoar.pan.dev/docs/reference/scripts/appendindicator-field-wrapper
indicators_values: A comma-separated list of indicators values. For example, for IP indicators, "1.1.1.1,2.2.2.2".

 

Does anyone know if this is a bug or we are making some mistake here?

 

Regards.

0 Likes Likes
3 REPLIES 3

MBeauchamp2
L4 Transporter

‎05-17-2023 07:36 AM

I'm not able to reproduce that on XSOAR 6.11300044, with all my Base and Common Packs up to date, works find for me. 

 

Would be worth at support ticket.

0 Likes Likes

atullo
L2 Linker

‎05-17-2023 02:45 PM

Please check if there are any results for these searches in XSOAR's Threat Intel tab:

value:"43.128.225.120"
value:"43.128.225.120" and tags:BlockPA
value:"185.224.128.30"
value:"185.224.128.30" and tags:BlockPA

0 Likes Likes

adocasar
L1 Bithead

‎05-18-2023 01:53 AM

Hello everyone,

 

I would like to express my gratitude for your responses. I have some updates to share regarding this matter.

 

After conducting further tests, we have observed that this issue occurs randomly. In some cases, all the IP addresses in an array are tagged, while in others, there is one IP address that remains untagged. It is not always the last IP address in the array (apologies for the confusion); it could be any IP address. However, based on more than 10 tests, we can say that the problem never affects more than one IP address.

 

I attach an error example for evidence. 

 

In my opinion, this is a bug, and I believe that this task should generate an error when one IP address is not tagged.

 

Best regards.

Preview file
109 KB
0 Likes Likes
  • 1792 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks