Problem with AppendindicatorFieldWrapper script

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Problem with AppendindicatorFieldWrapper script

L1 Bithead

Hi!

 

When we run the appendIndicatorField task, the last IP address of an array never gets tagged. Please see the following examples for clarification:

 

Example 1: works fine

!appendIndicatorField indicatorsValues="134.122.135.178" field="tags" fieldValue="BlockPA" using-brand="Builtin"

 

Example 2: tags IP 134.122.135.178, doesn't tag IP 43.128.225.120
!appendIndicatorField indicatorsValues="134.122.135.178,43.128.225.120" field="tags" fieldValue="BlockPA" using-brand="Builtin"

 

Example 3: tags IP's 134.122.135.59,107.170.234.9, doesn't tag IP 185.224.128.30

!appendIndicatorField indicatorsValues="134.122.135.59,107.170.234.9,185.224.128.30" field="tags" fieldValue="BlockPA" using-brand="Builtin"

We run the task as described in official documentation: https://xsoar.pan.dev/docs/reference/scripts/appendindicator-field-wrapper
indicators_values: A comma-separated list of indicators values. For example, for IP indicators, "1.1.1.1,2.2.2.2".

 

Does anyone know if this is a bug or we are making some mistake here?

 

Regards.

3 REPLIES 3

L4 Transporter

I'm not able to reproduce that on XSOAR 6.11300044, with all my Base and Common Packs up to date, works find for me. 

 

Would be worth at support ticket.

L2 Linker

Please check if there are any results for these searches in XSOAR's Threat Intel tab:

value:"43.128.225.120"
value:"43.128.225.120" and tags:BlockPA
value:"185.224.128.30"
value:"185.224.128.30" and tags:BlockPA

L1 Bithead

Hello everyone,

 

I would like to express my gratitude for your responses. I have some updates to share regarding this matter.

 

After conducting further tests, we have observed that this issue occurs randomly. In some cases, all the IP addresses in an array are tagged, while in others, there is one IP address that remains untagged. It is not always the last IP address in the array (apologies for the confusion); it could be any IP address. However, based on more than 10 tests, we can say that the problem never affects more than one IP address.

 

I attach an error example for evidence. 

 

In my opinion, this is a bug, and I believe that this task should generate an error when one IP address is not tagged.

 

Best regards.

  • 1809 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!