02-16-2023 10:39 PM
Our detection engineering team wants to upload a list of IOCs to XSOAR and get the VirusTotal scores of them as a csv file.
Through an automation I am extracting and enriching all the indicators and running
!ExportIndicatorsToCSV query="investigationIDs:47" columns="id,indicator_type,value,vtscore"
VT Score is a custom indicator field. It holds the VirusTotal score of the IOC but the data doesn't appear in the CSV file. I think that's because it is a custom field. It doesn't work with CustomField prefix "CustomField.vtscore" either.
How can export the indicators in an incident with custom fields?
02-21-2023 08:58 AM - edited 02-21-2023 09:00 AM
It should work with custom fields as you described, for example I created a custom field, added it to IP indicators, and ran as below.
I'd put that field on the layout and make sure there is a value there.
!ExportIndicatorsToCSV query="beauchomperscore:12345" columns="id,indicator_type,value,beauchomperscore"
|
id |
indicator_type |
value |
beauchomperscore |
|
269442 |
IP |
47.32.78.150 |
12345 |
02-23-2023 06:07 AM
thank you for your help, I was giving the machine name of the indicator field as an argument but as it turns out only way to get the field is using its display name, in my case "VT Score" (case sensitive)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
