Indicator_collect expects a comma separated list string but receives a python list, thus causing it to not filter correctly on indicator_types, and indicator_tags.

On line 464 the code checks if the key is dest, then on line 466 it checks if the key matches an IP regex (which it never will, if it is also dest).

The same is done lower down for src.

This needs to check the value against the IP regex, not the key.

Good Job
在微信上看到你们的分享：

问几个问题哈，
Playbooks和ansible的playbook是一个吗？
Playbook的编排是针对主机的吗？
Playbook具体的执行是通过什么方式进行的？SSH到主机进行操作吗？
谢谢。

If the function is called for a value containing a backslash, a RuntimeError is thrown. URL Encoding the name does not work.

Raised in Splunk Usergroup Slack channel: https://splunk-usergroups.slack.com/archives/C03AUDMLHA5/p1703127886647099

If you have two indicators with different cases (e.g., indicator1 and InDiCaToR1, and you call the indicator_tag function with the name of the indicator (as opposed to the ID), it fails.

This is because, when it is searching for the indicator to tag, it is using the case insensitive filter parameter _filter_value__iexact, which returns both indicators (they are stored case-sensitive in SOAR), and the custom function exits with an error if there is more than one indicator found. If you change it to _filter_value__exact then it will find just the one indicator and tag it.

IMO the function should either be fully case-insensitive, and tag all indicators that match a case-insensitive search, or be fully case-sensitive, and only tag the indicator that matches a case-sensitive search. Given that SOAR stores indicators in a case-sensitive manner, it makes sense to me to do the latter.

I think I may have found a bug with the regex_filter_list custom function. I'm running Soar 5.4.0.x.
The action variable for this function is set to be a list. Creating my own version of that CF in SOAR and changing the data type to an item, for the action variable, seems to solve the problem.
Otherwise the community version of that gives this error:

CustomFunctionRun with id=69821 FAILED: The custom function run is being marked failed because all of its constituent results failed
Error: Encountered an unhandled exception in custom function "regex_filter_list" for the parameter dictionary at index=0: {'action': ['drop'], 'input_list': ['10.0.1.1', '10.90.0.1'], 'regex': '\b(?!10\.|192\.168\.|172\.(?:1[6-9]|2[0-9]|3[01])\.)(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}\b'}
Traceback (most recent call last):
File "regex_filter_list", line 73, in cfentry
File "lib3/phantom/decided/playbook_resource_score.py/playbook_resource_score.py", line 126, in _wrapper
File "lib3/phantom/decided/playbook_resource_score.py/playbook_resource_score.py", line 123, in _wrapper
File "regex_filter_list", line 25, in regex_filter_list
AttributeError: 'list' object has no attribute 'lower'

I see there was a rework on this custom function back in march. I think there is an issue w/ the change.

At this time :Input is cef types, all, no tags, current container.

if trying to use the values ouput field, it returns many duplicate values. Manual inspection of the artifacts show that there were only 2 items to be found. But the returned values are those two items repeated many many times. Havent dug that far in yet, but that's definitely seems like improper behavior. If I get some more time, I'll try to debug as well.