phantomcyber / playbooks
Phantom Community Playbooks
License: Apache License 2.0
I think I may have found a bug with the regex_filter_list custom function. I'm running SOAR 5.4.0.x.
The action variable for this function is set to be a list. Creating my own version of that CF in SOAR and changing the data type to an item, for the action variable, seems to solve the problem.
Otherwise the community version of that gives this error:
CustomFunctionRun with id=69821 FAILED: The custom function run is being marked failed because all of its constituent results failed
Error: Encountered an unhandled exception in custom function "regex_filter_list" for the parameter dictionary at index=0: {'action': ['drop'], 'input_list': ['10.0.1.1', '10.90.0.1'], 'regex': '\b(?!10\.|192\.168\.|172\.(?:1[6-9]|2[0-9]|3[01])\.)(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}\b'}
Traceback (most recent call last):
File "regex_filter_list", line 73, in cfentry
File "lib3/phantom/decided/playbook_resource_score.py/playbook_resource_score.py", line 126, in _wrapper
File "lib3/phantom/decided/playbook_resource_score.py/playbook_resource_score.py", line 123, in _wrapper
File "regex_filter_list", line 25, in regex_filter_list
AttributeError: 'list' object has no attribute 'lower'
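As an added example, not code from the community playbooks repository: a stand-alone Python version of the filtering step that accepts the action either as a plain string or as the one-element list SOAR handed the function in the failing run above, so the .lower() call no longer lands on a list. The regex and the input list are the ones quoted in the error; the function name, signature and the keep/drop semantics are assumptions.

```python
import re
from typing import Iterable, List, Union

# Regex quoted in the failing run above: an IPv4 address that is not in one
# of the RFC 1918 private ranges (10/8, 172.16/12, 192.168/16).
PUBLIC_IPV4_RE = (
    r"\b(?!10\.|192\.168\.|172\.(?:1[6-9]|2[0-9]|3[01])\.)"
    r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}\b"
)


def normalize_action(action: Union[str, Iterable[str]]) -> str:
    """Return 'keep' or 'drop' whether action arrives as a str or a list.

    The failing run shows the parameter dictionary {'action': ['drop'], ...};
    calling .lower() on that list is what raised AttributeError, so a
    one-element list is unwrapped before lower-casing.
    """
    if isinstance(action, str):
        value = action
    else:
        items = [a for a in action if isinstance(a, str)]
        if len(items) != 1:
            raise ValueError(f"action must be one keep/drop value, got {action!r}")
        value = items[0]
    value = value.strip().lower()
    if value not in ("keep", "drop"):
        raise ValueError(f"action must be 'keep' or 'drop', got {value!r}")
    return value


def regex_filter_list(input_list: Iterable[str], regex: str, action) -> List[str]:
    """Keep or drop the items of input_list that contain a match for regex.

    Hypothetical signature, not the custom function's own. Non-string items
    are treated as non-matches instead of crashing the run.
    """
    pattern = re.compile(regex)
    keep_matches = normalize_action(action) == "keep"
    result = []
    for item in input_list:
        matched = isinstance(item, str) and pattern.search(item) is not None
        if matched == keep_matches:
            result.append(item)
    return result


if __name__ == "__main__":
    # Inputs from the parameter dictionary in the error message above.
    print(regex_filter_list(["10.0.1.1", "10.90.0.1"], PUBLIC_IPV4_RE, ["drop"]))
```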
On line 464 the code checks if the key is dest, then on line 466 it checks if the key matches an IP regex (which it never will, if it is also dest).
The same is done lower down for src.
This needs to check the value against the IP regex, not the key.
I see there was a rework on this custom function back in March. I think there is an issue with the change.
At this time: Input is CEF types, all, no tags, current container.
If trying to use the values output field, it returns many duplicate values. Manual inspection of the artifacts shows that there were only 2 items to be found. But the returned values are those two items repeated many, many times. Haven't dug that far in yet, but that definitely seems like improper behavior. If I get some more time, I'll try to debug as well.
If you have two indicators with different cases (e.g., indicator1 and InDiCaToR1), and you call the indicator_tag function with the name of the indicator (as opposed to the ID), it fails.
This is because, when it is searching for the indicator to tag, it is using the case-insensitive filter parameter _filter_value__iexact, which returns both indicators (they are stored case-sensitive in SOAR), and the custom function exits with an error if there is more than one indicator found. If you change it to _filter_value__exact then it will find just the one indicator and tag it.
IMO the function should either be fully case-insensitive, and tag all indicators that match a case-insensitive search, or be fully case-sensitive, and only tag the indicator that matches a case-sensitive search. Given that SOAR stores indicators in a case-sensitive manner, it makes sense to me to do the latter.
If the function is called for a value containing a backslash, a RuntimeError is thrown. URL Encoding the name does not work.
Raised in Splunk Usergroup Slack channel: https://splunk-usergroups.slack.com/archives/C03AUDMLHA5/p1703127886647099
Indicator_collect expects a comma-separated list string but receives a Python list, thus causing it to not filter correctly on indicator_types and indicator_tags.