SOAR field to UDM

Hi Everyone,

A common issue I have been facing is how to provide UDM fields in the automated messages in my SOAR playbooks. The current way is to type out the UDM field and use the Placeholder variable to select which fields you want, i.e.

principal.ip="[Event.event_principal_ip]"

Which can take quite a bit of time, especially if you want to enter +10 UDM fields!

To remedy this I used the Render Template action to create a JINJA2 script that would perform the conversion automatically and format it so it can be copy/pasted directly into a UDM search for further investigation. Here is the script (be sure to select the "Include Case Data" check box):

{% set CaseData = input_json['SiemplifyEvents'] %}

{% if CaseData is defined %}
    {% for event in CaseData %}
        {% for item in event %}
            {% if "ip" in item and "event" in item %}{# filter: which event field names to keep #}
                {% set word = ".".join(item.split("_")) %}{# event_principal_ip -> event.principal.ip #}
                {% set UDM = [] %}
                {% for index in range(word|length) %}
                    {% if word[index] in "1234567890" %}{# drop repeated-field indexes such as ".0" #}
                        {% if word[index-1] == "." %}
                            {% do UDM.pop() %}
                        {% endif %}
                    {% elif word[index] == word[index]|upper and word[index] != "." %}{# camelCase -> snake_case #}
                        {% do UDM.append("_") %}
                        {% do UDM.append(word[index]|lower|safe) %}
                    {% else %}
                        {% do UDM.append(word[index]|safe) %}
                    {% endif %}
                {% endfor %}
                {% set TempName = "".join(UDM) %}
                {% set UDM_Field = ".".join(TempName.split(".")[1:])|safe %}{# strip the leading "event" #}
                {{ UDM_Field + "=\""|safe + event[item]|safe + "\""|safe }}
            {% endif %}
        {% endfor %}
    {% endfor %}
{% endif %}

It's not the prettiest or fastest thing ever, but it does get the job done! Of course you likely don't want every field under the sun in your report. Line 6 is the place to filter for which fields you want. In this example, I am returning all fields that have "ip" and "event" in them. This is usually good enough for a high level overview of certain values.

If you want a more specific list I would recommend copying UDM fields from a sample log and using Excel to get everything before the "=" (I use =leftsplit in Excel).

principal.user.userid="me" ------>>> principal.user.userid
 
Now that you have a list of the UDM fields, convert them to a list object by wrapping them in double quotes and separating by commas. (I use https://arraythis[.]com/, takes only a second.)
 
Boom, now you have a list of the UDM fields you want in list form. For the last step paste the following lines:
 
Line 2: {% set UDM_Filter = [YOUR UDM LIST] %}
Replace Line 23 with:
{% if UDM_Field in UDM_Filter %}
    {{ UDM_Field + "=\""|safe + event[item]|safe + "\""|safe }}
{% endif %}
 
Here is an example where I want to select for the principal.ip and principal.hostname fields:

{% set CaseData = input_json['SiemplifyEvents'] %}
{% set UDM_Filter = ["principal.ip","principal.hostname"] %}
{% if CaseData is defined %}
    {% for event in CaseData %}
        {% for item in event %}
            {% if "ip" in item and "event" in item %}{# filter: which event field names to keep #}
                {% set word = ".".join(item.split("_")) %}{# event_principal_ip -> event.principal.ip #}
                {% set UDM = [] %}
                {% for index in range(word|length) %}
                    {% if word[index] in "1234567890" %}{# drop repeated-field indexes such as ".0" #}
                        {% if word[index-1] == "." %}
                            {% do UDM.pop() %}
                        {% endif %}
                    {% elif word[index] == word[index]|upper and word[index] != "." %}{# camelCase -> snake_case #}
                        {% do UDM.append("_") %}
                        {% do UDM.append(word[index]|lower|safe) %}
                    {% else %}
                        {% do UDM.append(word[index]|safe) %}
                    {% endif %}
                {% endfor %}
                {% set TempName = "".join(UDM) %}
                {% set UDM_Field = ".".join(TempName.split(".")[1:])|safe %}{# strip the leading "event" #}
                {% if UDM_Field in UDM_Filter %}{# only emit fields named in UDM_Filter #}
                    {{ UDM_Field + "=\""|safe + event[item]|safe + "\""|safe }}
                {% endif %}
            {% endif %}
        {% endfor %}
    {% endfor %}
{% endif %}

*Remember to change line 6 so the filtering doesn't contradict your list. You can just set it to {% if 1==1 %}*
 
Here is the workflow:
Find a sample log and copy the desired UDM fields
Process the UDM to a Python list
Paste the list to line 2
Make sure line 6 doesn't filter out desired fields
 
Things to note:
For multi-event rules this will select all the fields from each log, so if there are 500 logs and each one has principal.ip this will return 500 principal.ip fields. (You can wrap it in an if statement checking the loop.index value if you know how many fields you want. I'm planning on having a unique field checker in the future to remove repeated values.)
For repeated fields, make sure to remove the indexed field, i.e.:
security_results[0].summary --> security_results.summary
 
Let me know if it doesn't work for you, or you find any bugs! I use this for basically every use case within every playbook, so feedback is appreciated!
 
Have a nice day
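As an added worked example (not code from the post above or from the SOAR product), the same conversion in plain Python, so the logic of the template can be tested outside a playbook. The sample SiemplifyEvents payload is constructed here, and its key layout ("event_" prefix, "_" separators, camelCase components, bare numbers for repeated-field indexes) is an assumption based on the examples in the post. It goes one step past the template: values are de-duplicated per field (the "unique field checker" the post mentions wanting) and joined with "or" into one paste-ready line per field. The quoting rule in quote_value is also an assumption, not a documented UDM search rule.

```python
import re
from collections import OrderedDict

# Constructed sample of the "Include Case Data" payload (input_json['SiemplifyEvents']).
# Assumption, not taken from the post: keys are "event_" + the UDM path with "_"
# as the separator, camelCase for multi-word components and a bare number for the
# index of a repeated field.
SAMPLE_EVENTS = [
    {
        "event_principal_ip": "10.0.0.5",
        "event_principal_hostname": "ws-01",
        "event_principal_user_userid": "alice",
        "event_securityResult_0_summary": "Malware detected",
        "event_target_ip": "203.0.113.9",
        "event_metadata_eventTimestamp": "2024-06-14T10:00:00Z",
    },
    {
        "event_principal_ip": "10.0.0.5",  # same value as in the first event
        "event_principal_hostname": "ws-02",
        "event_target_ip": "198.51.100.7",
    },
]

_CAMEL_BOUNDARY = re.compile(r"(?<!^)(?=[A-Z])")  # position before each inner capital


def event_key_to_udm(key):
    """Mirror the template's conversion:
    event_principal_ip             -> principal.ip
    event_securityResult_0_summary -> security_result.summary
    """
    parts = key.split("_")
    if parts[0] != "event":
        raise ValueError("not an event field: %s" % key)
    components = []
    for part in parts[1:]:
        if part.isdigit():  # repeated-field index, dropped like the template's ".0"
            continue
        components.append(_CAMEL_BOUNDARY.sub("_", part).lower())
    return ".".join(components)


def collect_udm_values(events, wanted=None):
    """Walk every event and return {udm_field: [unique values in first-seen order]}.

    `wanted` plays the role of UDM_Filter; None keeps every event_* field.
    Values are de-duplicated per field, so 500 identical principal.ip values
    collapse to one entry instead of 500 lines.
    """
    found = OrderedDict()
    for event in events:
        for key, value in event.items():
            if not key.startswith("event_"):
                continue
            field = event_key_to_udm(key)
            if wanted is not None and field not in wanted:
                continue
            values = found.setdefault(field, [])
            if value not in values:
                values.append(value)
    return found


def quote_value(value):
    # Assumption: backslash-escaping of embedded quotes. Verify against the
    # search syntax you actually paste into before relying on it for odd values.
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % text


def udm_search_lines(found):
    """One paste-ready line per field: field="v1" or field="v2"."""
    lines = []
    for field, values in found.items():
        lines.append(" or ".join("%s=%s" % (field, quote_value(v)) for v in values))
    return lines


if __name__ == "__main__":
    terms = collect_udm_values(SAMPLE_EVENTS, wanted=["principal.ip", "principal.hostname"])
    print("\n".join(udm_search_lines(terms)))
```

Running the block with the two-field filter prints one line for principal.ip (the duplicate collapsed) and one line for principal.hostname joining both hosts with "or". Passing wanted=None reproduces the "every field" behaviour of the template's line 6 when it is set to {% if 1==1 %}.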

Thanks for the contribution Moseis!

I have done similar (but different) recently but from a different angle, I'm adding here to complement your work above.

1. Create a string of entity types

[image: SoarAndy_2-1718357933230.png]


2. Use Jinja (like you did) to create a string

[image: SoarAndy_3-1718357947256.png]

(sorry it's not letting me add the code in clear text to copy)

3. The output is a simple request for 1 entity type

hash ="abcdef123" or hash = "abcdef123"
