I have found a few functions that fail if they receive more than a single input.
Mimecast Report Message as Phishing, for example.
One message ID works, but if the input is two messages, comma-delimited, it fails. I have tried the split feature and created a list, but again, the input fails to handle it. I need a way to do a "for each Message ID" loop statement.
I'm encountering the same problem with other actions. Currently I solve this by modifying the action in the IDE to accept lists as well.
But I hope that there will be a loop/iteration action or other way to have this supported natively.
I require a single entity to be passed as input of a playbook from the Case Entities.
Are there any actions that allow passing only a single entity from the list of target entities of the case without modifying the action?
Actions in SecOps fall into two categories:
Actions that use Entities for inputs. These typically have looping in the nature of the Python code.
Actions that use String inputs. The handling of multiple entities is implementation/vendor specific.
I checked the code for Mimecast (see MimecastManager lines 236) and confirmed this will only handle 1 input.
Option 1 - Duplicate the Action 'report message' and implement your own loop around line 87/88/89.
Option 2 - Playbook looping (for string inputs such as this) is known to the PM team, though I have no information on the status of this feature.
Option 3 - Change the workflow to have 1 Alert per message ID; however, this would require analysing the workflow and adapting where possible.
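A sketch of the loop Option 1 describes, as an added example that is not part of the original reply or of the Mimecast integration's code. `report_one` is a hypothetical stand-in for the integration's existing single-message call, and the sample message IDs are constructed.

```python
from typing import Callable, Dict, List


def split_ids(raw: str) -> List[str]:
    """Split a comma-delimited action parameter into trimmed, unique IDs (order kept)."""
    seen, ids = set(), []
    for part in (raw or "").split(","):
        item = part.strip()
        if item and item not in seen:
            seen.add(item)
            ids.append(item)
    return ids


def report_each(raw_ids: str, report_one: Callable[[str], object]) -> Dict[str, object]:
    """Call the single-ID operation once per ID; one failure does not abort the rest."""
    succeeded: List[str] = []
    failed: Dict[str, str] = {}
    for message_id in split_ids(raw_ids):
        try:
            report_one(message_id)
            succeeded.append(message_id)
        except Exception as exc:  # record the failure against this ID only
            failed[message_id] = str(exc)
    return {
        "succeeded": succeeded,
        "failed": failed,
        # The action should only report success if every ID was handled.
        "all_ok": bool(succeeded) and not failed,
    }


def fake_report_one(message_id: str) -> None:
    """Constructed stand-in for the vendor call (hypothetical); rejects IDs starting with 'bad'."""
    if message_id.startswith("bad"):
        raise ValueError("message not found")


if __name__ == "__main__":
    # Constructed input: extra spaces, an empty element and a duplicate ID.
    print(report_each("id-1, id-2,,bad-3, id-1", fake_report_one))
```

Returning the per-ID failures lets the action's output show the analyst exactly which messages were not reported instead of failing the whole step.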