Let's look at three use cases building an Expression in an Action.
Use Case Number One: IPS
Let's say we are building a Playbook which has found a malicious flow in
a Network. Imagine that a vulnerability management tool such as Qualys has
scheduled scanning every day. In this example, we are using Qualys –
List Scans to get all the latest scans from Qualys (30 days hard coded).
We will be using the expression builder to extract the ID (REF) of the newest
scan as placeholder for download VM scan results. VM scan results will
download the relevant report. Using the List Operations, we are going to
extract the list of the vulnerabilities' identifiers which was found on
the network (CVE) from the report and compare it to the CVE from the
case We can use an IPS alert to trigger the Playbook. Start off
with an Active Directory_Enrich Entities action so that we can enrich all the
entities that are potentially affected. and then use Qualys VM – List
Scans to retrieve the latest scan results for the network machines and
determine if any of them are vulnerable to the detected flow. Now
let's take a look at the next action QualysVM_Download VM Scan
Results_1. This screenshot shows the Placeholder together with the Expression
Builder that has been added.
Click on the Expression Builder icon as shown below.
The Expression Builder screen opens up.
Add the following in the Expression field. The expressions means that we
use MAX to take the latest result by date (LAUNCH_DATETIME) and
then extract the specific scan id of the relevant scan
where REF means scan id. | max(LAUNCH_DATETIME) | REF
Click Run. The expected results will appear.
Click Insert to include the Expression Builder as part of the Placeholder.
Next action should be as follows: Action > List operations
using CVEs from the cases + expression builder displays – see
following screenshots.
Once the Playbook is triggered in real time, you can see the scan results in
the side drawer, including the specific scan as pdf.
Use Case Number Two: Too Many Failed Login Attempts
For this use case let's say that we had failed login attempts and we
want to figure out which department the user belongs to and when was the last
time he changed his password in order to determine the severity of the alert.
In this Playbook we are going to use Active Directory to get more
information. In the first action, we will use ActiveDirectory_Enrich
entities to find out more information on all the internal entities. In this
Insight message, we want to find out the user and the last time they logged
in. Below is a screenshot of this action already with the necessary
Placeholders with the Expression Builders in.
To add these placeholders:
In the Message field, click the Placeholder icon [ ].
In the Insert Placeholder screen, click the Expression Builder icon next to
the ActiveDirectory_Enrich entities_JSONResult
Add the following in the expression field: This will choose the entity
identifier. Currently, if more than one entity returned results – we
will get it as a comma separated list. | Entity
Click Run and you will see the sample result. In this case, user@domain.com.
Click Insert to use this as part of your placeholder message. Add the
relevant free text to your message as well.
Once again, click the Placeholder icon [] and then click the Expression
Builder icon next to the ActiveDirectory_Enrich entities_JSONResult.
Add the following expression. This will capture the last logon time of the
specified user. | EntityResult.lastLogon
Click Insert and then click Save.
Once the Playbook is triggered in real time, you will see a message on the
Insight pane with the user name and last login time.
Use Case Number Three: VirusTotal
The action checks the reputation of the file hash on VirusTotal. In this
example, we are getting a report for a specific file hash. We are then
extracting the reputation (i.e. is it known to be malicious) by a specific
scan engine. In this case, Kaspersky. So we are going to check if
Kaspersky marked the file hash as malicious and create an entity for that. In
the first action, we will use VirusTotal_Scan Hash. Now, let's take
a look at the next action. Siemplify_Create Or Update Entity Properties.
This creates or changes properties for an entity. Detected by Kaspersky. Below
is a screenshot of this action already with the necessary Placeholders with
the Expression Builders in.
To add this placeholder:
In the Field Value field, click the Placeholder icon [ ].
In the Insert Placeholder screen, click the Expression Builder icon next to
the VirusTotal_ScanHash_JSONResult.
Add the following expression: |
filter(EntityResult.scans.Kaspersky.detected, "=",
"true") | Entity
If we scanned more than one hash, it
filters the results by all the entity objects that Kaspersky marked as
malicious – and then returns just the entity name.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-28 UTC."],[[["The Expression Builder in Google SecOps SOAR is used within Playbook actions to extract and manipulate data dynamically."],["In an IPS use case, the Expression Builder is used to extract the latest scan ID from Qualys to download the corresponding vulnerability scan results."],["For failed login attempts, the Expression Builder retrieves user identifiers and last login times from Active Directory to assess alert severity."],["When checking file reputations with VirusTotal, the Expression Builder filters scan results to identify files flagged as malicious by specific engines, like Kaspersky."],["Expression Builder, allows the use of operators such as \"max\" or \"filter\" in order to retrieve specific values from the playbook actions."]]],[]]
