Use cases for Expression Builder

This document describes use cases for building an expression in an action.

Use case number one: IPS

This use case assumes you're building a playbook that has found a malicious flow in a network.
Imagine that a vulnerability management tool, such as Qualys, has scheduled a daily scan.

Create a placeholder

Before you begin, follow these suggestions:

  • Use Qualys – List Scans to get all the latest scans from Qualys (30 days hard coded).
  • Use the Expression Builder to extract the ID (REF) of the newest scan as a placeholder to download VM scan results. VM scan results download the relevant report.
  • Use the List Operations to extract the list of vulnerability identifiers (CVE) found on the network from the report and compare it to the CVE from the case.
  • Use an IPS alert to trigger the playbook.

The playbook then runs as follows:

  1. Begin with an Active Directory_Enrich Entities action to enrich all potentially affected entities.
  2. Use Qualys VM – List Scans to retrieve the latest scan results for the network machines.
  3. Determine if any of the results are vulnerable to the detected flow.
  4. Look at QualysVM_Download VM Scan Results_1. You should see the placeholder and the added Expression Builder.

Add the placeholder

To add the placeholder:

  1. Click [ ] Placeholder. The Insert Placeholder dialog appears.
  2. Select Playbook > QualysVM_list_Scans_1_JSONResult.
  3. Click the Expression Builder icon; the Expression Builder screen appears.
  4. In the Expression field, add the following expression. It uses max to take the latest result by date (LAUNCH_DATETIME) and then extracts the ID of that scan, where REF is the scan ID.
    Example: | max(LAUNCH_DATETIME) | REF
  5. Click Run. The expected results should appear.
  6. Click Insert to include the Expression Builder as part of the placeholder.
  7. Click Action > List operations; the list operation that uses the CVEs from the cases together with the Expression Builder output displays.
  8. Once the playbook is triggered in real time, you can see the scan results in the side drawer, including the specific scan as a PDF file.

Use Case number two: Too Many Failed Login Attempts

This case assumes that you had failed login attempts and want to figure out which department the user belongs to and when the user last changed their password, in order to determine the severity of the alert. In this playbook, you are going to use Active Directory to get more information.
In the first action, you will use ActiveDirectory_Enrich entities to find out more information on all the internal entities. In this Insight message, you want to find out the user and the last time they logged in.

To add these placeholders:

  1. In the Message field, click [ ] Placeholder.
  2. In the Insert Placeholder screen, click the Expression Builder icon next to the ActiveDirectory_Enrich entities_JSONResult.
  3. Add the following in the Expression field. This chooses the entity identifier; if more than one entity returned results, you get them as a comma-separated list.
    | Entity
  4. Click Run; the sample result appears. In this case, user@domain.com.
  5. Click Insert to use this as part of your placeholder message. Add the relevant free text to your message.
  6. Click the [ ] Placeholder icon and then click the Expression Builder icon next to the ActiveDirectory_Enrich entities_JSONResult.
  7. Add the following expression. It captures the last logon time of the specified user.
    | EntityResult.lastLogon
  8. Click Insert and then click Save.
  9. Once the playbook is triggered in real time, a message on the Insight pane appears, showing the username and last login time.

Use Case number three: VirusTotal

The action checks the reputation of a file hash on VirusTotal. In this example, you get a report for a specific file hash and extract its reputation (whether it is known to be malicious) according to a specific scan engine, in this case Kaspersky.
Check whether Kaspersky marked the file hash as malicious and create an entity for that.
In the first action, you will use VirusTotal_Scan Hash.
Now, take a look at the next action, Siemplify_Create Or Update Entity Properties. This creates or changes properties for an entity, in this case the property "Detected by Kaspersky".

To add this placeholder:

  1. In the Field Value field, click [ ] Placeholder.
  2. In the Insert Placeholder screen, click the Expression Builder icon next to the VirusTotal_ScanHash_JSONResult.
  3. Add the following expression:
    | filter(EntityResult.scans.Kaspersky.detected, "=", "true") | Entity

    If you scanned more than one hash, this filters the results down to the entity objects that Kaspersky marked as malicious and then returns just the entity name.

  4. Click Insert and then click Save. Results will display at run time.
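To see what the pipelines from the three use cases above yield on sample data, here is an added Python emulation; it is not the Google SecOps / Siemplify expression engine, and the stage semantics (max keeps the item with the largest field, filter keeps matching items, a bare path selects a field), the JSON result shapes and the sample values are all assumptions.

```python
"""Minimal emulation of the Expression Builder pipelines shown on this page.
Added example, not the product's own engine. Assumed semantics: stages are
separated by '|', max(FIELD) keeps the item with the largest FIELD, a bare
dotted path selects that field from every item, filter(path, "=", value)
keeps matching items, and multiple results join as a comma-separated list."""
import json
import re

# Constructed sample: two Qualys VM scans (field names taken from the page,
# record shape assumed).
QUALYS_LIST_SCANS = json.loads("""[
  {"REF": "scan/placeholder-older", "LAUNCH_DATETIME": "2024-03-01T02:00:00Z"},
  {"REF": "scan/placeholder-newer", "LAUNCH_DATETIME": "2024-03-02T02:00:00Z"}
]""")

# Constructed sample: VirusTotal_Scan Hash results for two hashes (placeholders).
VT_SCAN_HASH = json.loads("""[
  {"Entity": "HASH_PLACEHOLDER_A",
   "EntityResult": {"scans": {"Kaspersky": {"detected": true}}}},
  {"Entity": "HASH_PLACEHOLDER_B",
   "EntityResult": {"scans": {"Kaspersky": {"detected": false}}}}
]""")


def get_path(item, path):
    """Walk a dotted path such as EntityResult.scans.Kaspersky.detected."""
    for key in path.split("."):
        item = item[key]
    return item


def evaluate(expression, data):
    """Run a pipe-separated expression over a list of JSON result objects."""
    items = list(data) if isinstance(data, list) else [data]
    for stage in [s.strip() for s in expression.split("|") if s.strip()]:
        m = re.fullmatch(r"max\((\w+)\)", stage)
        if m:  # keep only the item with the largest value of the named field
            items = [max(items, key=lambda i: i[m.group(1)])]
            continue
        m = re.fullmatch(r'filter\(([\w.]+),\s*"="\s*,\s*"([^"]*)"\)', stage)
        if m:  # compare as lower-case strings so "true" matches JSON true
            path, want = m.groups()
            items = [i for i in items
                     if str(get_path(i, path)).lower() == want.lower()]
            continue
        items = [get_path(i, stage) for i in items]  # plain field selection
    return ", ".join(str(i) for i in items)
```

Running `evaluate("| max(LAUNCH_DATETIME) | REF", QUALYS_LIST_SCANS)` returns the newer scan's REF, and the VirusTotal filter pipeline returns only the hash that Kaspersky flagged.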
