Use cases for Expression Builder
Supported in: Google SecOps SOAR

This document describes use cases for building an expression in an action.

Note: Some characters in the Expression Builder, like slash (/), backslash (\) or quotation marks ("), require an escape character (a backslash, \) before them to return results. For example: replace("\/","y")
Use case number one: IPS
This use case assumes you're building a playbook that has found a malicious flow in
a network. Imagine that a vulnerability management tool, such as Qualys, has
scheduled a daily scan.
Create a placeholder

Before you begin, follow these suggestions:
- Use Qualys VM – List Scans to get all the latest scans from Qualys (the 30-day window is hard coded).
- Use the Expression Builder to extract the ID (REF) of the newest scan and insert it as a placeholder in the Download VM Scan Results action, which downloads the relevant report.
- Use List Operations to extract the list of vulnerability identifiers (CVEs) found on the network from the report and compare it to the CVEs from the case.
- Use an IPS alert to trigger the playbook.

1. Begin with an Active Directory_Enrich Entities action to enrich all potentially affected entities.
2. Use Qualys VM – List Scans to retrieve the latest scan results for the network machines.
3. Determine if any of the results are vulnerable to the detected flow.
4. Look at QualysVM_Download VM Scan Results_1. You should see the placeholder and the added Expression Builder.
Add the placeholder

To add the placeholder:
1. Click [ ] Placeholder. The Insert Placeholder dialog appears.
2. Select Playbook > QualysVM_list_Scans_1_JSONResult.
3. Click the Expression Builder icon; the Expression Builder screen appears.
4. In the Expression field, add the following expression. It uses max to take the latest result by the LAUNCH_DATETIME date and then extracts the scan ID of that scan, where REF is the scan ID:
   | max(LAUNCH_DATETIME) | REF
5. Click Run. The expected results should appear.
6. Click Insert to include the Expression Builder as part of the placeholder.
7. Click Action > List Operations, using the CVEs from the case together with the Expression Builder output, to compare the case CVEs with those in the downloaded report.
8. Once the playbook is triggered in real time, you can see the scan results in the side drawer, including the specific scan as a PDF file.
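The data selection behind this use case, as an added example (not code from the Google SecOps SOAR page or the Qualys integration): the same choice that `| max(LAUNCH_DATETIME) | REF` makes in the Expression Builder, followed by the CVE comparison the List Operations step is meant to perform, written out in plain Python over constructed sample data. The sample scans and report rows are made up; the field names REF and LAUNCH_DATETIME come from the page, everything else (STATUS, IP, CVE_ID, SEVERITY, the report shape) is an assumption.

```python
"""Added example: newest-scan selection and case-CVE comparison over
constructed Qualys-shaped data. Not the SOAR engine's own code."""
from datetime import datetime, timezone

# Constructed sample shaped like a QualysVM_List_Scans JSONResult. The scans
# are deliberately out of order so list position cannot be mistaken for recency.
LIST_SCANS_RESULT = [
    {"REF": "scan/1700000000.11111", "LAUNCH_DATETIME": "2025-08-26T02:00:07Z", "STATUS": "Finished"},
    {"REF": "scan/1700000000.33333", "LAUNCH_DATETIME": "2025-08-28T02:00:12Z", "STATUS": "Finished"},
    {"REF": "scan/1700000000.22222", "LAUNCH_DATETIME": "2025-08-27T02:00:09Z", "STATUS": "Finished"},
]


def _parse_launch(ts: str) -> datetime:
    # The sample uses ISO 8601 with a trailing Z (assumed format). Parse rather
    # than compare strings so a change of timestamp format cannot silently
    # pick the wrong scan.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def newest_scan_ref(scans: list) -> str:
    """Equivalent of `| max(LAUNCH_DATETIME) | REF`: the newest scan's REF."""
    if not scans:
        # An empty List Scans result would otherwise turn into an empty
        # placeholder and a failed download further down the playbook.
        raise ValueError("List Scans returned no scans; nothing to download")
    newest = max(scans, key=lambda s: _parse_launch(s["LAUNCH_DATETIME"]))
    return newest["REF"]


# Constructed stand-in for the findings in the downloaded VM scan report (one
# row per host and finding) and for the CVEs attached to the IPS case.
SCAN_REPORT = [
    {"IP": "10.0.1.15", "CVE_ID": "CVE-2021-44228", "SEVERITY": 5},
    {"IP": "10.0.1.15", "CVE_ID": "CVE-2019-0708", "SEVERITY": 5},
    {"IP": "10.0.2.40", "CVE_ID": "cve-2017-0144", "SEVERITY": 4},
]
CASE_CVES = ["CVE-2017-0144", "CVE-2021-44228", "CVE-2099-0001"]


def hosts_exposed_to_case(report: list, case_cves: list) -> dict:
    """The intersection the List Operations step computes: which hosts in the
    report carry a CVE that is also on the case. Identifiers are normalised
    (trimmed, upper-cased) so casing differences between tools do not hide a match."""
    wanted = {c.strip().upper() for c in case_cves}
    exposed = {}
    for row in report:
        cve = row["CVE_ID"].strip().upper()
        if cve in wanted:
            exposed.setdefault(row["IP"], []).append(cve)
    return exposed


if __name__ == "__main__":
    print("download REF:", newest_scan_ref(LIST_SCANS_RESULT))
    print("exposed hosts:", hosts_exposed_to_case(SCAN_REPORT, CASE_CVES))
```

Two things the one-line expression hides: an empty List Scans result must stop the playbook rather than produce an empty REF, and the CVE comparison should normalise identifiers before comparing, because scanners and case sources do not agree on casing.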
Use Case number two: Too Many Failed Login Attempts

This case assumes that you had failed login attempts and you want to figure out which department the user belongs to and when they last changed their password, in order to determine the severity of the alert.
In this playbook, you are going to use Active Directory to get more information. In the first action, you will use ActiveDirectory_Enrich entities to find out more about all the internal entities. In this Insight message, you want to show the user and the last time they logged in.

To add these placeholders:
1. In the Message field, click [ ] Placeholder.
2. In the Insert Placeholder screen, click the Expression Builder icon next to ActiveDirectory_Enrich entities_JSONResult.
3. Add the following in the Expression field. This selects the entity identifier; if more than one entity returned results, you get them as a comma-separated list:
   | Entity
4. Click Run; the sample result appears. In this case, user@domain.com.
5. Click Insert to use this as part of your placeholder message. Add the relevant free text to your message.
6. Click the Placeholder icon [ ] and then click the Expression Builder icon next to ActiveDirectory_Enrich entities_JSONResult.
7. Add the following expression. This captures the last logon time of the specified user:
   | EntityResult.lastLogon
8. Click Insert and then click Save.
9. Once the playbook is triggered in real time, a message on the Insight pane appears, showing the username and last login time.
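What `| Entity` and `| EntityResult.lastLogon` select from the enrichment result, and the conversion a practitioner needs before using that value to judge severity, as an added example (not code from the Google SecOps SOAR page or the Active Directory integration). The JSONResult shape is an assumption modelled on the field path the page gives; the sample entities, departments and timestamps are constructed. The raw form of lastLogon is assumed to be the Windows FILETIME integer that Active Directory itself stores; if the integration already returns a formatted date, the conversion step is not needed.

```python
"""Added example: selecting Entity and lastLogon from a constructed
ActiveDirectory_Enrich entities JSONResult and converting FILETIME values.
Not the SOAR engine's own code."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Active Directory stores lastLogon, lastLogonTimestamp and pwdLastSet as
# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC. 0 means "never".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample JSONResult: one object per enriched entity.
AD_ENRICH_RESULT = [
    {"Entity": "user@domain.com",
     "EntityResult": {"department": "Finance",
                      "lastLogon": "133716254540000000",      # 2024-09-24 04:24:14 UTC
                      "pwdLastSet": "133645620000000000"}},
    {"Entity": "svc-backup@domain.com",
     "EntityResult": {"department": "IT", "lastLogon": "0", "pwdLastSet": "0"}},
]


def entities(result: list) -> str:
    """`| Entity`: every enriched entity's identifier, comma separated when more
    than one entity returned results (as the page describes)."""
    return ", ".join(r["Entity"] for r in result)


def filetime_to_datetime(raw) -> Optional[datetime]:
    """Convert an AD FILETIME value (int or numeric string) to an aware datetime."""
    ticks = int(raw)
    if ticks == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_field(result: list, field: str) -> dict:
    """`| EntityResult.<field>` per entity, converted to a usable timestamp.
    Works for lastLogon (the page's example) and pwdLastSet (the password-change
    time the use case intro asks about)."""
    return {r["Entity"]: filetime_to_datetime(r["EntityResult"][field]) for r in result}


def severity_hint(result: list, now: datetime, stale_days: int = 90) -> dict:
    """Turn the enrichment into the judgement the use case is after: failed
    logins against a never-used or long-dormant account are more suspicious
    than against one that logged in today.

    Caveat: lastLogon is not replicated between domain controllers, so a value
    read from one DC can be stale; lastLogonTimestamp is replicated but only
    refreshed when older than roughly 14 days. Treat either as approximate."""
    out = {}
    for entity, seen in filetime_field(result, "lastLogon").items():
        if seen is None:
            out[entity] = "never logged on"
        elif now - seen > timedelta(days=stale_days):
            out[entity] = "dormant account"
        else:
            out[entity] = "recently active"
    return out


if __name__ == "__main__":
    print("message entities:", entities(AD_ENRICH_RESULT))
    print("last logon:", filetime_field(AD_ENRICH_RESULT, "lastLogon"))
    print("hint:", severity_hint(AD_ENRICH_RESULT, datetime.now(timezone.utc)))
```

The comma-separated identifier list is fine for an Insight message, but any later step that needs one entity per row should iterate the JSONResult rather than split that string.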
Use Case number three: VirusTotal

The action checks the reputation of a file hash on VirusTotal. In this example, you get a report for a specific file hash and extract the verdict (is it known to be malicious?) of a specific scan engine, in this case Kaspersky. Check whether Kaspersky marked the file hash as malicious and record that as an entity property.
In the first action, you will use VirusTotal_Scan Hash. Now, take a look at the next action, Siemplify_Create Or Update Entity Properties. This creates or changes properties for an entity; here the property is Detected by Kaspersky.

To add this placeholder:
1. In the Field Value field, click [ ] Placeholder.
2. In the Insert Placeholder screen, click the Expression Builder icon next to VirusTotal_ScanHash_JSONResult.
3. Add the following expression:
   | filter(EntityResult.scans.Kaspersky.detected, "=", "true") | Entity
   If you scanned more than one hash, it filters the results down to the entity objects that Kaspersky marked as malicious, and then returns just the entity name.
4. Click Insert and then click Save. Results will display at run time.
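The selection that `| filter(EntityResult.scans.Kaspersky.detected, "=", "true") | Entity` performs over a multi-hash result, as an added example (not code from the Google SecOps SOAR page or the VirusTotal integration). It goes a little beyond the page: the engine name is a parameter, a hash that the chosen engine did not scan is tolerated instead of aborting the lookup, and a minimum-positives variant is shown beside the single-vendor check. The JSONResult shape is an assumption modelled on the field path given on the page; the three hashes and all verdicts are constructed sample data, not real VirusTotal output.

```python
"""Added example: engine-detection filter over a constructed multi-hash
VirusTotal_ScanHash JSONResult. Not the SOAR engine's own code."""

# Constructed sample: three hashes were scanned. The second lacks a Kaspersky
# entry entirely, which is the case a strict path lookup trips over.
VT_SCAN_RESULT = [
    {"Entity": "44d88612fea8a8f36de82e1278abb02f",
     "EntityResult": {"positives": 62, "total": 70,
                      "scans": {"Kaspersky": {"detected": True, "result": "EICAR-Test-File"},
                                "ClamAV": {"detected": True, "result": "Eicar-Signature"}}}},
    {"Entity": "d41d8cd98f00b204e9800998ecf8427e",
     "EntityResult": {"positives": 0, "total": 70,
                      "scans": {"ClamAV": {"detected": False, "result": None}}}},
    {"Entity": "5d41402abc4b2a76b9719d911017c592",
     "EntityResult": {"positives": 3, "total": 70,
                      "scans": {"Kaspersky": {"detected": True, "result": "HEUR:Trojan.Generic"},
                                "ClamAV": {"detected": False, "result": None}}}},
]


def _path(obj, dotted: str, default=None):
    """Walk a dotted path such as 'EntityResult.scans.Kaspersky.detected'.
    A missing key yields `default` instead of raising, so one hash without
    that engine does not break the placeholder for the others."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def _is_true(value) -> bool:
    # The Expression Builder compares against the string "true"; the JSON
    # carries a boolean. Accept both so the check matches either form.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def detected_by(result: list, engine: str) -> list:
    """The page's expression with the engine name as a parameter: entities
    whose hash the named engine flagged."""
    return [r["Entity"] for r in result
            if _is_true(_path(r, f"EntityResult.scans.{engine}.detected"))]


def detected_by_at_least(result: list, min_positives: int) -> list:
    """Threshold variant: entities flagged by at least N engines. Usually a
    sturdier property to write back than a single vendor's verdict."""
    return [r["Entity"] for r in result
            if (_path(r, "EntityResult.positives") or 0) >= min_positives]


def engine_verdicts(result: list, engine: str) -> dict:
    """Entity -> detection name for the engine, or None when it did not scan
    the hash; useful as the value of a 'Detected by <engine>' property."""
    return {r["Entity"]: _path(r, f"EntityResult.scans.{engine}.result") for r in result}


if __name__ == "__main__":
    print("Kaspersky detections:", detected_by(VT_SCAN_RESULT, "Kaspersky"))
    print(">=5 positives:", detected_by_at_least(VT_SCAN_RESULT, 5))
    print("verdicts:", engine_verdicts(VT_SCAN_RESULT, "Kaspersky"))
```

When the property value is written back with Create Or Update Entity Properties, the per-engine detection name from `engine_verdicts` is more useful to an analyst than the bare entity list, because it records why the hash was flagged.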
Last updated 2025-08-29 UTC.