Break or Decision step referencing a variable that is never created

An attachment analysis is being sent to a tool that does not accept the file it is receiving.
I figured out how to use the variable to stop the loop, but the top-level loop is asking for the verdict.

How do I, in the Matching expression, say
[[#if [{{["Submit file"].[submission].[supported_file_type]}} = false]

we don't need a verdict
{{/if}}

{{#elseif [
{{["Get Final File Verdict"].[verdict]}} = "Malware"
OR
{{["Get Final File Verdict"].[verdict]}} = "Greyware"
OR
{{["Get Final File Verdict"].[verdict]}} = "Phishing"
{{/elseif}}

or is there some other way to bypass a not-found variable?

PS: Please include a resource on the proper formatting of Python for use in iConn.

If you want to check if a variable is set you can use

is_defined({{var}})

https://docs.rapid7.com/insightconnect/format-query-language/#functions


Some examples in the FQL documentation would be helpful.
The below is not accepted:

is_defined({{["Get Final File Verdict"].[verdict]}})
{{["Get Final File Verdict"].[verdict]}} = "Malware"
OR
{{["Get Final File Verdict"].[verdict]}} = "Greyware"
OR
{{["Get Final File Verdict"].[verdict]}} = "Phishing"

I wouldn’t try all that in the same decision.

Make a decision that’s:

is_defined()

Then if that’s true do:

{{["Get Final File Verdict"].[verdict]}} = "Malware"
OR
{{["Get Final File Verdict"].[verdict]}} = "Greyware"
OR
{{["Get Final File Verdict"].[verdict]}} = "Phishing"

This might also work for you (add AND, group the ORs):

is_defined({{["Get Final File Verdict"].[verdict]}}) AND (
{{["Get Final File Verdict"].[verdict]}} = "Malware"
OR
{{["Get Final File Verdict"].[verdict]}} = "Greyware"
OR
{{["Get Final File Verdict"].[verdict]}} = "Phishing"
)

Personally, I use if_error() constantly in decision steps to test if a variable exists and use a default if it doesn't:

if_error(variable that may not exist, default to use if it doesn't exist) = "whatever"

Throwing my hands up here.
May I submit a feature request for the Palo Wildfire plugin?
Unsupported files shouldn't be sent to Wildfire.
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts/file-analysis.html#idafc1854f-0fc2-4de1-a479-734ee56988ac
I think this is a pretty good list of what WF will accept: 7z,dll,dng,fon,lnk,ooxml,pkg,ps1,vbs,bat,docx,elf,hta,js,mach-o,pdf,pe,ppt,pptx,rar,rtf,xls,xlsx

You can check the file extension prior to submitting the file to Wildfire.

step 1: create a global artifact and put the “acceptable” extensions into it, including the . so .7z. This global artifact can be used anyplace you need to know what file types wildfire supports.
step 2: extract the file extension from the filename in your workflow (using pattern match - include the dot in your match - something like {{extension:/\.[^.]+/}}$)
step 3: do a global artifact lookup using the ‘contains’ option. Basically, you’re looking to see if the file extension is in your “approved” list.
step 4: have a decision step - if the global artifact lookup step “found” a match, run the file through wildfire, otherwise skip wildfire.

This is basically the same technique used to “whitelist” urls or domains.

It may not be 100% since I believe wildfire isn’t a simple file extension test - I think it actually looks at the format of the file name - but it gets you close.
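The four steps above, written out as a Python script step. This is an added example, not code from the thread or from Rapid7 or Palo Alto: the allowed-extension set stands in for the global artifact and is built from the list quoted earlier in the thread, the regex is the one suggested in step 2, and the magic-byte table is an assumption that approximates the content check the reply says WildFire really does for entries in that list (pe, elf, mach-o, ooxml) that are formats rather than extensions. The sample attachments at the bottom are constructed.

```python
import re
from typing import Optional, Tuple

# Step 1 stand-in for the global artifact: extensions WildFire accepts, dot
# included (constructed from the list quoted in the thread). The entries in
# that list that are file formats rather than extensions (pe, elf, mach-o,
# ooxml) cannot be matched on a filename, so they are handled by content
# sniffing below; ooxml is already covered by .docx/.xlsx/.pptx.
WILDFIRE_EXTENSIONS = {
    ".7z", ".dll", ".dng", ".fon", ".lnk", ".pkg", ".ps1", ".vbs", ".bat",
    ".docx", ".hta", ".js", ".pdf", ".ppt", ".pptx", ".rar", ".rtf",
    ".xls", ".xlsx",
}

# Step 2: the reply's pattern, anchored so only the final extension is taken.
EXTENSION_RE = re.compile(r"\.[^.]+$")

# Assumption: these well-known magic prefixes approximate WildFire's own type
# detection for the format-only entries. Extend as needed.
MAGIC_PREFIXES = {
    "pe": (b"MZ",),
    "elf": (b"\x7fELF",),
    "mach-o": (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"),
}


def extract_extension(filename: str) -> Optional[str]:
    """Step 2: the extension with its dot, lower-cased, or None if there is none."""
    match = EXTENSION_RE.search(filename)
    return match.group(0).lower() if match else None


def sniff_format(data: bytes) -> Optional[str]:
    """Content check for the format-only entries: the format name, or None."""
    for fmt, prefixes in MAGIC_PREFIXES.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    return None


def should_submit(filename: str, data: bytes) -> Tuple[bool, str]:
    """Steps 3 and 4: the 'contains' lookup plus the decision. Returns (submit, reason)."""
    ext = extract_extension(filename)
    if ext in WILDFIRE_EXTENSIONS:
        return True, f"extension {ext} is in the allow list"
    fmt = sniff_format(data)
    if fmt is not None:
        return True, f"content looks like {fmt}"
    return False, f"extension {ext!r} not supported and content not recognised"


if __name__ == "__main__":
    # Constructed sample attachments: (filename, first bytes of content).
    samples = [
        ("invoice.PDF", b"%PDF-1.7"),
        ("update.exe", b"MZ\x90\x00\x03"),   # .exe is not in the list, but the content is PE
        ("backup.tar.gz", b"\x1f\x8b\x08"),   # only .gz is seen, and it is unsupported
        ("README", b"plain text"),            # no extension at all
    ]
    for name, head in samples:
        submit, why = should_submit(name, head)
        print(f"{name:15} -> {'submit' if submit else 'skip':6} ({why})")
```

Note that the extension list alone would skip `update.exe`, because the thread's list names the format (pe) rather than the extension; the content check is what catches it. The regex only ever sees the last extension, so `backup.tar.gz` is judged on `.gz`.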

I personally think there’s value in submitting an unsupported file to Wildfire simply because it tells you what type of file it isn’t.
You could submit everything to wildfire and use a decision point after the wildfire step to ‘normalize’ everything:

  • set the wildfire step to "continue on failure"
  • have a decision point checking if wildfire succeeded
    • two paths: succeeded, and failed
  • join step called "Wildfire Results" - with a single variable called "Verdict"
    • if your decision took the "succeeded" path, the verdict is the wildfire.[verdict] variable
    • if your decision took the "failed" path, the verdict is "Unsupported File"

Continue on with your workflow using the join-step output instead of the wildfire output, confident that it'll always have a value!

This pattern is an easy way to set a “default value” in InsightConnect.
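The "default value" pattern from this reply, together with the if_error() fallback from the earlier reply, in Python as you might write it in a Python script step. This is an added example, not code from the thread, from Rapid7, or from the Palo Alto plugin: `wildfire_get_verdict` is a constructed stand-in that only models "the step fails on an unsupported file", and the supported-type set and hash prefixes it uses are made up for illustration.

```python
from typing import Any, Callable, Dict

UNSUPPORTED_VERDICT = "Unsupported File"
BAD_VERDICTS = {"Malware", "Greyware", "Phishing"}

# Constructed stand-in for what the WildFire step will accept.
_SUPPORTED_TYPES = {"pdf", "pe", "docx"}


class WildFireError(Exception):
    """Stand-in for the plugin step failing."""


def wildfire_get_verdict(file_type: str, sha256: str) -> Dict[str, Any]:
    """Constructed stand-in: succeeds for supported types, raises otherwise.
    The verdict is keyed off the hash only so the example is deterministic."""
    if file_type not in _SUPPORTED_TYPES:
        raise WildFireError(f"unsupported file type: {file_type}")
    verdict = "Malware" if sha256.startswith("bad") else "Benign"
    return {"verdict": verdict, "sha256": sha256}


def if_error(lookup: Callable[[], Any], default: Any) -> Any:
    """Python equivalent of FQL if_error(expr, default): evaluate the
    lookup, and fall back to the default if the variable is not there."""
    try:
        return lookup()
    except (KeyError, TypeError, AttributeError):
        return default


def run_with_continue_on_failure(file_type: str, sha256: str) -> Dict[str, Any]:
    """The WildFire step with 'continue on failure': never raises, and
    records whether it succeeded so the decision step can branch on it."""
    try:
        return {"success": True, "output": wildfire_get_verdict(file_type, sha256)}
    except WildFireError as exc:
        return {"success": False, "error": str(exc), "output": {}}


def join_results(step: Dict[str, Any]) -> Dict[str, str]:
    """The 'Wildfire Results' join step: Verdict always has a value."""
    if step["success"]:
        return {"Verdict": step["output"]["verdict"]}
    return {"Verdict": UNSUPPORTED_VERDICT}


def needs_action(joined: Dict[str, str]) -> bool:
    """The decision from the original question, now evaluated against a
    variable that is guaranteed to exist."""
    return joined["Verdict"] in BAD_VERDICTS


def analyse(file_type: str, sha256: str) -> bool:
    """Whole pipeline: submit, normalise, decide."""
    return needs_action(join_results(run_with_continue_on_failure(file_type, sha256)))


if __name__ == "__main__":
    # Constructed inputs: a supported malicious file, a supported clean file,
    # and an unsupported file that would otherwise leave [verdict] undefined.
    for ftype, digest in [("pdf", "bad0a1"), ("docx", "c0ffee"), ("txt", "bad0a1")]:
        step = run_with_continue_on_failure(ftype, digest)
        joined = join_results(step)
        print(f"{ftype:5} success={step['success']!s:5} Verdict={joined['Verdict']!r} "
              f"needs_action={needs_action(joined)}")

    # The same missing-variable problem handled inline, if_error() style.
    outputs: Dict[str, Any] = {}  # "Get Final File Verdict" never ran
    print(if_error(lambda: outputs["Get Final File Verdict"]["verdict"], "none"))
```

The unsupported `.txt` sample never raises, comes out of the join as `"Unsupported File"`, and the decision evaluates to False instead of failing on a variable that was never created. Whether an unsupported file should instead route to a separate review path is a workflow decision; the point of the join is only that the variable always exists.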