Break or Decision step referencing a variable that is nevere created

heather_hall · March 24, 2021, 11:33pm

An attachement analysis is being sent to a tool that does not accept the file it is recieving.
I figured out how the variable to stop the loop but the top level loop is asking for the verdict.

How do I, in the Matching expression, say
[[#if [{{[“Submit file”].[submission].[supported_file_type]}} = false]

we don’t need a verdict
{{/if}}

{{#elseif [
{{[“Get Final File Verdict”].[verdict]}} = “Malware”
OR
{{[“Get Final File Verdict”].[verdict]}} = “Greyware”
OR
{{[“Get Final File Verdict”].[verdict]}} = “Phishing”
{{/elseif}}

or is these someother way to bypass an not found variable?

PS Please include a resource for the proper formatting of python for use in iConn.

philipp_behmer · March 25, 2021, 10:38am

If you want to check if a variable is set you can use

is_defined({{var}})

https://docs.rapid7.com/insightconnect/format-query-language/#functions

heather_hall · March 30, 2021, 6:05pm

Some examples in the FQL documenation would be helpful.
The below is not accepted.

is_defined({{[“Get Final File Verdict”].[verdict]}})
{{[“Get Final File Verdict”].[verdict]}} = “Malware”
OR
{{[“Get Final File Verdict”].[verdict]}} = “Greyware”
OR
{{[“Get Final File Verdict”].[verdict]}} = “Phishing”

joey_mcadams · March 30, 2021, 6:22pm

I wouldn’t try all that in the same decision.

Make a decision that’s:

is_defined()

Then if that’s true do:

{{[“Get Final File Verdict”].[verdict]}} = “Malware”
OR
{{[“Get Final File Verdict”].[verdict]}} = “Greyware”
OR
{{[“Get Final File Verdict”].[verdict]}} = “Phishing”

This might also work for you (add AND, group the or’s):

is_defined({{[“Get Final File Verdict”].[verdict]}}) AND (
{{[“Get Final File Verdict”].[verdict]}} = “Malware”
OR
{{[“Get Final File Verdict”].[verdict]}} = “Greyware”
OR
{{[“Get Final File Verdict”].[verdict]}} = “Phishing”
)

elijah_martin-merrill · March 30, 2021, 6:19pm

Personally, I use if_error() constantly in decision steps to test if a variable exists and use a default if it doesn’t. if_error(variable that may not exist, default to use if it doesn’t exist) = “whatever”

heather_hall · March 30, 2021, 7:13pm

Throwing my hands up here.
May I request a feature request to the Palo Wildfire plugin.
Unsupported files shouldn’t be sent to Wildfire.
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts/file-analysis.html#idafc1854f-0fc2-4de1-a479-734ee56988ac
I think this is a pretty good list of what WF will accept: 7z,dll,dng,fon,lnk,ooxml,pkg,ps1,vbs,bat,docx,elf,hta,js,mach-o,pdf,pe,ppt,pptx,rar,rtf,xls,xlsx

elijah_martin-merrill · March 30, 2021, 7:50pm

You can check the file extension prior to submitting the file to Wildfire.

step 1: create a global artifact and put the “acceptable” extensions into it, including the . so .7z. This global artifact can be used anyplace you need to know what file types wildfire supports.
step 2: extract the file extension from the filename in your workflow (using pattern match - include the dot in your match - something like {{extension:/\.[^.]+/}}$)
step 3: do a global artifact lookup using the ‘contains’ option. Basically, you’re looking to see if the file extension is in your “approved” list.
step 4: have a decision step - if the global artifact lookup step “found” a match, run the file through wildfire, otherwise skip wildfire.

This is basically the same technique used to “whitelist” urls or domains.

It may not be 100% since I believe wildfire isn’t a simple file extension test - I think it actually looks at the format of the file name - but it gets you close.

I personally think there’s value in submitting an unsupported file to Wildfire simply because it tells you what type of file it isn’t.
You could submit everything to wildfire and use a decision point after the wildfire step to ‘normalize’ everything:

set the wildfire step to “continue on failure”
have a decision point checking if wildfire succeeded
- two paths: succeeded, and failed
join step called “Wildfire Results” - with a single variable called “Verdict”
- if your decision took the “succeeded” path, the verdict is the wildfire.[verdict] variable
- if your decision took the “failed” path, the verdict is “Unsupported File”
  Continue on with your workflow using the join-step output instead of the wildfire output, confident that it’ll always have a value!

This pattern is an easy way to set a “default value” in InsightConnect.