ICON decision path error

Hello,

I’m new to ICON and I’m running into an issue with building a workflow. I’ve created a workflow that starts with an ABA trigger for all process start events. I have inserted a decision path where the hash reputation will be checked:
decision path

I’ve set the default path to ‘Malicious’ with the following expression:
(({{["ABA Trigger"].[alert].[process].[hash_reputation].[reputation]}}="Malicious" OR
{{["ABA Trigger"].[alert].[process].[hash_reputation].[reputation]}}="Suspicious") AND
{{["ABA Trigger"].[alert].[process].[hash_reputation].[threat_level]}}="Critical")
OR
(({{["ABA Trigger"].[alert].[parent_process].[hash_reputation].[reputation]}}="Malicious" OR
{{["ABA Trigger"].[alert].[parent_process].[hash_reputation].[reputation]}}="Suspicious") AND
{{["ABA Trigger"].[alert].[parent_process].[hash_reputation].[threat_level]}}="Critical")

When I test the workflow, it runs fine when I set the hash reputation to ‘malicious’. But when I leave it blank or set it to ‘known’, I receive the following error:
error

I think I’m missing a step here but I can’t seem to figure out what.

The variable reputation wasn’t defined generally means it doesn’t exist.

If you create a workflow that captures ABA process start events and look at the data that comes through in the trigger, are those values always present?

I have a workflow that captured a process start event from the ABA trigger and Parent Process does not have a reputation value. Only Process does.

So you need to account for the scenario where a variable may not exist. is_defined helps with this.

If your goal is to set Malicious as default then you do not need to create the logic for what is malicious. You need to create the logic for what is not malicious.


Two things:

  1. you might need to first check if the member is present
    is_defined({{["ABA Trigger"].[alert].[process].[hash_reputation].[reputation]}})

  2. I’m not sure if AND and OR work, I always use && and ||

Using is_defined to first check if the member is present was the solution.
Thank you @brandon_mcclure !!!
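
A Python model of the failure and the fix discussed in this thread, added here as an example; it is not ICON's expression engine and not code posted by anyone above. The payload shape follows the variable paths in the question; the event values, the function names and the short-circuit evaluation of AND/OR are assumptions.

```python
# Model of the decision step from this thread; not ICON's own expression engine.
class UndefinedVariable(Exception):
    """Stands in for the workflow error raised when a variable does not exist."""

def lookup(payload, path):
    """Strict reference, like a bare {{...}}: fails if any key on the path is missing."""
    node = payload
    for key in path:
        if not isinstance(node, dict) or key not in node:
            raise UndefinedVariable(".".join(path))
        node = node[key]
    return node

def is_defined(payload, path):
    """Model of the is_defined() guard: True only if the whole path resolves."""
    try:
        lookup(payload, path)
    except UndefinedVariable:
        return False
    return True

def flagged_unguarded(payload, proc):
    """The original test for one process entry, with no existence check."""
    base = ("alert", proc, "hash_reputation")
    return (lookup(payload, base + ("reputation",)) in ("Malicious", "Suspicious")
            and lookup(payload, base + ("threat_level",)) == "Critical")

def flagged_guarded(payload, proc):
    """Same test, evaluated only when both fields exist (assumes short-circuit AND)."""
    base = ("alert", proc, "hash_reputation")
    return (is_defined(payload, base + ("reputation",))
            and is_defined(payload, base + ("threat_level",))
            and flagged_unguarded(payload, proc))

def decide(payload, flagged):
    """True if either the process or its parent is flagged."""
    return any(flagged(payload, p) for p in ("process", "parent_process"))

# Constructed events; in the first two the parent process has no hash_reputation.
BAD_REP = {"reputation": "Malicious", "threat_level": "Critical"}
KNOWN = {"alert": {"process": {"hash_reputation": {"reputation": "Known",
                                                   "threat_level": "None"}},
                   "parent_process": {}}}
BAD = {"alert": {"process": {"hash_reputation": BAD_REP}, "parent_process": {}}}
PARENT_BAD = {"alert": {"process": {}, "parent_process": {"hash_reputation": BAD_REP}}}

if __name__ == "__main__":
    for name, event in (("KNOWN", KNOWN), ("BAD", BAD), ("PARENT_BAD", PARENT_BAD)):
        print(name, "->", "Malicious" if decide(event, flagged_guarded) else "not flagged")
```

In this model the unguarded form succeeds on `BAD` only because evaluation stops before the parent process fields are read; on `KNOWN` it reaches the missing parent field and raises.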