Forum Discussion
akshay250692
Aug 10, 2022 | Brass Contributor
Playbook is not running
Hi Team, please help me resolve this issue. We have created one playbook for outbound traffic to ThreatIntel. But after some time it is giving a blank Excel sheet. Before that it provided results 2-3 times...
akshay250692
Brass Contributor
Where do we have to add these lines? The expression is failing.
Clive_Watson
Aug 11, 2022 | Bronze Contributor
Here you can see the two lines above the arrow that match your query, then you can add either of my suggestions where the arrow is. Later lines will fail, as the columns they need won't be there, so for testing you should remove the lines after the join.
I'd do some testing with a reduced set of KQL, something like this, to get this section optimized:
let deviceIP = dynamic(['fakeComputer']); // placeholder firewall name to exclude
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor =~ "Palo Alto Networks" and DeviceProduct =~ "PAN-OS" //and Activity =~ "traffic"
| where DeviceAction !in ("reset-both", "deny", "reset-server", "reset-client")
//| where DeviceCustomString5 in~ ("outside","Outside","Outside-ISP2", "untrust", "PRISMA_INSIDE")
| where Computer !in (deviceIP)
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
// use this
//| summarize count(), make_set(SourceIP) by Computer, DeviceAction, bin(CommonSecurityLog_TimeGenerated,1d)
//or maybe this
| summarize count(), make_set(SourceIP), arg_max(CommonSecurityLog_TimeGenerated, Computer) by DeviceAction
akshay250692
Aug 11, 2022 | Brass Contributor
My requirement is to match the destination IP which is common in the watchlist fw and ThreatIntelligenceIndicator. If I remove the part after the join operator, then how will it match? I have to match CommonSecurityLog with the ThreatIntelligenceIndicator table. Playbook name is "OutboundTraffictoThreatIntelIPsReport".
Clive_Watson
Aug 11, 2022 | Bronze Contributor
I was only suggesting to remove this for "testing" / short term, as when you summarize, the columns needed by any later extend or project will be removed or renamed, so you need to know what to add back.
e.g. just remove this until you are happy it's working, then slowly add it back (often you don't need to project if you have previously used summarize):
| project TrafficTimestamp = CommonSecurityLog_TimeGenerated, SourceIP, SourceTranslatedAddress, Source_Port=strcat(SourcePort), SourceUserName, DestinationIP, Destination_port=strcat(DestinationPort), ApplicationProtocol, Firewall_Action = DeviceAction, Packets= DeviceCustomNumber2, Rule= DeviceCustomString1, Firewall =Computer, IOC_Tag = Tags, IOC_Expiration = ExpirationDateTime, IOC_Source = Description
akshay250692
Aug 11, 2022 | Brass Contributor
The query is running only for a single workspace, not for all simultaneously, but still we are not getting any result. So I think I have to create this playbook for all regions separately, as Gary already told.
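The point Clive makes above, that a summarize drops every column it does not aggregate or group by, so a later join or project has to reference only what survives, is easiest to see in a full query. The following KQL is an added example written for this page, not code from either poster or from the playbook "OutboundTraffictoThreatIntelIPsReport". It keeps the PAN-OS filters from Clive's snippet, carries the columns the final project needs through the summarize, and only then joins on ThreatIntelligenceIndicator (NetworkIP, Active, ExpirationDateTime, Tags and Description are standard columns of that table). The firewall exclusion list 'fakeComputer' is the same placeholder as in the thread; the watchlist mentioned by akshay250692 is not shown because its alias and schema are not on the page.

```kusto
// Added example, not part of the original thread.
let lookback = 7d;
let excludedFirewalls = dynamic(['fakeComputer']);   // placeholder, as in Clive's snippet
// Current, non-expired IP indicators; arg_max keeps the latest copy of each indicator.
let activeIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorIP = NetworkIP, Tags, ExpirationDateTime, Description;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor =~ "Palo Alto Networks" and DeviceProduct =~ "PAN-OS"
| where DeviceAction !in ("reset-both", "deny", "reset-server", "reset-client")
| where Computer !in (excludedFirewalls)
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
// Everything the final project refers to must be an aggregate or a 'by' column here;
// any other column (SourceUserName, DeviceCustomString1, ...) no longer exists afterwards.
| summarize TrafficTimestamp = max(CommonSecurityLog_TimeGenerated), Hits = count()
    by Computer, DeviceAction, SourceIP, DestinationIP, DestinationPort
// Join after the summarize so the indicator columns are added to the reduced row set.
| join kind=inner activeIndicators on $left.DestinationIP == $right.IndicatorIP
| project TrafficTimestamp, SourceIP, DestinationIP,
          Destination_port = tostring(DestinationPort), Hits,
          Firewall_Action = DeviceAction, Firewall = Computer,
          IOC_Tag = Tags, IOC_Expiration = ExpirationDateTime, IOC_Source = Description
```

When testing, run the query up to the summarize first and confirm rows come back; if that part returns nothing for the last 7 days the blank report is a data or filter problem, not a join problem. Each column added back to the project after that must appear in the summarize (as a 'by' column or an aggregate) or come from the right side of the join, otherwise the query fails to compile exactly as described in the thread.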