Loop Use Cases
Foreach loops iterate through a list by repeating an array across one or more actions.

Scenario: Filter phishing emails, loop, parse, enrich, and aggregate results

Zareen is an orchestrator who needs to send a Slack message to her team with the list of IOCs from phishing emails. There are a few ways to accomplish this, but Zareen wants to use the foreach loop feature to iterate through the list by repeating an array across several actions.

Zareen uses the Gmail List Emails action and Google Workspace asset to ingest emails. Then she creates the loop action. Zareen gives the foreach loop a title and configures her actions. She filters for emails with “phishing” in the body of the email, parses the IOCs from those emails, and enriches the data using a VirusTotal action. After, she’ll aggregate the verdict within the foreach loop, pass the results to the final action, and broadcast a message via Slack.

Let’s take a look!

First, Zareen refers to the Get Gmail Emails List use case on how to install and configure the Google Workspace connector.

Next, she needs to use the Swimlane content to install a VIC for later use in the playbook. She searches for and installs the Get Enrichment from VirusTotal VIC from the Swimlane content.

From the playbook, add the Get Emails Gmail action and configure it with your Microsoft Gmail asset to add credentials, delegate account, and userid information.

After applying the changes, Zareen wants to create her foreach loop. Click the On Success action flow and add the Loop action.

Zareen's ready to configure the foreach loop with downstream actions. To return emails with phishing in the body, she adds the IOC Parser action and configures another property. Scroll through the properties, and click the + Include icon for the Text Body property. It moves to the top of the inputs. In the Text Body field, click Select a property, then click Expression. Enter $actions filter emails phishing result text body and click Apply.

To get an observable array, Zareen needs to use Python to retrieve complex data. She selects the Transform Data action, then switches to advanced mode, and changes the title to reflect the block action: Find IOC Results. Enter the following code and apply changes.

Add the Get Enrichment from VT VIC. To configure the VIC, open the Get Enrichment from VirusTotal playbook, then click the Search action. Verify the URL and API key are configured in the VT asset.

Now for the final in-loop action. Zareen wants to publish the enriched aggregated results into a Slack message. She uses the Transform Data action and switches to advanced mode. She changes the title to reflect the block action: Aggregate Verdict. Enter the following code and apply changes.

actions enrichment from vt published

The last action takes place outside the foreach loop. Zareen is ready to send the aggregated results as a message via Slack. Click the foreach loop box to highlight it. The action flow icon displays. Zareen selects the On Success action flow, then adds her final action. Add the Broadcast Message action.

The aggregated foreach loop results only come from the last action in the foreach loop, so Zareen is finished. The message of IOCs from phishing emails will be sent in a Slack message.

Conclusion

Zareen successfully used loops, Transform Data actions, and an enrichment VIC to save time ingesting, filtering, and enriching data to identify and reduce MTTR for phishing emails.
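
The filter, parse, enrich, and aggregate flow of this scenario, written as plain Python. This is an added example, not Swimlane's code or the playbook's own Transform Data snippets. The sample emails, the VERDICTS lookup standing in for the VirusTotal enrichment output, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample emails (not from the page).
EMAILS = [
    {"id": "m1", "text_body": "Phishing alert: hxxp://login-update[.]example/reset from 203.0.113.7"},
    {"id": "m2", "text_body": "Lunch menu for Friday is attached."},
    {"id": "m3", "text_body": "Reported phishing. Payload sha256 " + "a" * 64 + " and 203.0.113.7"},
]
# Constructed stand-in for the enrichment step's output (assumption, not VirusTotal data).
VERDICTS = {"203.0.113.7": "malicious", "http://login-update.example/reset": "suspicious"}

PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.I),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}

def refang(text):
    """Undo common defanging so the patterns match (hxxp -> http, [.] -> .)."""
    return re.sub(r"hxxp", "http", text, flags=re.I).replace("[.]", ".")

def parse_iocs(body):
    """Return sorted, de-duplicated (type, value) pairs found in one email body."""
    text = refang(body)
    found = set()
    for kind, pattern in PATTERNS.items():
        found.update((kind, m.rstrip(".,;)")) for m in pattern.findall(text))
    return sorted(found)

def run_loop(emails, verdicts):
    """Filter -> parse -> enrich -> aggregate, one iteration per email."""
    results = {}
    for email in emails:
        if "phishing" not in email["text_body"].lower():
            continue  # filter step: skip emails without the keyword
        for kind, value in parse_iocs(email["text_body"]):
            entry = results.setdefault(value, {"type": kind, "emails": [],
                                               "verdict": verdicts.get(value, "unknown")})
            entry["emails"].append(email["id"])
    return results

def slack_message(results):
    """Build the text that the final broadcast step would send."""
    counts = Counter(r["verdict"] for r in results.values())
    summary = ", ".join(f"{k}={n}" for k, n in sorted(counts.items()))
    lines = [f"Phishing IOCs: {len(results)} ({summary})"]
    lines += [f"- [{r['verdict']}] {r['type']} {v} (emails: {', '.join(r['emails'])})" for v, r in sorted(results.items())]
    return "\n".join(lines)
```

Aggregating by IOC value rather than by email means an indicator seen in several messages is enriched and reported once, with every source email listed beside it.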