Scripts
As analysts and security professionals, you have knowledge on writing simple scripts in Python, and while Turbine allows you to write more complex code with JSONata, you can also use a native action for simple functions.

Note: For boolean and null data types, we recommend importing json and using json.loads(<my ref>) to ensure the data loads correctly, since all playbook data is JSON and Python does not support all JSON types natively.

- Use the controlled Script native action and write with Python to manipulate data and edge cases.
- Reduce the complexity that comes with using JSONata.
- Use the most common programming language in security today to do simple tasks.

Turbine uses Python 3.11 and can access all the libraries in the Python standard library (https://docs.python.org/3.11/library/index.html). You can also use NumPy (https://numpy.org/doc/stable/index.html) version 1.25.2 and Pendulum (https://pendulum.eustace.io/) version 2.1.2.

When configuring inputs, consider using the Swimlane Python Chatbot, which uses OpenAI's ChatGPT to help you formulate transformations and customized Python code. See Using the Swimlane Python Chatbot for information.

Script Native Action Set Up

Time to start the basic set up for the Script native action. You have already created a playbook, and you are ready to manipulate data from a property.

1. From your playbook, click Add an action.
2. From the Action panel, click the Action drop-down menu.
3. Select Script, then click Configure. The Script window opens.

The Script window has three tabs: Script, Outputs, and Test. The Script tab has the Inputs pane (on the left side) and the Script pane (on the right side).

Script Inputs

With the Script native action, you can build and map static and playbook property data inputs to reference data in the Python Script native action. The current playbook properties you can add are:

- String
- Number
- Boolean
- Object
- Array
- Attachment

Before you can test, set up your script inputs. Let's take a look at a quick example on how to set up inputs and use the Script pane. The Script pane shows helpful information, such as restrictions, available global variables, and a link to the Swimlane Turbine user guide.

1. From the Script tab, on the Inputs pane, click Add Property to define inputs, including any sub-input properties they may have.
2. Click the pencil icon to edit the name of the property. In the example image, you can see a numeric input with a VirusTotal property mapped to it.
3. Write your code in the Script pane on the right. In the example image, the Python script obtains the last malicious score input, verifies whether it meets the malicious score threshold, and assigns the result.

Great! You have entered the inputs and the Python script.

Script Output Tab

The Outputs tab allows you to select all outputs provided by the action and promote them. The Outputs tab also allows you to mark the data as sensitive.

You can promote an action output by clicking the Promote button next to the action type in the Action Outputs list. The promoted action output is displayed in the Promoted Playbook Outputs section. You can remove the promoted output by clicking the Remove button next to the promoted output.

Marking Data as Sensitive

You can mark the promoted data as sensitive so that it is encrypted or it is not visible. To mark the data as sensitive, click the Mark as Sensitive option next to the Promote button in the Action Outputs list. You can remove the sensitive marking by clicking Marked as Sensitive.

Script Testing

Want to test your script action before continuing to build your playbook?
In the Script action, from the Test tab, you can view the inputs on the left and the script on the right.

Note: You will notice that "Attachment" fields are not shown in the Test tab inputs. Attachments currently cannot be used in test runs of the action; you will have to do a full playbook test to test attachment inputs.

The Result pane at the bottom shows the tested results. Just like Discovered Outputs and Testing in an HTTP action, results vary, so in addition to the base of property types, and depending on the inputs you select, the action outputs may return additional properties. These are the discovered outputs, which you can promote and/or delete from the Outputs tab.

See a Script Test Use Case for an example on testing the Script native action.

Script Attachment

If you need to return an attachment or use an attachment as an input in the Script native action, follow the instructions below.

Output Attachment

In your playbook, follow the instructions below to configure an output attachment.

1. From the Action drop-down menu, select Script.
2. Let's title this action Return Attachment and click Configure. There are two ways to write Python code to return an attachment. Let's look!
3. Under Script, enter the following code. The test.txt placeholder is the name of your attachment. You can also write the code as follows.
4. Click Apply to save changes.

Input Attachment

You can use an attachment input in a Python script using a Script native action.

1. From the Action drop-down menu, select Script.
2. Let's title this action Input Attachment and click Configure.
3. Click Add Property and select Attachment. You can click the pencil icon to edit the name. For example, you can change the name to file1.
4. Click Select a property and select Playbook Property.
5. The Playbook Property drawer opens and, based on the example, you would select the object for the first file.
6. Then return to Inputs and repeat steps 4 and 5, but add the object for the second file.
7. Under Script, enter the following code:

    # Open the attachment mapped to the file1 input; the with block closes it afterwards.
    with action_inputs['file1'].open() as file1:
        action_outputs['file1_text'] = file1.read()          # attachment contents
        action_outputs['file1_size'] = file1.size()          # attachment size
        action_outputs['file1_mimetype'] = file1.mimetype()  # attachment MIME type

   You can get the size of the attachment using the size() method, and you can get the MIME type of the attachment using the mimetype() method. Both are shown in the code above. You can also write the code as follows:

    # Same read without a with block, so the file is closed explicitly.
    file2 = action_inputs['file2'].open()
    action_outputs['file2_text'] = file2.read()
    file2.close()

8. Click Apply to save changes. Now both files are mapped.

Use Case

See a Script Test Use Case for an example on testing the Script native action.
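
The note above on boolean and null data types, applied to the malicious score threshold check described under Script Inputs, as an added example (it is not code from the Swimlane documentation). The function names, the input keys malicious_score, threshold and allowlisted, and the plain dict standing in for the action's inputs are assumptions; the code decodes JSON-typed values with json.loads and returns "unknown" rather than a verdict when the score or threshold is null, boolean or non-numeric.

```python
import json
import math


def load_json_value(raw):
    """Decode a value that may arrive as JSON text ('false', 'null', '7')."""
    if isinstance(raw, str):
        try:
            return json.loads(raw)
        except json.JSONDecodeError:
            return raw  # ordinary text, not JSON
    return raw  # already a native Python value


def is_number(value):
    """True for a finite int or float; bool is an int subclass, so exclude it."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return isinstance(value, int) or math.isfinite(value)


def score_verdict(inputs):
    """Threshold check that reports 'unknown' instead of guessing on bad data."""
    score = load_json_value(inputs.get("malicious_score"))
    threshold = load_json_value(inputs.get("threshold"))
    allowlisted = load_json_value(inputs.get("allowlisted"))

    if not is_number(score) or not is_number(threshold):
        return {"verdict": "unknown", "is_malicious": None}
    if allowlisted is True:  # the raw string "false" would pass a bare `if`
        return {"verdict": "allowlisted", "is_malicious": False}
    hit = score >= threshold
    return {"verdict": "malicious" if hit else "clean", "is_malicious": hit}


# Constructed sample inputs; the key names are hypothetical.
SAMPLES = [
    {"malicious_score": "7", "threshold": 5, "allowlisted": "false"},
    {"malicious_score": "null", "threshold": 5, "allowlisted": "false"},
    {"malicious_score": 9, "threshold": "5", "allowlisted": "true"},
    {"malicious_score": "true", "threshold": 5, "allowlisted": None},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(score_verdict(sample)))
```

In the Script pane, the dict passed to score_verdict would be the action's inputs and the returned values would be assigned to the action's outputs.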