This post is the 2nd part, of a two-part use case on Grid Field in SOAR, written by our SOAR expert Ben Aviv. For reading the first part, please click here.
Some use-cases require the analysts to add or update external DB entries, for example blacklisting the incident offender in an external system.
One of Cyray’s developments is using the grid field to mirror a DB entry. We use hard-coded SQL queries with several changes that enable us to reflect the whole DB table.
What will you need to make it work:
- A working integration of SQL query
- A grid field that reflects the DB table entry’s fields
- Automation that performs the actual mirror action
- A button that executes the automation
So how does it work?
Let’s take, for example this grid field:
When you add an entry to the grid field and click the button, the automation takes the content of the grid field and does the following:
- It runs a SQL query with the key fields (for example, first name and last name).
- If the response is empty, the automation will add a new entry to the DB table, including the user that clicked the button, creation time and description of which incident the entry is related to.
- If the response is not empty, it means that there is already an entry with this data (first name and last name, in our example) so the automation sends an “UPDATE” query to update the value fields of the entry (Age, for example), and other params, like “Last Modified” and the user that update the entry.
- Finally, it runs the first query to get the new or updated entry and set the data in the grid field.
The grid field and button:
The Button Configuration:
To see the full script click the button