TIM - Process Indicators Against Approved Hash List

This playbook checks if file hash indicators exist in a Cortex XSOAR list. If the indicators exist in the list, they are tagged as approved_hash.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • FilterByList
  • SetAndHandleEmpty

Commands

  • appendIndicatorField

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| ApprovedHashList | A Cortex XSOAR list containing approved hash values. Hash indicators that appear in the list are tagged as approved. | | Optional |
| Indicator Query | Indicators matching the indicator query will be used as playbook input. | | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| HashesInApprovedList | File hashes that are found in the approved_hash list. | string |
| HashesNotInApprovedList | File hashes that are not found in the approved_hash list. | string |
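
The check this playbook performs, as an added stand-alone Python sketch (not the playbook's own code and not a Cortex XSOAR API): it splits hash indicators into the two outputs above and tags the approved ones. The function names, the comma- or newline-separated list format, the case-insensitive comparison and the MD5/SHA1/SHA256 length check are assumptions of this example.

```python
import re

# Hex lengths of the hash types this sketch accepts (assumption).
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def normalize_hash(value):
    """Return the lowercase hash, or None if it is not MD5/SHA1/SHA256 hex."""
    candidate = value.strip().lower()
    if len(candidate) in HASH_LENGTHS and HEX_RE.match(candidate):
        return candidate
    return None


def parse_approved_list(raw):
    """Parse list content (assumed comma- or newline-separated) into a set."""
    entries = re.split(r"[,\r\n]+", raw or "")
    return {h for h in map(normalize_hash, entries) if h}


def process_indicators(indicators, approved_raw, tag="approved_hash"):
    """Split hash indicators by list membership and tag the approved ones."""
    approved = parse_approved_list(approved_raw)
    in_list, not_in_list = [], []
    for indicator in indicators:
        digest = normalize_hash(indicator["value"])
        if digest is not None and digest in approved:
            tags = indicator.setdefault("tags", [])
            if tag not in tags:  # append, never overwrite existing tags
                tags.append(tag)
            in_list.append(indicator["value"])
        else:
            # Unknown, malformed, or unlisted values are never tagged.
            not_in_list.append(indicator["value"])
    return {"HashesInApprovedList": in_list,
            "HashesNotInApprovedList": not_in_list}


# Constructed sample data: the MD5, SHA1 and SHA256 digests of empty input.
APPROVED = "D41D8CD98F00B204E9800998ECF8427E,\n da39a3ee5e6b4b0d3255bfef95601890afd80709 "
INDICATORS = [
    {"value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"value": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "tags": ["seen"]},
    {"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

if __name__ == "__main__":
    print(process_indicators(INDICATORS, APPROVED))
```

An empty or missing list leaves every hash in HashesNotInApprovedList, so nothing is tagged as approved by default.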
