URL: https://discuss.rapid7.com/t/removing-bracks-in-ioc-ip-url/40056
REMOVING BRACKETS IN IOC IP/URL

Category: InsightConnect
Tags: workflow-building


Sean (4d)


I am working on a threat hunting workflow that will pull down IOCs from
different locations (e.g. GitHub, Rapid7 blog, etc.) and I was wondering what was
the best way to handle the brackets that are added to IP addresses and domains.
For example, 192.168.13.13 would be posted as 192.168.13[.]13 and
somerandom.site.com would be posted as somerandom.site[.]com.

I have not found a plug-in that would allow me to easily do this and I was
wondering how others were doing this. Is this going to need a script or regex
black magic created in a snippet?

Thanks,
Sean

Solved by Eric Wilson in post #3


> You can also loop through the IOCs and use the String operations plugin to do
> the replacements if you don’t want to use the Python plugin.






Sean (2d)


I created a loop that runs the following Python script called
desanitizer-script:

    def run(params={}):
        # Take the defanged indicator passed in by the loop step
        sanitized_address = params.get('uri')
        # Replace the bracketed dot with a real one and return the usable address
        return {"address": sanitized_address.replace('[.]', '.')}

The input for the function is defined as:

    {"uri": "{{["desanitize-uri-loop-main"].[$item]}}"}

I add the script output to an array created for the loop's output:

    {{["desanitizer-script"].[address]}}

To address the possibility of an error I include the following for "Only include
if...":

    {{["desanitizer-script"].[$success]}}
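As an added example (not code from the thread or from Rapid7's plugins), the snippet below generalises the single `.replace('[.]', '.')` call above: it reverses the other defanging conventions threat reports commonly use (`(.)`, `[dot]`, `hxxp://`, `[:]`, `[@]`), then validates what comes out so that a malformed indicator can be excluded from the loop's output instead of being passed downstream. The `run(params)` shape mirrors the script in the post; the pattern list, the `classify` helper and the sample indicators are my own assumptions and constructed test data.

```python
import ipaddress
import re

# Substitutions for defanging styles commonly seen in public threat reports.
# This list is an assumption for the example; extend it for your own sources.
_REFANG_RULES = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.IGNORECASE), "."),
    (re.compile(r"\[:\]|\(:\)"), ":"),
    (re.compile(r"\[@\]|\(@\)|\[at\]", re.IGNORECASE), "@"),
    (re.compile(r"\bhxxp", re.IGNORECASE), "http"),  # hxxp:// and hxxps://
]

# Loose hostname check: labels of letters/digits/hyphens, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
_URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,63}$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be fed to a lookup or a rule."""
    value = ioc.strip()
    for pattern, replacement in _REFANG_RULES:
        value = pattern.sub(replacement, value)
    return value


def classify(value: str) -> str:
    """Return the indicator type, or 'unknown' when it is not a usable IOC."""
    try:
        return f"ipv{ipaddress.ip_address(value).version}"
    except ValueError:
        pass
    if _URL_RE.match(value):
        return "url"
    if _EMAIL_RE.match(value):
        return "email"
    if _DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def run(params=None):
    """Loop-step entry point in the same shape as the posted script.

    Returns the refanged address plus its type; a caller can use
    type != 'unknown' as the 'Only include if' condition on the loop output.
    """
    params = params or {}
    address = refang(params.get("uri", ""))
    return {"address": address, "type": classify(address)}


if __name__ == "__main__":
    # Constructed sample indicators, not real threat data.
    samples = [
        "192.168.13[.]13",
        "somerandom.site[.]com",
        "hxxps://evil[.]example[.]com/path?id=1",
        "2001[:]db8[:][:]1",
        "phish[@]evil[.]example",
        "not an indicator!!",
    ]
    for raw in samples:
        print(f"{raw!r:45} -> {run({'uri': raw})}")
```

Using the returned `type` rather than the step's `$success` flag as the include condition means an indicator that the script ran on but could not turn into a valid IP, domain, URL or e-mail address is dropped too, rather than only indicators that crashed the step.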




Eric Wilson (Moose) (1d)


You can also loop through the IOCs and use the String operations plugin to do
the replacements if you don’t want to use the Python plugin.

Rapid7 Extensions: Discover Extensions for the Rapid7 Insight Platform





Sean, replying to Eric Wilson (17h)


Oh, that is nice! I think I will switch over to that instead, as it can be used in
the cloud and not on my orchestrator.

Thanks for telling me about this!




Sean, replying to Eric Wilson (17h)


While both of our posts work, I am marking yours as the solution since it is
easier to use and requires less work on the back end.






