You can create a script to apply a list of tags to indicators that are found.
This example automation applies fromdate, todate and query tags to found indicators.
Use the basic automation template to create the following code.
The
fromdate,todateandqueryfields are specified in the parameters dictionary to the indicatorfindParamcommand.The
demisto.executeCommand()function returns the list of indicators that match the request.Each indicator is looped through creating the body for the request to the Cortex XSOAR API, including the tags in the
CustomFieldsfield of the dictionary.The Cortex XSOAR API is invoked to apply the tags to each indicator.
def main():
try:
findParam = {
'fromdate':"2021-10-27T15:00:00+07:00",
'todate': "2021-10-28T15:00:00+07:00",
'query': "type:file"
}
results = demisto.executeCommand("findIndicators",
findParam)[0]['Contents']
newtags =["newtag"]
for indicator in results:
indId = indicator['id']
body = {
'CustomFields': {'tags': newtags},
'id': str(indId),
'indicator_type':indicator['indicator_type'],
'value': indicator['value']
}
demisto.executeCommand("demisto-api-post",
{'uri':"/indicator/edit", 'body':body})
except Exception as ex:
demisto.error(traceback.format_exc())
return_error("Failed to update indicators: " + str(ex))
if __name__ in ('__main__', '__builtin__', 'builtins'):
main()