From b7ec62348646c34f85db66e16e268c8d4a0d858f Mon Sep 17 00:00:00 2001
From: Pierre Penhouet
Date: Thu, 17 Jul 2025 14:03:22 +0200
Subject: [PATCH] fix query to retrieved events

---
 playbooks/templates/add_destination_ips_to_ioc_collection.json | 2 +-
 playbooks/templates/add_domains_to_ioc_collection.json | 2 +-
 playbooks/templates/add_source_ips_to_ioc_collection.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/playbooks/templates/add_destination_ips_to_ioc_collection.json b/playbooks/templates/add_destination_ips_to_ioc_collection.json
index 4a35b02e..e7309c41 100644
--- a/playbooks/templates/add_destination_ips_to_ioc_collection.json
+++ b/playbooks/templates/add_destination_ips_to_ioc_collection.json
@@ -46,7 +46,7 @@
 ]
 },
 "arguments": {
- "query": "{{ node.1.short_id }}",
+ "query": "alert_short_ids: {{ node.1.short_id }}",
 "fields": "destination.ip",
 "latest_time": "{{ node.1.last_seen_at }}",
 "earliest_time": "{{ node.1.first_seen_at }}"
diff --git a/playbooks/templates/add_domains_to_ioc_collection.json b/playbooks/templates/add_domains_to_ioc_collection.json
index ecb7a735..b7d0e6c5 100644
--- a/playbooks/templates/add_domains_to_ioc_collection.json
+++ b/playbooks/templates/add_domains_to_ioc_collection.json
@@ -46,7 +46,7 @@
 ]
 },
 "arguments": {
- "query": "{{ node.1.short_id }}",
+ "query": "alert_short_ids: {{ node.1.short_id }}",
 "fields": "dns.question.name,url.domain",
 "latest_time": "{{ node.1.last_seen_at }}",
 "earliest_time": "{{ node.1.first_seen_at }}"
diff --git a/playbooks/templates/add_source_ips_to_ioc_collection.json b/playbooks/templates/add_source_ips_to_ioc_collection.json
index 4264151c..9c99f7bc 100644
--- a/playbooks/templates/add_source_ips_to_ioc_collection.json
+++ b/playbooks/templates/add_source_ips_to_ioc_collection.json
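Review bot: The new `query` value in add_destination_ips_to_ioc_collection.json interpolates `{{ node.1.short_id }}` unquoted, so a missing or empty short_id renders as `alert_short_ids: ` with no term; how the event search treats that is not visible here, and since the returned `destination.ip` values are presumably pushed into an IOC collection (going by the file name), an over-broad match would add unrelated addresses to it. Consider quoting the value, e.g. `"query": "alert_short_ids:\"{{ node.1.short_id }}\""`, after confirming the events query syntax accepts quoted terms, or gating the step on a non-empty short_id. The identical line is changed in add_domains_to_ioc_collection.json and add_source_ips_to_ioc_collection.json, so the same point applies to those hunks. The `arguments` object and the step that contains it begin and end outside each hunk.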
@@ -46,7 +46,7 @@
 ]
 },
 "arguments": {
- "query": "{{ node.1.short_id }}",
+ "query": "alert_short_ids: {{ node.1.short_id }}",
 "fields": "source.ip",
 "latest_time": "{{ node.1.last_seen_at }}",
 "earliest_time": "{{ node.1.first_seen_at }}"