
Hi folks,

I am developing a custom integration and have an action that takes a single IP address as an input and makes certain API calls and fetches detailed information about this IP.

While integrating this action in a playbook, I noticed a use-case that probably needs to be handled.

Suppose my action is a part of a playbook that further gets run for a case where I have multiple events. Each event in the case has a unique Source IP Address. In the action step in the playbook, the input parameter is passed as [Event.sourceAddress], then which event's IP Address would be considered?

Also, I assume the IP address of only one of the many events will be considered, then what should I do to run this action for all the Source IP addresses of all the events in the case?

Hope the use-case is clear.

Thanks.

Hi Preet,

Event placeholders will take into account the recurrence of fields within events, and provide you with a CSV of distinct values.

For example: I have two events in an alert, one with 1.1.1.1 as a destination_address, and one with 2.2.2.2.

The Event placeholder [Event.destination_address] would output 1.1.1.1,2.2.2.2.

Some actions work with CSVs and some do not. On occasion we've had to select one of them to perform actions on. However, if you are writing your own custom integration, it should be trivial to expand this out into handling the CSV and performing lookups on all IPs. You can then output them as part of the JSON result and use them in views etc.

Cheers

Kyle
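
The CSV handling described in the answer above, as an added example that is not code from this thread or from the platform's SDK: it splits the comma-separated placeholder value, validates and de-duplicates each address, runs a lookup per IP and collects everything into one JSON-serialisable result. The names `parse_ip_csv`, `enrich_all` and `fake_lookup` are hypothetical, and `fake_lookup` stands in for the integration's real API call.

```python
import ipaddress
import json


def parse_ip_csv(raw):
    """Split a comma-separated placeholder value into distinct, valid IPs.

    Returns (valid, rejected); order of first appearance is preserved.
    """
    valid, rejected, seen = [], [], set()
    for token in (raw or "").split(","):
        token = token.strip()
        if not token:
            continue  # tolerate empty fields and trailing commas
        try:
            ip = str(ipaddress.ip_address(token))  # also normalises IPv6 case
        except ValueError:
            rejected.append(token)  # never forward unvalidated text to the API
            continue
        if ip not in seen:
            seen.add(ip)
            valid.append(ip)
    return valid, rejected


def enrich_all(raw, lookup):
    """Run lookup(ip) for every IP; one failed lookup does not abort the rest."""
    valid, rejected = parse_ip_csv(raw)
    results, errors = {}, {}
    for ip in valid:
        try:
            results[ip] = lookup(ip)
        except Exception as exc:  # record per-IP failures in the result
            errors[ip] = str(exc)
    return {"results": results, "errors": errors, "rejected": rejected}


def fake_lookup(ip):
    # Hypothetical stand-in for the real API call made by the action.
    if ip == "2.2.2.2":
        raise RuntimeError("upstream timeout")
    return {"version": ipaddress.ip_address(ip).version}


if __name__ == "__main__":
    # Constructed input: spaces, a duplicate, a bad token, IPv6, trailing comma.
    sample = "1.1.1.1, 2.2.2.2,1.1.1.1,not-an-ip,2001:DB8::1,"
    print(json.dumps(enrich_all(sample, fake_lookup), indent=2))
```

Returning the rejected tokens and per-IP errors alongside the results lets a playbook view show which addresses were not enriched instead of silently dropping them.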


Hi @KyHud 
Thanks for the response.

I just tested your example and it works exactly the way you mentioned. I get the result in a comma-separated fashion and now I can implement my action according to this behaviour.

Thanks.

