Custom Scripts Overview for FSO

In this installment of the Tips and Insights series, Mohammad Anwar gives a brief overview of custom scripts that can be used in the FireEye Security Orchestrator (FSO).

Hi, my name is Mohammad Anwar and I’m a Security Integration Engineer on the Orchestration Architecture team with FireEye. Today I’ll give you an overview of custom scripts for the FireEye Security Orchestrator. I’ll be going over what custom scripts are, how to create them, the inputs and the outputs, and then a demonstration where we can execute the script text to show you the flow.

Custom scripts are modules that use JavaScript code in the playbook that can take input as command results. These custom scripts allow you to alter the variables and the data within the playbook without having to use a plugin. This is especially useful for when you have data coming out of a plugin command and need to format it before using it as an input for another plugin command. In order to create a custom script we must first use it in a playbook. So let’s go ahead and use a playbook that already exists, and for this purpose we’ll be using the demo playbook.

The problem that’s set up here is we’re getting a DHCP by hostname and the return type will be a string. However, the input for this next command is a MAC address, and we can see that they’re not aligning and it’s saying data is invalid.

In order to resolve this we’ll be creating a custom script that would be in between these two that would convert the string to a MAC address.

In order to do that we’ll append a new task and put it in between these two.

And we would select ‘script task’ in the dropdown. Go to custom script and you can go ahead and name this.

Write a short description.

Go ahead and save it.

Now we can go ahead and edit the script.

Since the return type for the first command will be a list, we’re gonna set it as a list input, and since the output we just want a similar output we would just set it to empty string, and then the main function we would then just type ‘ equals’ and then select that first element. Go ahead and click save, and for the input we want to select that is a list, and for the output we want to change it from string to a MAC address type, and since it’s not a list we’ll just leave that alone.

Go ahead and save the script.

Now we can alter the downstream command to get the input from our custom script and we can see that it is a MAC address type and once we hit save we can see that it’s valid input and we can go in and publish the playbook.

Now that the playbook is published, we can go ahead and run the activities. Run the playbook activities and we can do this by sending a message and we can refresh this to make sure that it comes in and we can see that it did come in and we can see that the DHCP returned four results.

The custom script then took that result and took the first element and changed it to a MAC address and fed it to the ‘get host by Mac’ command and we can see the result of the ‘get host by Mac’ command here.

This concludes the overview for custom scripts in FireEye Security Orchestrator. I hope this overview gives you an understanding of custom scripts and how to use them in FSO. Thank you for taking the time to check out our plugin overview series and stay tuned for more FireEye Tips and Insights.
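
The conversion performed in the demonstration (take the first element of the DHCP result list and hand it to the next command as a MAC address) is sketched below as an added example in plain JavaScript. It is not FireEye's script template or code from the video; the function names and sample values are assumptions, and it adds a format check that the video does not show.

```javascript
// Added illustration in plain JavaScript; not the FSO script editor's template.
// All function names and sample values are constructed for this example.

// Accepts common textual MAC forms (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
// aabb.ccdd.eeff, aabbccddeeff) and returns lower-case colon form, or null.
function normalizeMac(value) {
  if (typeof value !== 'string') return null;
  const trimmed = value.trim();
  const shapes = [
    // Six octets with one consistent separator (\1 rejects mixed ':' and '-').
    /^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$/i,
    /^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$/i,
    /^[0-9a-f]{12}$/i,
  ];
  if (!shapes.some((re) => re.test(trimmed))) return null;
  const hex = trimmed.replace(/[^0-9a-f]/gi, '').toLowerCase();
  return hex.match(/.{2}/g).join(':');
}

// Mirrors the demo script: list in, single value out, first element selected.
// The output defaults to an empty string, as in the demo, and a reason is
// reported instead of passing a non-MAC value to the downstream command.
function firstMacFromResults(results) {
  if (!Array.isArray(results) || results.length === 0) {
    return { ok: false, mac: '', reason: 'empty or non-list input' };
  }
  const mac = normalizeMac(results[0]);
  if (mac === null) {
    return { ok: false, mac: '', reason: 'first element is not a MAC address' };
  }
  return { ok: true, mac, reason: '' };
}

// Constructed sample: four results, as in the demo run.
const sampleResults = [
  '00-1A-2B-3C-4D-5E',
  '00-1A-2B-3C-4D-5F',
  '00-1A-2B-3C-4D-60',
  '00-1A-2B-3C-4D-61',
];
console.log(firstMacFromResults(sampleResults));
console.log(firstMacFromResults(['workstation-12']));
```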
