Reading Items from the Queue within the FSO Queue Plugin

In this installment of the Tips and Insights series, Richard Ignacio explains how to read items found within the FireEye Security Orchestration (FSO) queue.

Hi, my name is Richard Ignacio and I’m the Senior Manager of the Orchestration Architecture team with FireEye. In another video tip I demonstrated how to add an item to the queue; in this video I will demonstrate how to read those items from the queue. The first step is we need to create an adapter that we’re going to use as a start event. So let’s go to adapters and create an adapter. In this case I’ve already created an adapter and named it ‘queue read adapter’. The ‘queue read adapter’ uses the ‘get queue items adapter’ command. If we look at that, you’ll see that the limit is set for ‘10’, the case output is for ‘multi-case’, and everything else is at the defaults.

Now that this interval adapter has been created, let’s take a look at the playbook.

The playbook we’re going to use for this is named ‘read items from queue’. If we examine that, the start event uses the ‘queue read adapter’ that we created.

The next step is just to update the case with a new name.

So, now let’s go ahead and execute this playbook and let’s see what happens.

As you can see, three new cases came up here, but we’ll just use one of them and take a look at that.

If we look at the detailed view of that case and we look at the start event, you’ll see that it retrieved one item from the queue. You’ll see the data that we put in there and then the record ID that is associated with that item.

This concludes the demonstration for ‘reading items from the queue’. I hope this demonstration helped you understand how to use the queue plugin to read items from a queue. Thank you for checking out our channel and stay tuned for more FireEye Tips and Insights.

