Splunk Soar - Windows Remote Management - Custom C...

whill · ‎04-05-2023

Hello,

I'm trying to utilize the following script (at the bottom) in the 'Run Script' shape in the Windows Remote Management app in Splunk Soar. This shape errors out due to curly braces used in the while loop and if statement along with the parameter {0} which will represent a Windows service.

What are my options to get around the use of this curly brace? I've thought about using the custom code section, but I'm unsure how to set the script_str parameter without touching non-custom code. Attached is a screenshot detailing what I have with the custom code idea.

Script to verify the status of a Windows service, looping to check every 30 seconds for 15 minutes:

$timeout = new-timespan -Minutes 15
$sw = [diagnostics.stopwatch]::StartNew()
$status
$success=0
while ($sw.Elapsed -lt $timeout -AND $success -eq 0){
$status = Get-Service "{0}" | select -ExpandProperty status
if ($status -contains "Stopped"){
$success = 1
}
start-sleep -seconds 30
}
write-output $success

Splunk Soar - Windows Remote Management - Custom Code in Run Script Shape

troubleshooting

using SOAR ⁄ Phantom

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?