IBM QRadar SOAR


Artifacts extraction and creating Splunk search query

  • 1.  Artifacts extraction and creating Splunk search query

    Posted Mon April 01, 2019 09:25 AM
    Hi,
    How can we extract artifacts from an incident and create a Splunk search query that returns n days' results against all artifacts? The artifacts can be an IP, process name, file hash, etc. In the pre-processing script, artifact.value gives the details of a single artifact only.

    The Splunk search will look like "index IN (----) artifact1 OR artifact2 OR artifact3 | table ----".

    Best Regards - Ragesh NR

    ------------------------------
    Ragesh N R
    ------------------------------


  • 2.  RE: Artifacts extraction and creating Splunk search query

    Posted Mon April 01, 2019 11:48 AM
    Hello,

    Thanks for contacting us.

    Currently there is a limitation of the pre-process script. You can't get all the artifacts of an incident from the pre-process script of an incident workflow.

    There are two workarounds:
    1. Develop a function, and call the REST API from the function to get all the artifacts of a given incident.
    2. Use our fn_utilities function to call the Resilient REST API. You need to make two calls for this approach: first call the session endpoint to get a token, then call the artifact endpoint to get all the artifacts.

    Thanks,

    ------------------------------
    Yongjian Feng
    Software Engineer
    Resilient IBM
    ------------------------------
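The following is an added example, not code from either poster or from IBM. It assumes the artifact list has already been fetched through the REST API workaround described in the reply above (a list of dicts with a "value" key, which is the shape the artifact endpoint returns; the other fields are omitted here) and shows the part the question asks for: turning that list into one Splunk search over the last n days. The `ARTIFACTS` sample, the index names and the table fields are constructed for the demo. Each value is quoted and escaped before it goes into the SPL string, because artifact values come straight from the incident (attacker-controlled data such as a file name or URL) and an unquoted value containing `"` or `|` would otherwise be able to change the meaning of the search.

```python
"""Build a Splunk search over all artifacts of a SOAR incident.

Added example, not part of the original thread. Assumes the artifacts were
already retrieved from the Resilient REST API (e.g. via a function that calls
the incident artifacts endpoint, as in the reply above) and arrive as a list
of dicts that carry at least a "value" key.
"""
from typing import Iterable, List

# Constructed sample in the shape of the artifact endpoint response
# (only "value" is used here; real responses carry more fields).
ARTIFACTS = [
    {"value": "10.0.0.5", "description": "source of the scan"},
    {"value": "powershell.exe", "description": "process name"},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "description": "md5"},
    {"value": "10.0.0.5", "description": "same IP seen twice"},
    {"value": 'evil" OR index=* | delete', "description": "hostile value"},
    {"value": "   ", "description": "blank value, should be skipped"},
]


def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL string literal.

    Backslashes and double quotes are escaped so that a hostile artifact
    value cannot close the literal and append extra search commands.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def extract_values(artifacts: Iterable[dict]) -> List[str]:
    """Collect distinct, non-blank artifact values in first-seen order."""
    seen = set()
    values = []
    for artifact in artifacts:
        value = str(artifact.get("value", "")).strip()
        if value and value not in seen:
            seen.add(value)
            values.append(value)
    return values


def build_splunk_query(artifacts: Iterable[dict], indexes: List[str],
                       days: int, table_fields: List[str]) -> str:
    """Assemble: search index IN (...) earliest=-<n>d (a OR b ...) | table ...

    Raises ValueError when the incident has no usable artifact values, so the
    caller does not silently run an unconstrained search.
    """
    values = extract_values(artifacts)
    if not values:
        raise ValueError("incident has no usable artifacts")
    if days < 1:
        raise ValueError("days must be a positive integer")
    index_clause = "index IN (" + ", ".join(spl_quote(i) for i in indexes) + ")"
    term_clause = " OR ".join(spl_quote(v) for v in values)
    table_clause = "table " + ", ".join(table_fields)
    return f"search {index_clause} earliest=-{days}d ({term_clause}) | {table_clause}"


if __name__ == "__main__":
    # Constructed index and field names; replace with your own.
    print(build_splunk_query(ARTIFACTS, ["proxy", "endpoint"], 7,
                             ["_time", "host", "user", "_raw"]))
```

The resulting string is what the function would hand to the Splunk integration (or to a user as an incident note). Deduplication keeps the OR clause short when the same indicator appears as several artifacts, and the blank-value and empty-list checks stop the workflow from launching a search that matches every event in the index.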