IBM QRadar SOAR

Enhance IOC Parser Function and add results in Notes and Artifact Description

  • 1.  Enhance IOC Parser Function and add results in Notes and Artifact Description

    Posted Mon August 26, 2019 11:44 AM
    Prerequisite: have the IOC Parser Function v2 integration installed and configured (Link to App Exchange).
    Purpose: enhance the standard information given by this integration in the Artifact Description and Note,
    and add a search button action on a Malware Sample artifact type.
    Changes:
    • New Rules: Extract IOCs (Artifact) and Extract IOCs (Attachment)
    • New Workflows:
      • Extract IOC from this Artifact, as a duplicate of Example: Parse IOCs (Artifact) with changes in the post-process scripts
      • Extract IOC from this Attachment, as a duplicate of Example: Parse IOCs (Attachment) with changes in the post-process scripts
    Results in Note:

    and in Artifact description:

    Attached is the res file to import this configuration.
    Feel free to use, change or adapt this code for your own use.

    Building the res file:
    resilient-circuits extract --workflow "parse_iocs_attachment" "parse_iocs_artifact" --rule "Extract IOCs (Artifact)" "Extract IOCs (Attachment)" -o config_IOC.res --zip
    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------

    Attachment(s): config_IOC.res.zip (15 KB)
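    The post above does not show what the changed post-process scripts do, so here is an added example (not the attached .res file and not the IOC Parser app's own code) of the two pieces such a script needs: turning the function's results into a Note body and an Artifact description line. It assumes the parser result is a dict with a "content" -> "iocs" list of {"type", "value"} entries (a constructed shape; adapt `group_iocs` to the real fn_ioc_parser payload), and that the SOAR script would pass the returned strings to `incident.addNote(...)` and `artifact.description`, which are not available outside the SOAR script sandbox.

```python
"""Added example: format IOC Parser results for a Note and an Artifact description.

Assumption: results look like {"success": bool, "content": {"iocs": [{"type", "value"}, ...]}}.
The real fn_ioc_parser payload may differ; only group_iocs() needs to change if it does.
"""
from collections import defaultdict

# Constructed sample payload (documentation IP range, defanged URL, empty-file MD5).
SAMPLE_RESULTS = {
    "success": True,
    "content": {
        "iocs": [
            {"type": "IPv4", "value": "203.0.113.10"},
            {"type": "IPv4", "value": "203.0.113.10 "},  # duplicate with stray whitespace
            {"type": "URL", "value": "hxxp://example[.]test/login"},
            {"type": "MD5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
        ]
    },
}


def group_iocs(results):
    """Return {ioc_type: sorted unique values}; empty dict if the function reported failure."""
    if not results.get("success"):
        return {}
    grouped = defaultdict(set)
    for ioc in results.get("content", {}).get("iocs", []):
        grouped[ioc["type"]].add(ioc["value"].strip())
    return {t: sorted(v) for t, v in sorted(grouped.items())}


def build_note(results, source_label):
    """Plain-text Note body: a total count, then each IOC type with its deduplicated values."""
    grouped = group_iocs(results)
    total = sum(len(v) for v in grouped.values())
    lines = [f"IOC Parser: {total} unique IOC(s) extracted from {source_label}"]
    for ioc_type, values in grouped.items():
        lines.append(f"{ioc_type} ({len(values)}):")
        lines.extend(f"  - {v}" for v in values)
    return "\n".join(lines)


def build_artifact_description(results, existing=""):
    """One summary line per IOC type, appended below the artifact's existing description."""
    grouped = group_iocs(results)
    summary = ", ".join(f"{t}: {len(v)}" for t, v in grouped.items()) or "none"
    stamp = f"[IOC Parser] extracted -> {summary}"
    return f"{existing.rstrip()}\n{stamp}" if existing.strip() else stamp
```

    In the workflow's post-process script the same logic would end with something like `incident.addNote(helper.createPlainText(build_note(results, artifact.value)))` and `artifact.description = build_artifact_description(results, artifact.description or "")`.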


  • 2.  RE: Enhance IOC Parser Function and add results in Notes and Artifact Description

    Posted Fri January 10, 2020 12:06 PM
    Has anyone increased the usability of this function by adding the ability to parse the incident notes field as well as an attachment or artifact?

    ------------------------------
    Ryan Terry
    ------------------------------