IBM QRadar SOAR

  • 1.  How to change incident context to write to multiple incidents within scripts?

    Posted Mon July 29, 2019 01:39 PM
    Hello,
    I have a use case where I do the following:
    1) Create an artifact "Parent Incident" with value 1234
    2) A rule sees new artifact "Parent Incident" with value 1234
    3) Script "Script Parent Incident Add" will then do the following - 
      i) Fill in incident.properties.custom_parent_field = '1234'
      ii) Fill in incident.properties.custom_child_field in incident = '1234' with current incident.id****

    **** -> This is the part I can not do since the incident.id field is read only. Is there any way to change the incident context so that I'm able to modify multiple incidents within a script? I tried to use 'import resilient', but that is an illegal import (BTW - is there any documentation for what is an allowed import?)

    This use case is specifically to create a hierarchical relationship between incidents as parent/child rather than rely on relationships via artifacts.

    ------------------------------
    Phillip Lee
    ------------------------------


  • 2.  RE: How to change incident context to write to multiple incidents within scripts?

    Posted Mon July 29, 2019 02:55 PM
    Edited by Jared Fagel Mon July 29, 2019 02:59 PM
    Limitations to the scripts are documented here (re and the Java class java.util.Date are the only allowed imports).

    You cannot modify other incidents within a script. I posted an idea that I think this might fall under here.

    Ideally, the way to do this would be to use the query_builder like so:
    parent_query = query_builder.contains(fields.incident.id, '1234').build()
    children_query = query_builder.contains(fields.incident.properties.custom_parent_field, '1234').sortByAscending(fields.incident.id).build()
    parent_incident_results = helper.findIncidents(parent_query)
    child_incidents_results = helper.findIncidents(children_query)

    if len(parent_incident_results) == 1:
        parent_incident = parent_incident_results[0]
        # ... do something with parent_incident here ...
        # Unfortunately, this is a read-only object right now

    if len(child_incidents_results) > 0:
        for child in child_incidents_results:
            # ... do something with child incident of the parent here ...
            # Unfortunately, this is a read-only object right now
            pass

    As I mentioned in the comments in the above code, the incidents returned by findIncidents() are read-only. This is documented here.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 3.  RE: How to change incident context to write to multiple incidents within scripts?

    Posted Mon July 29, 2019 03:19 PM
    Thanks Jared - I figured as much, but hoped for something. Doing something like this via the API appears to be straightforward, but doing it via scripts seems like you can't. Is there a way to roll this into a custom action? The way the custom action works in my head would be:
    1) Rule fires for artifact type rule, opens custom action
    2) Custom action gets artifact context, incident context
    3) Custom action also uses resilient API to get context of another incident to edit

    I haven't worked enough with custom actions to know if this is something that can be achieved though.

    ------------------------------
    Phillip Lee
    ------------------------------



  • 4.  RE: How to change incident context to write to multiple incidents within scripts?

    Posted Mon July 29, 2019 03:43 PM
    This sounds like an easy python function to create and wrap into a workflow with an automatic rule.

    I don't exactly understand what you hope to do with it, but you can pass any fields you want into the function as input (like incident.id), and then do about whatever you want via the Resilient REST API.

    See the interactive API and its documentation in your Resilient instance:
    https://your_resilient_url/docs/rest-api/ui/index.html

    You'd do the Resilient REST API interactions via the "requests" module for Python.
    Tutorial: https://www.geeksforgeeks.org/get-post-requests-using-python/

    ... or by using the useful but poorly documented "resilient" Python module (which is a wrapper over the REST API).
    See: https://github.com/ibmresilient/resilient-python-api/blob/master/README.md



    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------
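    A sketch of the function Jared describes, added here as an example; it is not code from this thread, from IBM, or from the resilient package. The endpoint paths, the "vers" field and the PatchDTO shape are assumptions to verify against your instance's interactive API docs, and FakeClient is a constructed in-memory stand-in for whatever REST client (requests, or the resilient module) you wrap with the same get/patch methods.

```python
# Assumed REST shapes (check https://your_resilient_url/docs/rest-api/ui/index.html):
#   GET   /incidents/{id} -> incident JSON with "id", "vers" and "properties"
#   PATCH /incidents/{id} <- {"version": n, "changes": [{"field", "old_value", "new_value"}]}
PARENT_FIELD = "custom_parent_field"   # field names taken from the original post
CHILD_FIELD = "custom_child_field"

def parse_incident_id(raw):
    """Artifact values are analyst-typed text; accept only a positive integer."""
    text = str(raw).strip()
    if not text.isdigit() or int(text) <= 0:
        raise ValueError("invalid incident id: %r" % (raw,))
    return int(text)

def build_patch(incident, field_name, new_value):
    """PatchDTO for one text field; old value + version let the server reject a racing edit."""
    old = incident.get("properties", {}).get(field_name)
    return {"version": incident["vers"],
            "changes": [{"field": field_name, "old_value": {"text": old},
                         "new_value": {"text": new_value}}]}

def link_child_to_parent(client, child_id, parent_value):
    """Write the relationship into both incidents; returns (parent_patch, child_patch)."""
    parent_id, child_id = parse_incident_id(parent_value), parse_incident_id(child_id)
    if parent_id == child_id:
        raise ValueError("an incident cannot be its own parent")
    child = client.get("/incidents/%d" % child_id)
    current = child.get("properties", {}).get(PARENT_FIELD)
    if current not in (None, "", str(parent_id)):   # never silently re-parent
        raise ValueError("incident %d already has parent %s" % (child_id, current))
    parent = client.get("/incidents/%d" % parent_id)
    parent_patch = build_patch(parent, CHILD_FIELD, str(child_id))
    child_patch = build_patch(child, PARENT_FIELD, str(parent_id))
    client.patch("/incidents/%d" % parent_id, parent_patch)
    client.patch("/incidents/%d" % child_id, child_patch)
    return parent_patch, child_patch

class FakeClient:
    """Constructed in-memory stand-in for a REST client (get/patch only), not IBM's code."""
    def __init__(self, incidents):
        self.store = {i["id"]: i for i in incidents}
    def get(self, uri):
        inc = self.store[int(uri.rsplit("/", 1)[1])]
        return {**inc, "properties": dict(inc["properties"])}
    def patch(self, uri, body):
        inc = self.store[int(uri.rsplit("/", 1)[1])]
        if body["version"] != inc["vers"]:
            raise RuntimeError("version conflict on " + uri)
        for change in body["changes"]:
            inc["properties"][change["field"]] = change["new_value"]["text"]
        inc["vers"] += 1
```

    The version check is what keeps two rules firing at once from overwriting each other's edit on incident 1234, which a plain PUT of the whole incident would not catch.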



  • 5.  RE: How to change incident context to write to multiple incidents within scripts?

    Posted Tue July 30, 2019 11:18 AM
    Hey Jared,
    Creating a custom python function is something I likely have to do. I mainly wanted to see if I could accomplish what I wanted via Resilient's platform of functions/scripts/message destinations, but like you already mentioned, this doesn't seem like a thing that's possible right now.

    I'll plan on leveraging the resilient-circuits framework or the API to create the custom actions script needed.  Thanks for your help!

    -Phil

    ------------------------------
    Phillip Lee
    ------------------------------