IBM QRadar SOAR

Issue with FireEye HX: Create Indicator function not returning UUID in IBM SOAR Playbook

  • 1.  Issue with FireEye HX: Create Indicator function not returning UUID in IBM SOAR Playbook

    Posted 5 days ago

    Hi All,

    I am encountering an issue while developing a playbook in IBM SOAR for FireEye HX integration. The playbook is designed to perform hash blocking using the following two functions in sequence:

    1. FireEye HX: Create Indicator

    2. FireEye HX: Append Conditions

    The purpose of the playbook is to first create an indicator and then append a hash condition to it. However, the issue is that the Create Indicator function does not seem to return a valid UUID (uri_name) in the results, even though the function executes without any explicit error.

    Below are the details of the implementation:

    Script after "FireEye HX: Create Indicator" function

    # Get the results from the FireEye HX: Create Indicator function
    results = playbook.functions.results.fireeye_hx_create_indicator_result

    if results and results.data and results.data.uri_name:
        indicator_uuid = results.data.uri_name
        playbook.functions.set("indicator_uuid", indicator_uuid)
        incident.addNote(f"FireEye HX Indicator created with UUID: {indicator_uuid}")
    else:
        incident.addNote("Error: Create Indicator failed - no UUID generated")

    Updated script (tried for troubleshooting)

    import json

    # Get the results from the FireEye HX: Create Indicator function
    results = playbook.functions.results.fireeye_hx_create_indicator_result

    try:
        data = results.get("content", {}).get("data", {})
        indicator_uuid = data.get("uri_name")

        if indicator_uuid:
            playbook.functions.set("indicator_uuid", indicator_uuid)
            incident.addNote(f"✅ FireEye HX Indicator created with UUID: {indicator_uuid}")
        else:
            incident.addNote(f"⚠️ No UUID found in function output.\n\nFull output:\n{json.dumps(results, indent=2)}")

    except Exception as e:
        incident.addNote(f"❌ Error processing FireEye HX Create Indicator result: {str(e)}\n\nRaw results:\n{json.dumps(results, indent=2)}")

    Regardless of the script used, the output note always shows:

    "Error: Create Indicator failed – no UUID generated."

    This indicates that the function is not returning the expected uri_name field in the result data, which prevents the playbook from proceeding to the next step (FireEye HX: Append Conditions).

    I would appreciate your assistance in reviewing this behavior and advising if:

    • What would be the possible value for the mandatory field in the FireEye HX: Create Indicator function, i.e. (fireeye_hx_indicator_uri_category)?

    • There is any known issue with the FireEye HX: Create Indicator function not returning a UUID.
    • A workaround or patch exists to properly retrieve the indicator UUID from the function output.
    • Any configuration or permission setting on the HX server side could cause this missing UUID behavior.

    Your assistance is required in this manner to get the possible resolution and workaround for this.

    Regards,

    Farrukh Majid.
    Information Security Consultant.

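The two post-function scripts above hard-code one nesting (`results.data.uri_name` or `content -> data -> uri_name`), so a result that is shaped differently is reported as "no UUID generated" even when an identifier is present. The following is an added example, not code from the original post or from the IBM FireEye HX app: a defensive extractor that searches a function result for the identifier key at any depth and otherwise produces a note carrying the full raw output for troubleshooting. It assumes the result is a plain dict (as returned by `json.loads`); the sample outputs are constructed for the example, and the key name `uri_name` is taken from the post, while any other candidate key names would be assumptions you pass in yourself.

```python
import json
from typing import Any, Iterable, Mapping, Optional, Tuple

# Constructed sample results for the example; not real FireEye HX / SOAR output.
SAMPLE_NESTED = {"content": {"data": {"uri_name": "abc123", "name": "block hash"}}}
SAMPLE_FLAT = {"data": {"uri_name": "def456"}}
SAMPLE_MISSING = {"content": {"message": "OK", "data": {}}}

# Key name from the post. Add further candidates only if your app version documents them.
DEFAULT_KEYS: Tuple[str, ...] = ("uri_name",)


def find_indicator_id(obj: Any, keys: Iterable[str] = DEFAULT_KEYS,
                      depth: int = 0, max_depth: int = 8) -> Optional[str]:
    """Depth-first search of a dict/list result for the first non-empty string under any of `keys`.

    Returns the value found, or None. The depth limit keeps a malformed or
    self-referencing result from recursing forever.
    """
    if depth > max_depth:
        return None
    if isinstance(obj, Mapping):
        # Check the candidate keys at this level before descending.
        for key in keys:
            value = obj.get(key)
            if isinstance(value, str) and value.strip():
                return value
        for child in obj.values():
            found = find_indicator_id(child, keys, depth + 1, max_depth)
            if found:
                return found
    elif isinstance(obj, (list, tuple)):
        for child in obj:
            found = find_indicator_id(child, keys, depth + 1, max_depth)
            if found:
                return found
    return None


def indicator_note(results: Any, keys: Iterable[str] = DEFAULT_KEYS) -> Tuple[Optional[str], str]:
    """Build the incident note text for a Create Indicator result.

    Returns (indicator_id, note). When no identifier is found, the note embeds
    the complete raw result so the actual shape can be read from the incident.
    """
    indicator_id = find_indicator_id(results, keys)
    if indicator_id:
        return indicator_id, f"FireEye HX Indicator created with UUID: {indicator_id}"
    raw = json.dumps(results, indent=2, default=str)
    return None, "No UUID found in function output.\n\nFull output:\n" + raw


if __name__ == "__main__":
    for sample in (SAMPLE_NESTED, SAMPLE_FLAT, SAMPLE_MISSING):
        print(indicator_note(sample)[1])
```

In a SOAR post-process script you would call `indicator_note(results)` (converting the result object to a dict first if your environment hands you a wrapper object rather than a dict, which is an assumption to verify) and pass the returned note to `incident.addNote`; storing the identifier only when it is non-None keeps the Append Conditions step from running against an empty value.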