  • 1.  Manipulate a data table from scripts

    Posted Tue April 14, 2020 05:01 PM
    Hi,

    I want to create an action that manipulates a data table. Is it possible to do that from a script? Any documentation or example would be appreciated.

    Best
    Jasmine

    ------------------------------
    Jasmine
    ------------------------------


  • 2.  RE: Manipulate a data table from scripts

    Posted Wed April 15, 2020 05:03 AM
    There are multiple examples you can look at in the OOTB integrations from the App Exchange.

    Example of creating a new row in a table from an artifact action:
    # Record the artifact being deleted as a new row of the "deleted_artifacts" table
    
    from java.util import Date
    
    new_row = incident.addRow("deleted_artifacts")
    description = artifact.description
    new_row.artifact_id = artifact.id
    new_row.type = str(artifact.type)
    new_row.value = str(artifact.value)
    # description is a rich-text field: None when unset, otherwise a dict with a "content" entry
    new_row.description = "" if description is None else str(description["content"])
    # audit line so the table shows when the artifact was removed
    new_row.comments = "Deleted the {}".format(Date())


    Modify a value in a table from a data table action:

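    # Push a row of the deleted-artifacts table back to the incident as an artifact
    
    from java.util import Date
    
    def _cell_text(cell):
      """Return the text of a rich-text cell, or "" when the cell is unset (None)."""
      # NOTE(review): rich-text fields elsewhere on this page are None when never set;
      # indexing ["content"] on such a cell would fail, hence the guard. Verify for table rows.
      return "" if cell is None else cell["content"]
    
    # one timestamp so the artifact description and the row comment agree
    now = Date()
    description = _cell_text(row.description)
    previous_comments = _cell_text(row.comments)
    # the new artifact's description carries the original row data plus an audit line
    low_text = "{} \n Original ID {} {} \n Pushed back to Artifact the {}".format(description, row.artifact_id, previous_comments, now)
    # leave an audit trail in the row itself
    row.comments = "{} \n Pushed back the {}".format(previous_comments, now)
    
    # the row's type and value cells are re-used unchanged as the new artifact
    incident.addArtifact(str(row.type), str(row.value), str(low_text))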
    



    From the PIPL integration: loop over the JSON "results" returned by the integration to create rows in a table and add the results.
    Additionally, add a comment to the artifact description and a more detailed comment in the notes, or pass this note text to a later integration using workflow properties.

    from java.util import Date
    
    def add_row_to_pipl_datatable(db_timestamp, db_artifact_value, db_match_no, db_property, db_value, db_match, db_inferred):
      """Append one row to the incident's ``pipl_person_data`` datatable.

      Each argument fills one ``pipl_*`` column (``db_timestamp`` ->
      ``pipl_timestamp``, ``db_match_no`` -> ``pipl_possible_match_no``, and
      so on); values are stored exactly as passed in.
      """
      new_row = incident.addRow("pipl_person_data")
      # cells are assigned in the listed order
      cells = (
        ("pipl_timestamp", db_timestamp),
        ("pipl_artifact_value", db_artifact_value),
        ("pipl_possible_match_no", db_match_no),
        ("pipl_property", db_property),
        ("pipl_value", db_value),
        ("pipl_match", db_match),
        ("pipl_inferred", db_inferred),
      )
      for column, cell_value in cells:
        setattr(new_row, column, cell_value)
    
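    def _escape_html(text):
      """Escape the five characters that carry meaning in HTML markup.

      Applied to every value that originates outside the platform (the PIPL
      response, the searched artifact value) before it is embedded in the HTML
      of a datatable cell or a rich-text note, so that response content cannot
      inject markup into what analysts see.
      """
      return (text.replace("&", "&amp;")
                  .replace("<", "&lt;")
                  .replace(">", "&gt;")
                  .replace('"', "&quot;")
                  .replace("'", "&#x27;"))

    def _html_link(url):
      """Return *url* rendered as an HTML anchor, or "" when *url* is empty.

      The URL is escaped before being placed in both the href attribute and
      the link text.
      """
      if not url:
        return ""
      return """<a href='{0}'>{0}</a>""".format(_escape_html(url))

    def _add_person_rows(person, match_no, timestamp):
      """Write one ``pipl_person_data`` row per data point of one PIPL person.

      Args:
        person: one element of ``results.person_list`` (dict-like, PIPL schema).
        match_no: 1-based index of this possible match within the response.
        timestamp: java.util.Date shared by every row of this person.
      """
      # 0-1. The level of confidence that this is the person you are looking for.
      match = str(person.get("@match", ""))
      # Whether this person is made up solely from data inferred by statistical analysis
      # of the search query (controlled on the PIPL side by minimum_probability / infer_persons).
      inferred = str(person.get("@inferred", ""))

      def add(property_name, value):
        # every row of this person shares timestamp, artifact value, match number and flags
        add_row_to_pipl_datatable(timestamp, artifact.value, match_no, property_name, value, match, inferred)

      for name in person.get("names", []):
        add("name", name.get("display", ""))
      for email in person.get("emails", []):
        add("email address", email.get("address", ""))
        add("address_md5", email.get("address_md5", ""))
      for usrname in person.get("usernames", []):
        add("username", usrname.get("content", ""))
      for phone in person.get("phones", []):
        add("phone", phone.get("display_international", ""))
      gender = person.get("gender")
      if gender:
        add("gender", gender.get("content", ""))
      dob = person.get("dob")
      if dob:
        add("dob", dob.get("display", ""))
      for address in person.get("addresses", []):
        add("address", address.get("display", ""))
      for job in person.get("jobs", []):
        add("job", job.get("display", ""))
      for edu in person.get("educations", []):
        add("education", edu.get("display", ""))
      for usr_id in person.get("user_ids", []):
        add("user_id", usr_id.get("content", ""))
      # images and urls are stored as links; the URL text comes from the API response
      for image in person.get("images", []):
        add("image", _html_link(image.get("url", "")))
      for url in person.get("urls", []):
        add("url", _html_link(url.get("url", "")))

    if results.success:
      # Create the datatable rows: one group per possible person, the counter doubling as match number
      possible_person_counter = 0
      for person in results.person_list:
        possible_person_counter += 1
        _add_person_rows(person, possible_person_counter, Date())

      # Save the json result as a note; raw_data is API output and is escaped before entering the HTML
      raw_data = results.raw_data if results.raw_data else ""
      counter = possible_person_counter if possible_person_counter > 0 else ""
      rich_text = u"""<h4><b><u>Pipl Data API response for artifact_value {} returned {} {}: </u></b></h4>\n{}""".format(
        _escape_html(artifact.value), counter, results.pipl_response, _escape_html(u"{}".format(raw_data)))
      low_text = u"""PIPL: Data API response for artifact_value {} returned {} {}""".format(artifact.value, counter, results.pipl_response)
    else:
      low_text = "PIPL: {} not found in Pipl.".format(artifact.value)
      rich_text = _escape_html(low_text)

    # Create a workflow property with the result, or write it in a note
    if incident.properties.custom_task_id_look_emails > 1:
      # Workflow property consumed later by the task-utils "add note" function.
      # unicode() rather than str(): under Jython 2, str() on text with non-ASCII
      # characters (common in PIPL names/addresses) raises UnicodeEncodeError.
      workflow.addProperty("task_note", {"rich_text": unicode(rich_text)})
    else:
      incident.addNote(helper.createRichText(rich_text))

    # Append the short summary to the artifact description (rich-text field: None when unset)
    if artifact.description is None:
      artifact.description = unicode(low_text)
    else:
      artifact.description = "{} \n {}".format(artifact.description["content"], low_text)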


    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------