IBM QRadar SOAR

  • 1.  Need to capture the specific data from one field to another field

    Posted Tue April 02, 2019 04:22 AM

    I am working on a requirement to remove the below information before creating an incident in ServiceNow.

    * "Short Description" has extra substrings [ex: INC0011372 - 10 events 0 flows magnitude 3 : Firewall Accept by External Host Watchlistn containing Firewall Permitn].

    I am trying to use the Resilient script module to divide the string into two parts separated by the ":" and capture the second string in a new field, i.e. incident.properties.description.

    But it seems split and many other libraries are missing in the Resilient script module.

    Expected output - Firewall Accept by External Host Watchlistn containing Firewall Permitn

    Sample code -

    s = incident.description

    if s is None:
        log.info("No description.")
    elif s.format == "text":
        log.info("Description is text: {}".format(s.content))
    else:
        # Keep the description text itself; log.info() returns None, so its result cannot be split.
        abc = s.content
        log.info("{}".format(abc))
        # Split only on the first ":" so a colon inside the rule name is preserved.
        x = abc.split(":", 1)
        log.info("{}".format(x))  # just for testing - idea to capture and write using the below command.
        if len(x) == 2:
            incident.properties.incident_description = helper.createRichText("{}".format(x[1].strip()))

    Can you please share whether documentation is available with more details on the available libraries and functions?



    ------------------------------
    Abhishek Mahadik
    ------------------------------


  • 2.  RE: Need to capture the specific data from one field to another field

    Posted Tue April 02, 2019 03:10 PM
    Hello Abhishek,

    The in-product scripting is fairly limited and only certain libraries and functions are available.

    Here are some resources you may find useful:

    Example scripts:
    https://success.resilientsystems.com/hc/en-us/articles/115001805365-In-Product-Script-Examples

    Use Cases:
    https://developer.ibm.com/security/resilient/scripts/

    I have also attached the Playbook Designer Guide which goes into some details of the Scripts as well.

    In response to what you are trying to do, one option would be to use the "re" library which is available in this context.

    See the example below:
    import re
     
    # We can use "re.search" to match the pattern around the ":" (raw string so the backslashes reach the regex engine)
    description_pieces = re.search(r'(\S.+\S)\s*:\s*(\S.+\S)', incident.description.content)
    # If it exists
    if description_pieces:
      # We can then pull out the individual pieces
      description_1 = description_pieces.group(1)
      description_2 = description_pieces.group(2)
      # Effectively giving you the same results as a string "split"
      log.info("1" + description_1)
      log.info("2" + description_2)

    I hope this helps.

    ------------------------------
    Andrew Wadsworth
    ------------------------------




  • 3.  RE: Need to capture the specific data from one field to another field

    Posted Tue April 02, 2019 11:45 PM
    Thanks a lot.
    I have used the below script and it is working fine for me.

    import re
    s = incident.description.content
    # Strip the HTML tags from the rich-text description before matching
    plain_body = re.compile(r'(<([^>]+)>)', re.IGNORECASE | re.MULTILINE).sub("\n", s).strip()
    # group(2) is the text before the ":", group(3) the text after it
    des = re.match(r'(([\w\s.-]+):([\s\w\.-]+))', plain_body)
    if des:
        des_incident = des.group(3).strip()
        incident.properties.incident_desc = des_incident
        log.info(des_incident)
    else:
        log.info("Description did not match the expected 'prefix : rule name' layout.")

    Regards
    Abhishek 



    ------------------------------
    Abhishek Mahadik
    ------------------------------
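As an added example (not code from the thread or from the Resilient product), the same tag-stripping and first-colon split from the two answers above, written as plain functions that can be tested outside the in-product script sandbox. It goes a step further than the thread and also parses the assumed QRadar summary layout "<offense id> - <n> events <m> flows magnitude <k> : <rule name>" into fields; the sample description is constructed from the one quoted in the question, and the handling of a missing colon, a colon inside the rule name, and an empty description is shown explicitly.

```python
import re

# Constructed sample: the summary quoted in the question, wrapped in the HTML
# markup that a rich-text incident description carries.
SAMPLE_HTML = ("<div>INC0011372 - 10 events 0 flows magnitude 3 : "
               "Firewall Accept by External Host Watchlist containing Firewall Permit</div>")

TAG_RE = re.compile(r"<[^>]+>")

# Assumed layout of the QRadar-generated summary (not documented on this page).
SUMMARY_RE = re.compile(
    r"^(?P<offense>\S+)\s*-\s*(?P<events>\d+)\s+events\s+(?P<flows>\d+)\s+flows"
    r"\s+magnitude\s+(?P<magnitude>\d+)\s*:\s*(?P<rule>.+)$",
    re.DOTALL,
)


def plain_text(rich_content):
    """Strip HTML tags and collapse whitespace, like the accepted script's re.sub step."""
    if rich_content is None:
        return ""
    return " ".join(TAG_RE.sub(" ", rich_content).split())


def split_description(rich_content):
    """Return (prefix, rule_name) split on the FIRST ':'; rule_name is None if absent."""
    text = plain_text(rich_content)
    head, sep, tail = text.partition(":")
    if not sep:
        return text, None
    return head.strip(), tail.strip()


def parse_summary(rich_content):
    """Parse the assumed summary layout into a dict, or None when it does not match."""
    match = SUMMARY_RE.match(plain_text(rich_content))
    if not match:
        return None
    fields = match.groupdict()
    for key in ("events", "flows", "magnitude"):
        fields[key] = int(fields[key])
    return fields


if __name__ == "__main__":
    print(split_description(SAMPLE_HTML)[1])
    print(parse_summary(SAMPLE_HTML))
```

In the in-product script the only difference is the source of the text (incident.description.content) and the destination (assigning the returned rule name to the custom incident field).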