IBM QRadar SOAR

IBM QRadar SOAR

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Post-Process script to format json result and add to notes

    Posted Wed February 07, 2024 06:03 PM

    I have a function returns a json result.   I want to use a post-process script to write the result to Notes field with parsed format instead of the raw json text.

    This is my existing post process script to write the raw json text to the Notes field.

    Q1
    Is there a way I can parse it human friendly format when add to the note field?  (E.g. field1:xxxx, field2: xxxx)

    Q2
    Can I pick and choose one or more fields to write to the Note?

    ***Post Process output script***

    results = playbook.functions.results.find_host_result
    if results.get("success"):
    incident.addNote("Endpoint.\n{}".format(results.get("content", {})))

    ***Sample output Result ***

    event. {'data': {'total': 1, 'query': {'search': 'computer1'}, 'sort': {}, 'offset': 0, 'limit': 2, 'entries': [{'_id': 'abcd1234', 'agent_version': '10.10.1', 'excluded_from_containment': False, 'containment_missing_software': False, 'containment_queued': False, 'containment_state': 'normal', 'stats': {'acqs': 2, 'malware_cleaned_count': 0, 'malware_quarantined_count': 0, 'alerting_conditions': 0, 'alerts': 0, 'exploit_alerts': 0, 'exploit_blocks': 0, 'malware_alerts': 0, 'generic_alerts': 0, 'false_positive_alerts': 0, 'false_positive_alerts_by_source': {}, 'malware_false_positive_alerts': 0}, 'hostname': 'computer1', 'domain': 'Mydomain', 'ad_domain_comps': 'mydomain, com, net, mycompany', 'ad_org_units': 'MyOU, Servers', 'ad_common_names': 'compputer1', 'gmt_offset_seconds': -28800, 'timezone': 'Pacific Standard Time', 'primary_ip_address': '10.10.10.1', 'last_audit_timestamp': '2024-02-06T22:49:02.675Z', 'last_poll_timestamp': '2024-02-07T04:09:33.000Z', 'last_poll_ip': '10.10.10.1', 'reported_clone': False, 'initial_agent_checkin': '2023-05-31T15:39:07.676Z', 'url': '/hx/api/v3/hosts/abcd1234', 'last_alert': None, 'last_exploit_block': None, 'last_alert_timestamp': None, 'last_exploit_block_timestamp': None, 'sysinfo': {'url': '/hx/api/v3/hosts/abcd1234/sysinfo'}, 'os': {'product_name': 'Windows Server 2022 Datacenter', 'patch_level': None, 'bitness': '64-bit', 'platform': 'win', 'kernel_version': None}, 'primary_mac': '00-01-02-03-02-01'}]}, 'message': 'OK', 'details': [], 'route': '/hx/api/v3/hosts'}



    ------------------------------
    Ray Tam
    ------------------------------


  • 2.  RE: Post-Process script to format json result and add to notes

    Posted Thu February 08, 2024 08:16 AM

    Hi Ray,

    you can put the desired data in key: value form, so for that you need to create regex so that you can remove the unnecessary brackets. 

    here is the example 

    for result in results:
    result = "{" + result + "}"
    jsonres = json.dumps(result)
    dictres = json.loads(jsonres)
    dictres = dictres.replace('["','')
    dictres = dictres.replace('"]','')
    dictres = dictres.replace(';','/')
    dictres = dictres.replace('=','/')
    dictres = dictres.replace("'",'"')
    dictres = json.loads(dictres)


    ------------------------------
    Akash Jaiswal
    ------------------------------

    Original Message


  • 3.  RE: Post-Process script to format json result and add to notes

    Posted Thu February 08, 2024 10:52 AM

    Hi Akash,

    Thanks for the example.   Let me give it a try.   I have some experience with regex but I am very new to Python.
    Hopefully I can make it work.



    ------------------------------
    Ray Tam
    ------------------------------

    Original Message


  • 4.  RE: Post-Process script to format json result and add to notes

    Posted Thu February 08, 2024 04:06 PM

    Hi Ray,

    We have a script on the AppExchange to convert json results into Rich Text for notes. It attempts to render the data in a helpful manager, for instance, rendering URLs as links and well formatted key/value pairs. Have a look at this app: https://exchange.xforce.ibmcloud.com/hub/extension/87743634a7d07fca17ee7696f2e6888a.

    Hope this helps.



    ------------------------------
    Mark Scherfling
    ------------------------------

    Original Message


  • 5.  RE: Post-Process script to format json result and add to notes

    Posted Thu February 08, 2024 05:45 PM

    Hi Mark,

    Thanks for point out the "Covert json results into Rich text.  I will also take a look and see if I can figure out how it works.

    Note: I forgot to mention I am new to the QRadar SOAR. If there are any good resources to learn about Playbook, workflow or some pre-defined scripts.  Please share. 



    ------------------------------
    Ray Tam
    ------------------------------

    Original Message


  • 6.  RE: Post-Process script to format json result and add to notes

    Posted Thu February 08, 2024 06:53 PM

    Just took a look but not sure if I understand how to use it.  I added the "Convert Json to rich text" script after the fn has the output.  It ran without error but it is not written any note to the Incident.   



    ------------------------------
    Ray Tam
    ------------------------------

    Original Message


  • 7.  RE: Post-Process script to format json result and add to notes

    Posted Fri February 09, 2024 09:12 AM

    Hi Ray,

    Please review the documentation associated with this script. There is specific setup needed to place the results into workflow or playbook properties in the correct format for the conversion script. It takes a little additional work to get this setup. But once in place, it's a pattern you can use over and over.

    Hope this helps.

    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------

    Original Message


Related Content