Original Message:
Sent: Thu October 12, 2023 07:51 AM
From: Boon Chang Tan
Subject: QRadar Custom Action Script
Hi Paul,
What kind of alerts does "Notify rule response" gives? Will it have a pop-up like system notifications?
It will only appear in the Offenses tab right?
Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
Original Message:
Sent: Thu October 12, 2023 07:13 AM
From: Paul Ford-Hutchinson
Subject: QRadar Custom Action Script
The best way to do that would be to use the "Notify" Rule Response - not the "Execute Custom Action" at all
Paul
------------------------------
Paul Ford-Hutchinson
Original Message:
Sent: Thu October 12, 2023 03:50 AM
From: Boon Chang Tan
Subject: QRadar Custom Action Script
Hi Paul,
Thank you for the reference discussion. The .txt file is now able to be seen. It seems to be recording the UTC time of when it is executed.
How do I make it such that it executes a notification to alert users of QRadar?
Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
Original Message:
Sent: Tue October 10, 2023 03:17 AM
From: Paul Ford-Hutchinson
Subject: QRadar Custom Action Script
Please review this discussion ... https://community.ibm.com/community/user/security/discussion/custom-action-account-customactionuser#bm3a6626a5-738a-4c3d-b13d-018adbac5f1b
------------------------------
Paul Ford-Hutchinson
Original Message:
Sent: Mon October 09, 2023 11:57 PM
From: Boon Chang Tan
Subject: QRadar Custom Action Script
Hi Paul,
I have implemented a script which is exactly as the one you posted.
I am getting the message "Text written to /home/customactionuser/test.txt". However, I could not seem to find this test.txt in /home/customactionuser/.
Refer to attached screenshot. Perhaps there is something I am missing out.
Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
Original Message:
Sent: Mon October 09, 2023 06:05 AM
From: Paul Ford-Hutchinson
Subject: QRadar Custom Action Script
Does your script look like this (it should):
#!/bin/bashdatetime="$(date)"echo " Custom Action Script Test Time: $datetime" >> /home/customactionuser/test.txtecho "Text written to /home/customactionuser/test.txt"
Because that page looks bit confusing to me.
Also, for BASH, the file endings on the file must be UNIX (LF only) and not Windows (CR/LF)
------------------------------
Paul Ford-Hutchinson
Original Message:
Sent: Mon October 09, 2023 05:18 AM
From: Boon Chang Tan
Subject: QRadar Custom Action Script
Hi Karl,
Executed, and it says "Execution Successful". However, the test.txt does not appear in the directory.
Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
Original Message:
Sent: Mon October 09, 2023 05:05 AM
From: Karl Jaeger
Subject: QRadar Custom Action Script
Tan
if test.txt does not show up the test script didn't execute correctly I guess.
what about testing the script via Admin tab ? Did you execute this step ? Results?
------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
Original Message:
Sent: Sun October 08, 2023 10:24 AM
From: Boon Chang Tan
Subject: QRadar Custom Action Script
Hi,
I followed the steps in this tutorial: https://www.ibm.com/support/pages/qradar-custom-action-script-testing-scripts
Adding the test script in Admin, adding a rule to trigger the action, and trigger that rule.
Somehow, the test.txt is not appearing as expected.
Wish to have some advice/help.
Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
------------------------------