IBM QRadar SOAR

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Script action won't add tags

    Posted Fri April 17, 2026 05:39 AM

    Hello community,

    I'm trying to add tags to my enriched artifacts within a single script action:

    for alert in alerts:
      ip_artifact = incident.addArtifact('IP Address', alert.get('ip'), 'test artifact')
      ip_artifact.addTags(['ioc'])

    The addArtifact function is described as returning an artifact script object to interact with further down in the script, so I guess artifact.addTags should apply to it as well. However, unfortunately, it does not: addTags has no result. The artifact is successfully created but without any tags on it. Am I missing something here?



    ------------------------------
    Mykhailo Honcharov
    ------------------------------


  • 2.  RE: Script action won't add tags

    Posted Mon April 20, 2026 01:58 AM
    Hello Mykhailo.
     
    I think you run the script where the object type is incident.
     
    I'm afraid that addTags is a method that is related to the artifact object.
    In this context, addTags can be used where the object type is artifact.
     
    Though it's not elegant, I think the following is one way:
    (Substitute the hard-coded parts to fit your needs.)
     
    1. create a custom field like artifact_tag with json type.
    2. create a script with the condition that object type is incident
     
    ex. 
     
    ---
    import json
     
    # tags are temporarily stored in incident custom field 
    artifact_tags = ['ioc1','ioc2']
    incident.properties.artifact_tags = json.dumps(artifact_tags) 
     
    # add artifact to the incident
    incident.addArtifact('IP Address', '1.2.3.4', 'test ip')
    ---
     
    3. create a script with the condition that object type is artifact
     
    ex.
     
    ---
    import json
    tags = json.loads(incident.properties.artifact_tags) # loads tags data from incident custom field
    artifact.addTags(tags) # add tags
    ---
     
    4. create a rule to run the script created in 3 with
          - object type is artifact
          - artifact is created
     
    Then invoke the script created in 2. 
     
    Then, by creating an artifact in script 2, script 3 is subsequently invoked.
     


    ------------------------------
    Yohji Amano
    ------------------------------
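
Added example, not part of any post in this thread and not IBM's code: the two-script handoff from the reply above, generalized so each artifact gets its own tags (a JSON map keyed by artifact value instead of one shared list) and the artifact script tolerates an empty or malformed field. The `Incident`, `Artifact` and `Properties` classes are stand-ins for the objects SOAR injects, the field name `artifact_tags` follows the reply's code, and the `tags` key on each alert is an assumption.

```python
import json

# Stand-ins for the objects SOAR injects into in-product scripts, so the logic
# runs offline. Only the members used in this thread are modelled.
class Artifact:
    def __init__(self, type_, value):
        self.type, self.value, self.tags = type_, value, []
    def addTags(self, tags):
        self.tags.extend(tags)

class Properties:
    artifact_tags = None  # the incident custom field from step 1

class Incident:
    def __init__(self):
        self.properties, self.artifacts = Properties(), []
    def addArtifact(self, type_, value, description):
        self.artifacts.append(Artifact(type_, value))

def incident_script(incident, alerts):
    """Step 2 (object type: incident): store tags per IP, then create artifacts."""
    tag_map = {}
    for alert in alerts:
        ip = alert.get('ip')
        if not ip:
            continue  # nothing to create an artifact from
        tags = tag_map.setdefault(ip, [])
        for tag in alert.get('tags', []):
            if tag not in tags:
                tags.append(tag)
    incident.properties.artifact_tags = json.dumps(tag_map)
    for ip in tag_map:
        incident.addArtifact('IP Address', ip, 'test artifact')
    return tag_map

def artifact_script(incident, artifact):
    """Step 3 (object type: artifact): tag only the artifact that triggered the rule."""
    try:
        tag_map = json.loads(incident.properties.artifact_tags or '{}')
    except ValueError:
        tag_map = {}  # field does not hold JSON: add no tags
    tags = tag_map.get(artifact.value, []) if isinstance(tag_map, dict) else []
    tags = [t for t in tags if isinstance(t, str) and t]
    if tags:
        artifact.addTags(tags)
    return tags

# Constructed sample alerts; the 'tags' key is an assumption.
ALERTS = [{'ip': '1.2.3.4', 'tags': ['ioc']}, {'ip': '5.6.7.8', 'tags': []},
          {'ip': '1.2.3.4', 'tags': ['ioc', 'c2']}, {'tags': ['orphan']}]
```
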



  • 3.  RE: Script action won't add tags

    Posted Mon April 20, 2026 05:31 PM

    Indeed my trigger is set to Incident Automatic but that should not be an issue as the documentation clearly states that incident.addArtifact:

    Adds an artifact to the incident with the provided type, value, and description. Returns an artifact script object for further customization.

    So I'm not entirely sure why I can't just run artifact.addTags on the artifact returned by incident.addArtifact. And yet again I stumble upon the thing with IBM QRadar SOAR that there is still so much hassle to perform a simple operation that should be, or is even documented to be, possible with quite low effort. Odd...



    ------------------------------
    Mykhailo Honcharov
    ------------------------------



  • 4.  RE: Script action won't add tags

    Posted Tue April 21, 2026 03:55 AM

    By reading through the description of addArtifact on https://github.com/ibmresilient/resilient-scripts/blob/master/python3/incident/README.md, I understand that you have reason to feel so.



    ------------------------------
    Yohji Amano
    ------------------------------



  • 5.  RE: Script action won't add tags

    Posted Mon April 20, 2026 05:35 PM

    And btw don't get the wrong feeling here: even though I wished it worked the way it says it should, I very much appreciate your insight into my issue.

    Thank you 😁



    ------------------------------
    Mykhailo Honcharov
    ------------------------------



  • 6.  RE: Script action won't add tags

    Posted Wed April 22, 2026 06:48 AM

    Hi Mykhailo,

    I'm afraid it's not possible to modify an artifact object from within a script in the incident object scope. The text you quote is definitely open to this interpretation, so I'll ask dev to see if they can make this clear in future.



    ------------------------------
    Martin Feeney
    Product Manager, IBM Security QRadar SOAR
    martin.feeney@ie.ibm.com
    ------------------------------