IBM QRadar SOAR

  • 1.  Tips and Tricks

    Posted Fri October 12, 2018 02:12 PM
    Useful things you've come across while using Resilient.
    It can pertain to: 
    • Implementation
    • Integrations
    • Reporting
    • Workflows and functions
    • And anything else you can think of

    Thanks for sharing.

    ------------------------------
    Connor Costello - Resilient
    ------------------------------


  • 2.  RE: Tips and Tricks

    Posted Tue October 16, 2018 04:50 AM
    Edited by Connor Costello Mon January 28, 2019 09:15 AM
    Here is code to add a RichText Note to an Incident:
    # Green by default; switch to red when the analysis result is anything other than "clean"
    color = "#45bc27"

    if results.analysis_status != "clean":
        color = "#ff402b"

    # results, incident and helper are objects provided by the Resilient script engine
    noteText = """<br>Analysis <b>{0}</b> has completed
                  <b>Report URL:</b> <a href='{1}'>{1}</a>
                  <b>Detection Status:</b> <b style="color: {2}">{3}</b>""".format(results.analysis_report_name, results.analysis_report_url, color, results.analysis_status)

    incident.addNote(helper.createRichText(noteText))
    *This will also work for a Task

    ------------------------------
    Shane Curtin
    Integrations Engineer - IBM Resilient
    ------------------------------



  • 3.  RE: Tips and Tricks

    Posted Tue October 16, 2018 09:12 AM
    When building Functions, depending on which version of the Resilient Platform you are using, you may need to compose different logic to achieve the results you desire. One of the improvements in version 31 is a change in how we handle dictionary data structures. From this version onward you may iterate and access a dictionary's attributes using either the .keys() or .items() functions.
    Example:
    # Getting a handle on key using .keys() then accessing value using the key
    if results.artifacts is not None:
      for artifact_type in results.artifacts.keys():
        incident.addArtifact(artifact_type, results.artifacts[artifact_type], 'Artifact created using .keys() function')


    # Getting a handle on both key and value with .items()
    if results.artifacts is not None:
      for artifact_type, artifact_value in results.artifacts.items():
        incident.addArtifact(artifact_type, artifact_value, 'Artifact created using .items() function')


    However, if you are using any previous version, you will need to change your approach to this problem. One way to get similar functionality is to break up a dictionary into 2 lists: one for the keys and one for the values. You can then get a handle on 1 key and 1 value in parallel using zip().

    Example: 

    # This is functionally similar to the two examples above, whereby we get a handle on a key from 1 list and the value from another
    # zip() stops at the shorter list, so both lists must be the same length for every artifact to be created
    if results.artifact_keys_as_list and results.artifact_values_as_list:
      for artifact_type, artifact_value in zip(results.artifact_keys_as_list, results.artifact_values_as_list):
        incident.addArtifact(artifact_type, artifact_value, 'Gotten a handle on the key and the value simultaneously using zip()')


    ------------------------------
    Ryan Gordon
    ------------------------------
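The two workarounds in this thread, modelled in plain Python as an added example (not IBM's code and not the Resilient script API): the function-side split of an artifact dictionary into the parallel lists the pre-v31 zip() approach needs, a script-side check that refuses mismatched lists instead of letting zip() silently drop artifacts, and the RichText note from post 2 with the values HTML-escaped, since a report name or URL returned by an external analysis service otherwise lands in the note as raw markup. The results payload, field names and the `html` module are assumptions.

```python
import html

# Constructed sample payload; the real shape is whatever your function returns.
SAMPLE_RESULTS = {
    "analysis_report_name": "Sample <script>alert(1)</script> report",
    "analysis_report_url": "https://example.invalid/report/123",
    "analysis_status": "malicious",
    "artifacts": {"IP Address": "198.51.100.7", "DNS Name": "example.invalid"},
}


def split_artifacts(artifacts):
    """Function side (pre-v31 workaround): return the dict as two parallel
    lists so the post-process script can zip() them back together."""
    keys = list(artifacts.keys())
    return keys, [artifacts[k] for k in keys]


def pair_artifacts(keys, values):
    """Script side: rebuild (type, value) pairs, refusing lists of different
    length because zip() would silently discard the unmatched tail."""
    if len(keys) != len(values):
        raise ValueError("artifact key/value lists differ in length: %d vs %d"
                         % (len(keys), len(values)))
    return list(zip(keys, values))


def build_note(results):
    """Same note as the thread's RichText example, with every value escaped
    so externally supplied text cannot inject HTML into the incident note."""
    color = "#45bc27" if results["analysis_status"] == "clean" else "#ff402b"
    name = html.escape(results["analysis_report_name"])
    url = html.escape(results["analysis_report_url"], quote=True)
    status = html.escape(results["analysis_status"])
    return ('<br>Analysis <b>{0}</b> has completed'
            '<br><b>Report URL:</b> <a href="{1}">{1}</a>'
            '<br><b>Detection Status:</b> <b style="color: {2}">{3}</b>'
            ).format(name, url, color, status)


if __name__ == "__main__":
    k, v = split_artifacts(SAMPLE_RESULTS["artifacts"])
    print(pair_artifacts(k, v))
    print(build_note(SAMPLE_RESULTS))
```

In a real script the escaped string is still passed to helper.createRichText() exactly as in post 2; only the values interpolated into it change.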