IBM QRadar SOAR

  • 1.  Using Artifacts in Playbook Function scripts

    Posted Tue April 19, 2022 10:41 PM
    Hi.

    I am looking for documentation on how to use Incident Artifacts in Playbook function scripts.
    Specifically, I am trying to use IP address artifacts in an incident with netMiko scripts to add them to a firewall address book.

    The goal is to use SOAR to update a firewall address book based on QRadar offenses that have been created in SOAR.
    I've been able to get the QRadar to SOAR functions working correctly, and SOAR to Firewall communication working as well.

    I've been able to find variables like "incident.id"; however, there doesn't seem to be much documentation on how to retrieve artifacts so I can use them as variables in the scripts to modify the firewall device.

    Thank you.

    ------------------------------
    Pumynt Chooboonraj
    Solution Architect
    Sphere Grouppe Pty Ltd
    Melbourne VIC
    ------------------------------


  • 2.  RE: Using Artifacts in Playbook Function scripts

    Posted Wed April 20, 2022 02:37 AM
    Would you please take a look at this post?
    https://community.ibm.com/community/user/security/blogs/sam-wang/2021/12/06/decorate-artifacts-using-soar-functions-in-v43

    ------------------------------
    Leo Kuo
    ------------------------------



  • 3.  RE: Using Artifacts in Playbook Function scripts

    Posted Wed April 20, 2022 04:30 AM
    Hi.

    Thank you! That was helpful.
    However, while I was able to create an Artifact playbook, how do I get it to look up incident variables, like incident id?
    Also, even the script in the Artifact playbook had issues with the inputs.

    inputs.netdevice_ids = 'fw'
    inputs.netdevice_config_cmd = 'set security zones security-zone untrust address-book address qradar_offense_9990' artifact.value'/32'

    I tried using the above as script inputs: basically a static netmiko configuration string with the auto-populated artifact value, but executing it results in syntax errors.

    ------------------------------
    Pumynt Chooboonraj
    Solution Architect
    Sphere Grouppe Pty Ltd
    Melbourne VIC
    ------------------------------
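
    Added example (not code from the thread or from IBM's docs): a Python function input script in the shape the reply above is aiming for, which builds the netmiko configuration command from the artifact and the incident id. The difference from the snippet above is that the artifact value is validated as an IP address before it is concatenated, so a malformed or attacker-controlled artifact string cannot smuggle extra CLI syntax onto the firewall. In a real SOAR function input script the platform provides `artifact`, `incident` and `inputs` as globals; here they are replaced by constructed stand-ins so the file runs offline, and the artifact type name "IP Address" is an assumption about the SOAR type label.

```python
# Added example, not the thread's or IBM's code: a SOAR-style function input
# script that derives the netmiko config command from an artifact value.
#
# Assumption: in SOAR the platform injects `artifact`, `incident` and `inputs`
# as script globals; the SimpleNamespace objects at the bottom stand in for
# them so this file can run on its own.
import ipaddress
import re
from types import SimpleNamespace

# Conservative character set for Junos address-book and zone names, so an
# incident or offense id can never contribute spaces, quotes or other syntax.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,63}$")


def build_address_book_cmd(artifact_value, address_name, zone="untrust"):
    """Return one 'set security ...' line for the given artifact value.

    Raises ValueError when the artifact is not a plain IPv4/IPv6 address or
    when the address/zone name falls outside the allowed character set, so
    the caller never pushes a malformed or injected string to the firewall.
    """
    value = str(artifact_value).strip()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError as exc:
        raise ValueError("artifact value is not an IP address: %r" % value) from exc
    if not _NAME_RE.match(address_name) or not _NAME_RE.match(zone):
        raise ValueError("unsafe address-book or zone name")
    # Host entries: /32 for IPv4, /128 for IPv6.
    prefix = 32 if ip.version == 4 else 128
    return "set security zones security-zone %s address-book address %s %s/%d" % (
        zone,
        address_name,
        ip.compressed,
        prefix,
    )


def function_input_script(artifact, incident, inputs):
    """Body of a function input script (constructed stand-in for SOAR's globals).

    Only IP-address artifacts produce a command; any other artifact type is
    skipped by returning None so the playbook can short-circuit on it.
    Assumption: "IP Address" is the SOAR artifact type label.
    """
    if artifact.type != "IP Address":
        return None
    inputs.netdevice_ids = "fw"
    inputs.netdevice_config_cmd = build_address_book_cmd(
        artifact.value, "qradar_offense_%s" % incident.id
    )
    return inputs.netdevice_config_cmd


# Constructed stand-ins for the objects SOAR would provide to the script.
sample_artifact = SimpleNamespace(type="IP Address", value="203.0.113.45")
sample_incident = SimpleNamespace(id=9990)
sample_inputs = SimpleNamespace()

if __name__ == "__main__":
    print(function_input_script(sample_artifact, sample_incident, sample_inputs))
```

    In the playbook, the same validation belongs in the function input script rather than only in the netmiko function, since that is the point where the artifact value first leaves SOAR's data model and becomes part of a device command.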



  • 4.  RE: Using Artifacts in Playbook Function scripts

    Posted Wed April 20, 2022 06:52 AM
    Hi!

    I realized that I needed to write in Python, so the syntax errors are resolved now.

    Thanks!

    ------------------------------
    Pumynt Chooboonraj
    Solution Architect
    Sphere Grouppe Pty Ltd
    Melbourne VIC
    ------------------------------



  • 5.  RE: Using Artifacts in Playbook Function scripts

    Posted Wed April 20, 2022 09:24 AM
    That's good to hear.

    The artifact script operations can be found here.
    https://www.ibm.com/docs/en/sqsp/43?topic=scripts-artifact-operations

    Also, this is the official documentation link for the IBM SOAR product, so you may find many useful references, such as the function input script.
    https://www.ibm.com/docs/en/sqsp/43?topic=playbook-function-input-script

    ------------------------------
    Leo Kuo
    ------------------------------