IBM Security QRadar SOAR

  • 1.  Preferred way of updating incident notes and attachments

    Posted Tue February 18, 2020 10:02 AM

    Hi All,

    I have a function which adds some attachments (JPEG and TXT files available as Base64 data from an external API) and also adds some notes to the incident. Which of the following techniques should I follow to achieve this:

    1- Add Attachments in the function code and update the notes in Post-Process script.
    2- Add Attachments and update the notes both in function code.

    The reason for my confusion is that IBM Resilient recommends that functions should be modular and everything related to updating incidents should be done in the post-process script, while on the other hand it makes sense for me to be consistent and update both the notes and attachments in my function code only and do nothing in post-process scripts.

    Please help me choose the best and consistent practice to achieve my objective.

    Thanks!



    ------------------------------
    Umair Ahmed
    ------------------------------


  • 2.  RE: Preferred way of updating incident notes and attachments

    IBM Champion
    Posted Wed February 19, 2020 10:52 AM
    Umair,

    Both ways would achieve what you want, so it's really going to come down to a matter of preference. Personally, I would lean towards moving forward with option 1.

    You described two functionalities:
    A) adding attachments to the incident
    B) posting notes about the attachments that were added to the incident

    Option 1 allows the two functionalities to be separated. It may be possible that in the future you want to post the attachments without having to post the notes about those attachments. Whatever data you want to post to the notes can be returned from the function so it should be consistent with what you were going to post from within the function.

    It's entirely possible that you'll always want to post the notes after posting the attachments, in which case option 2 would work just as well.

    One of my co-workers reminds me to keep things as reusable as possible. I have seen the benefit of this already within Resilient and I am able to quickly put together workflows with modular functions and scripts, rather than having to create customized functions/scripts for each workflow.

    Sorry this isn't a straightforward answer, but it's going to come down to your preferences and what you think will best fit your Resilient environment.

    Best of luck!

    ------------------------------
    Liam Mahoney
    ------------------------------



  • 3.  RE: Preferred way of updating incident notes and attachments

    Posted Mon February 24, 2020 02:56 PM
    It is best if you keep Functions Resilient-independent. Think of a Function just like a standard programming function: it has inputs and outputs. If you keep those specific to the function, you'll be able to reuse the Function more easily in different contexts. The pre-process and post-process capabilities of a workflow allow you to add Resilient-specific logic and capabilities.

    There may be some things that you want to do that you can't do in the in-product scripting. For those cases you could either post to a message destination or use a Function that does Resilient-specific capabilities.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
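A sketch of the split both answers recommend (option 1: the function only decodes and posts the attachments and returns data; the post-process step turns that data into a note), as an added example that is not part of the thread or of the SOAR SDK. FakeRestClient, its post_attachment method and SAMPLE_API_RESPONSE are constructed stand-ins so the example runs offline; in a real post-process script the string from post_process_note would be handed to the incident's note API.

```python
import base64
import binascii
from dataclasses import dataclass, field

# Constructed sample input standing in for the external API's Base64 payloads.
SAMPLE_API_RESPONSE = [
    {"name": "photo.jpg",
     "data": base64.b64encode(b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 16).decode()},
    {"name": "report.txt", "data": base64.b64encode(b"hello from the API").decode()},
    {"name": "bad.bin", "data": "not*valid*base64"},  # deliberately malformed
]

@dataclass
class FakeRestClient:
    """Constructed stand-in for the SOAR REST client; records what would be posted."""
    posted: list = field(default_factory=list)

    def post_attachment(self, incident_id, name, content, content_type):
        self.posted.append((incident_id, name, content_type, len(content)))

def sniff_content_type(content):
    """Type the decoded bytes by their content, not by the name the API supplied."""
    if content.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    try:
        content.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"

def add_attachments_function(rest_client, incident_id, api_items):
    """The Function half: knows nothing about notes, only returns what it did.
    Strict Base64 validation rejects malformed API data instead of attaching garbage."""
    results = {"added": [], "rejected": []}
    for item in api_items:
        try:
            content = base64.b64decode(item["data"], validate=True)
        except (binascii.Error, ValueError):
            results["rejected"].append({"name": item["name"], "reason": "invalid base64"})
            continue
        ctype = sniff_content_type(content)
        rest_client.post_attachment(incident_id, item["name"], content, ctype)
        results["added"].append({"name": item["name"], "type": ctype, "size": len(content)})
    return results

def post_process_note(results):
    """The post-process half: composes the incident note purely from function results."""
    lines = [f"Attached {a['name']} ({a['type']}, {a['size']} bytes)" for a in results["added"]]
    lines += [f"Skipped {r['name']}: {r['reason']}" for r in results["rejected"]]
    return "\n".join(lines)
```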