Asad,
I would recommend creating a function to get all of the artifacts on an incident. This function would use the Resilient API, specifically the GET /orgs/{org_id}/incidents/{inc_id}/artifacts endpoint (it's possible this function already exists on the community, I'm not sure).
This endpoint will return a list of dictionaries where each dictionary is an artifact on the incident. Within each artifact's dictionary will be a hits key. Here's an example with most of the other artifact data removed:
{
    ...
    "hits": [
        {
            "value": "https://exmaple.com",
            "threat_source_id": 122,
            "artifact_type_id": 3,
            "properties": {
                "Analysis Start Time": "2021-09-03T19:53:45+00:00",
                "Full Report": "https://sandbox-analysis.com/urls/573e2bc054fd1dea202989be35b18abc5e64ef38d18a3dca13e71c2f57882d93",
                "Threat Score": "72",
                "Verdict": "malicious"
            },
            "active": true
        }
    ],
    ...
}
If you pass in the query parameter handle_format=objects with your API request, you'll get the CTS name along with the ID. This would also be helpful for the key type, which will contain the ID of the artifact type and the name of the artifact type (URL, DNS Name, etc.).
Once this function is created I would call it in the workflow before you call the outbound email function. Within the pre-process script of the outbound email function you could iterate over the results of the first function, look for any applicable artifact types, and then look for the scan data you want included in the email (threat score, etc.). You could then use that data as the input to the outbound email function.
Best of luck!
------------------------------
Liam Mahoney
------------------------------
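The approach in the reply above, as an added example that is not code from the thread or from the Outbound Email app: fetch the incident's artifacts, keep only the artifact types of interest, pull the scan properties out of each active hit, and render the lines that would be handed to the outbound email function. The `client` is assumed to be any object with a `get(uri)` method (the `resilient` SDK's `SimpleClient` has one and prefixes the `/orgs/{org_id}` part itself); the sample artifact list, the "IP Address" type name and the IP/domain values are constructed for the example, modelled on the hits structure quoted in the reply.

```python
from typing import Any, Dict, Iterable, List

# With handle_format=objects the "type" key is assumed to come back as
# {"id": ..., "name": ...}, as described in the reply.
ARTIFACTS_URI = "/incidents/{inc_id}/artifacts?handle_format=objects"

# Constructed sample response, not real data: one URL, two IPs, one DNS name.
SAMPLE_ARTIFACTS: List[Dict[str, Any]] = [
    {
        "id": 1, "value": "https://exmaple.com", "type": {"id": 3, "name": "URL"},
        "hits": [{
            "value": "https://exmaple.com", "threat_source_id": 122, "artifact_type_id": 3,
            "properties": {
                "Analysis Start Time": "2021-09-03T19:53:45+00:00",
                "Full Report": "https://sandbox-analysis.com/urls/REPORT_ID_PLACEHOLDER",
                "Threat Score": "72", "Verdict": "malicious",
            },
            "active": True,
        }],
    },
    {
        "id": 2, "value": "203.0.113.7", "type": {"id": 1, "name": "IP Address"},
        "hits": [{"value": "203.0.113.7", "threat_source_id": 122, "artifact_type_id": 1,
                  "properties": {"Threat Score": "10", "Verdict": "clean"}, "active": True}],
    },
    {
        "id": 3, "value": "example.net", "type": {"id": 2, "name": "DNS Name"},
        "hits": [{"value": "example.net", "threat_source_id": 122, "artifact_type_id": 2,
                  "properties": {"Threat Score": "55", "Verdict": "suspicious"}, "active": True}],
    },
    {
        # An inactive hit: skipped below so stale verdicts do not reach the email.
        "id": 4, "value": "198.51.100.9", "type": {"id": 1, "name": "IP Address"},
        "hits": [{"value": "198.51.100.9", "threat_source_id": 122, "artifact_type_id": 1,
                  "properties": {"Threat Score": "90", "Verdict": "malicious"}, "active": False}],
    },
]


def fetch_artifacts(client, inc_id: int) -> List[Dict[str, Any]]:
    """GET the incident's artifacts; `client.get` is assumed to return the parsed JSON list."""
    return client.get(ARTIFACTS_URI.format(inc_id=inc_id))


def artifact_type_name(artifact: Dict[str, Any]) -> str:
    """Return the type name whether "type" is an objects-format dict or a bare ID."""
    type_field = artifact.get("type")
    if isinstance(type_field, dict):
        return str(type_field.get("name", ""))
    return str(type_field)


def collect_scan_results(artifacts: Iterable[Dict[str, Any]], wanted_types: Iterable[str],
                         wanted_props: Iterable[str] = ("Threat Score", "Verdict")) -> List[Dict[str, Any]]:
    """Keep active hits on artifacts of the wanted types and extract the wanted properties."""
    wanted = set(wanted_types)
    props_wanted = tuple(wanted_props)
    results = []
    for artifact in artifacts:
        type_name = artifact_type_name(artifact)
        if type_name not in wanted:
            continue
        for hit in artifact.get("hits") or []:
            if not hit.get("active", True):
                continue
            props = hit.get("properties") or {}
            results.append({
                "type": type_name,
                "value": artifact.get("value"),
                "threat_source_id": hit.get("threat_source_id"),
                "scan": {k: props[k] for k in props_wanted if k in props},
            })
    return results


def format_email_body(results: List[Dict[str, Any]]) -> str:
    """Render one line per hit; this string is what the pre-process script would pass on."""
    if not results:
        return "No threat-intelligence hits on the selected artifacts."
    lines = []
    for r in results:
        scan = ", ".join(f"{k}: {v}" for k, v in r["scan"].items()) or "no scan data"
        lines.append(f"{r['type']} {r['value']} (source {r['threat_source_id']}): {scan}")
    return "\n".join(lines)


class FakeClient:
    """Stand-in for a REST client so the example runs offline; records the URIs requested."""
    def __init__(self, payload):
        self.payload = payload
        self.calls: List[str] = []

    def get(self, uri: str):
        self.calls.append(uri)
        return self.payload


if __name__ == "__main__":
    artifacts = fetch_artifacts(FakeClient(SAMPLE_ARTIFACTS), 2095)
    print(format_email_body(collect_scan_results(artifacts, ["URL", "IP Address"])))
```

In the real workflow the first function would return this list to the pre-process script, which calls `collect_scan_results` with the artifact types the networking team cares about and sets the email body from `format_email_body`; filtering on `active` keeps superseded hits out of the message.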
Original Message:
Sent: Fri September 03, 2021 08:16 AM
From: Asad Aftab
Subject: Send Artifacts via Outbound Email
Hi Team,
We are trying to send artifacts scan data (threat score etc.) via fn_email_outbound. We need to fetch source and destination IP and their reputation from artifacts and send them as outbound email text to the networking team. We are using the following extension: IBM Security App Exchange - Outbound Email for SOAR.
The current flow is based on Incident and we cannot directly call the artifact.
If you have any idea how we can send the artifacts scan result (X-Force) to the respective team via outbound email text, do let us know.
Regards,
Asad Aftab
------------------------------
Asad Aftab
------------------------------