IBM Security QRadar SOAR


Send Artifacts via Outbound Email

  • 1.  Send Artifacts via Outbound Email

    Posted Fri September 03, 2021 08:51 AM
    Hi Team,

    We are trying to send artifact scan data (threat score etc.) via fn_email_outbound. We need to fetch the source and destination IPs and their reputation from the artifacts and send them as outbound email text to the networking team. We are using the following extension: IBM Security App Exchange - Outbound Email for SOAR
    The current flow is based on the incident, and we cannot directly call the artifacts.

    If you have any idea how we can send the artifact scan results (X-Force) to the respective team via outbound email text, do let us know.

    Regards,
    Asad Aftab

    ------------------------------
    Asad Aftab
    ------------------------------


  • 2.  RE: Send Artifacts via Outbound Email

    Posted Fri September 03, 2021 05:19 PM
    Edited by Liam Mahoney Fri September 03, 2021 05:19 PM

    Asad,

    I would recommend creating a function to get all of the artifacts on an incident. This function would use the Resilient API, specifically the GET /orgs/{org_id}/incidents/{inc_id}/artifacts endpoint (it's possible this function already exists on the community, I'm not sure).

    This endpoint will return a list of dictionaries where each dictionary is an artifact on the incident. Within each artifact's dictionary will be a hits key. Here's an example with most of the other artifact data removed:

    {
      ...
      "hits": [
        {
          "value": "https://example.com",
          "threat_source_id": 122,
          "artifact_type_id": 3,
          "properties": {
            "Analysis Start Time": "2021-09-03T19:53:45+00:00",
            "Full Report": "https://sandbox-analysis.com/urls/573e2bc054fd1dea202989be35b18abc5e64ef38d18a3dca13e71c2f57882d93",
            "Threat Score": "72",
            "Verdict": "malicious"
          },
          "active": true
        }
      ],
      ...
    }


    If you pass in the query parameter handle_format=objects with your API request, you'll get the CTS name along with the ID. This would also be helpful for the key type, which will contain the ID of the artifact type and the name of the artifact type (URL, DNS Name, etc.).

    Once this function is created I would call it in the workflow before you call the outbound email function. Within the pre-process script of the outbound email function you could iterate over the results of the first function, look for any applicable artifact types, and then look for the scan data you want included in the email (threat score, etc.). You could then use that data as the input to the outbound email function.

    Best of luck!



    ------------------------------
    Liam Mahoney
    ------------------------------



  • 3.  RE: Send Artifacts via Outbound Email

    Posted Mon September 06, 2021 11:53 AM
    hello liam,

    Hope you are doing fine. Kindly tell me how to create a function to get all of the artifacts on an incident. You said to use the REST API; can you give us a little more description and tell us where to add that function in Resilient?

    Regards
    Asad Aftab


    ------------------------------
    Asad Aftab
    ------------------------------



  • 4.  RE: Send Artifacts via Outbound Email

    Posted Mon September 06, 2021 12:03 PM
    Asad,

    I think the App Developer's Guide documentation will explain it better than I can. If you have any questions I'd be happy to try and answer them.

    Once you start developing the function I'd take a look at the way this function uses self.rest_client to make requests to the IBM SOAR API. There is a helper object provided with the output of the codegen that makes interacting with the IBM SOAR API very easy from within a function.

    Let us know if you run into any problems.

    ------------------------------
    Liam Mahoney
    ------------------------------
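    The approach Liam outlines in replies 2 and 4, worked through as an added example (this is not IBM's code, not the Outbound Email app's code, and not from the App Developer's Guide): fetch the incident's artifacts with handle_format=objects, keep only the active hits on the artifact types you care about, and turn the threat score and verdict into the email text. The artifact list is constructed; the shape of the "type" and "threat_source" objects, the property names, and the use of rest_client.get() with an org-relative URI (the SimpleClient helper Liam mentions) are assumptions, and an offline stand-in client is used so the example runs without a SOAR server.

    ```python
    """Collect threat-intel hits on an incident's artifacts and render them as
    outbound-email text. Added example, not IBM's or the Outbound Email app's code."""
    from typing import Any, Dict, List, Optional, Sequence

    # Constructed sample of what GET /orgs/{org_id}/incidents/{inc_id}/artifacts
    # could return with handle_format=objects. The object shape of "type" and
    # "threat_source" and the property names are assumptions based on the thread.
    SAMPLE_ARTIFACTS: List[Dict[str, Any]] = [
        {
            "id": 101, "value": "203.0.113.45",
            "type": {"id": 1, "name": "IP Address"},
            "hits": [
                {"threat_source": {"id": 122, "name": "IBM X-Force Exchange"},
                 "active": True,
                 "properties": {"Threat Score": "72", "Verdict": "malicious"}},
                {"threat_source": {"id": 5, "name": "Old Feed"},
                 "active": False,  # inactive hit: skipped below
                 "properties": {"Threat Score": "99", "Verdict": "malicious"}},
            ],
        },
        {
            "id": 102, "value": "198.51.100.7",
            "type": {"id": 1, "name": "IP Address"},
            "hits": [
                {"threat_source": {"id": 122, "name": "IBM X-Force Exchange"},
                 "active": True,
                 "properties": {"Threat Score": "1", "Verdict": "benign"}},
            ],
        },
        {
            "id": 103, "value": "https://example.com",
            "type": {"id": 3, "name": "URL"},
            "hits": [
                {"threat_source": {"id": 122, "name": "IBM X-Force Exchange"},
                 "active": True,
                 "properties": {"Threat Score": "85", "Verdict": "malicious"}},
            ],
        },
        {
            "id": 104, "value": "192.0.2.9",
            "type": {"id": 1, "name": "IP Address"},
            "hits": [],  # never scanned: nothing to report
        },
    ]


    def fetch_artifacts(rest_client, incident_id: int) -> List[Dict[str, Any]]:
        """Inside a resilient-circuits function, pass self.rest_client(); its get()
        prefixes /rest/orgs/{org_id} itself (assumption about the helper)."""
        uri = "/incidents/{}/artifacts?handle_format=objects".format(incident_id)
        return rest_client.get(uri)


    def _as_int(text: Optional[str]) -> Optional[int]:
        """Threat scores arrive as strings ("72"); tolerate missing or odd values."""
        try:
            return int(str(text).strip())
        except (TypeError, ValueError):
            return None


    def collect_hits(artifacts: Sequence[Dict[str, Any]],
                     wanted_types: Sequence[str] = ("IP Address",)) -> List[Dict[str, Any]]:
        """One row per active hit on an artifact of a wanted type, highest score first."""
        rows = []
        for art in artifacts:
            type_name = (art.get("type") or {}).get("name")
            if type_name not in wanted_types:
                continue
            for hit in art.get("hits") or []:
                if not hit.get("active", True):
                    continue  # retired hits would mislead the networking team
                props = hit.get("properties") or {}
                rows.append({
                    "artifact": art.get("value"),
                    "type": type_name,
                    "source": (hit.get("threat_source") or {}).get("name", "unknown"),
                    "score": _as_int(props.get("Threat Score")),
                    "verdict": props.get("Verdict", "n/a"),
                })
        rows.sort(key=lambda r: -1 if r["score"] is None else r["score"], reverse=True)
        return rows


    def build_email_body(rows: List[Dict[str, Any]], incident_id: int) -> str:
        """Plain-text body suitable for the outbound email function's input."""
        if not rows:
            return "Incident {}: no active threat-intel hits on the selected artifacts.".format(incident_id)
        fmt = "{:<18} {:<11} {:<22} {:>5}  {}"
        lines = ["Incident {}: threat-intel hits on {} artifact(s)".format(incident_id, len(rows)), "",
                 fmt.format("Artifact", "Type", "Source", "Score", "Verdict")]
        for r in rows:
            score = "n/a" if r["score"] is None else str(r["score"])
            lines.append(fmt.format(str(r["artifact"]), r["type"], r["source"], score, r["verdict"]))
        return "\n".join(lines)


    def artifact_hits_email_text(rest_client, incident_id: int,
                                 wanted_types: Sequence[str] = ("IP Address",)) -> str:
        """End-to-end: API call, filtering, and email text in one step."""
        return build_email_body(collect_hits(fetch_artifacts(rest_client, incident_id), wanted_types),
                                incident_id)


    class _OfflineClient:
        """Stand-in for self.rest_client() so the example runs without a SOAR server."""
        def get(self, uri: str):
            assert uri.startswith("/incidents/") and "handle_format=objects" in uri
            return SAMPLE_ARTIFACTS


    if __name__ == "__main__":
        print(artifact_hits_email_text(_OfflineClient(), 2001))
    ```

    In a real workflow the fetch would live in the first function's body and the collect/build steps in the outbound email function's pre-process script, assigning the returned text to the email body input. Skipping inactive hits and artifacts without hits keeps the email limited to current intelligence; sorting by score puts the values that need action first.
    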



  • 5.  RE: Send Artifacts via Outbound Email