IBM Security SOAR


From an Incident rule, interact with incident fields and artifacts

  • 1.  From an Incident rule, interact with incident fields and artifacts

    Posted Fri September 03, 2021 12:58 PM
    So I'm having some trouble understanding how to accomplish something.

    I have an incident with two custom date fields and two artifacts. I'd like to use the artifacts to interact with an integration. So ideally I can run a rule on the incident, which invokes an incident-type workflow. This workflow would spawn four functions using the artifacts and incident fields.

    Suggestions on how to make this happen? See the following flow diagram and a mockup of the workflow that I'd like to create.

    ------------------------------
    Tyler Bennett
    ------------------------------


  • 2.  RE: From an Incident rule, interact with incident fields and artifacts

    Posted Fri September 03, 2021 04:49 PM
    Tyler,

    When I need artifact values in an incident-level workflow I use a function to get all of the artifacts on the incident. It's a pretty simple function to make, just an API call to Resilient. If you have any questions on how to do this I'd be happy to help.

    Then in the pre-process script for each 'QRadar Add Reference Set Item' you would iterate over the results of the function 'GET Incident Artifacts' for the specific type of artifact you are looking for. Those values would then be used as an input to 'QRadar Add Reference Set Item'. Any data that's needed from the incident fields can be accessed in the pre-process script with either incident.field_name (if the field was built in) or incident.properties.field_name (if the field was custom).

    Not sure if they were omitted because the workflow was just a mock, but don't forget to use the parallel condition points to run multiple functions / tasks / scripts at once.

    Let me know if any of that isn't clear!


    ------------------------------
    Liam Mahoney
    ------------------------------



  • 3.  RE: From an Incident rule, interact with incident fields and artifacts

    Posted Fri September 03, 2021 05:53 PM
    So you are creating an external function that does this? I was hoping to not have to create an integration.
    If I need to do that I suppose I can make one and deploy it.

    So create a function that returns the artifacts, call the function via the workflow and then iterate over the artifacts.

    Yep, I was gonna use the parallel gateways.

    Do you have any experience using the scheduler? Do you know if it can be utilized to run functions in Resilient? My goal is to add the items to a reference set, and then remove them when they expire. Ideally, I'd use the scheduler to create a task that would call QRadar Remove Reference Set Item on incident.properties.policy_end_date.

    I can do it via external code, but I'd like to stay inside the Resilient platform as much as I can to ensure that my entire team can contribute.

    ------------------------------
    Tyler Bennett
    ------------------------------



  • 4.  RE: From an Incident rule, interact with incident fields and artifacts

    Posted Mon September 06, 2021 09:23 AM
    Edited by Liam Mahoney Mon September 06, 2021 09:24 AM
    Tyler,

    To the best of my knowledge there isn't a way to access all of the incident's artifacts from within a script, so that's why I'd go the route of the external function, but only if all of the artifacts on the incident are needed.

    If you change the workflow's object type to 'Artifact' and the rule that triggers it to 'Artifact' you can then access an artifact's data (value, type, hits, etc.) from the in-product scripts (https://www.ibm.com/docs/en/rsoa-and-rp/40?topic=scripts-artifact-operations). The only caveat is that when you switch to the Artifact object type you are then operating on a single artifact at a time instead of all of the artifacts on the incident. Since both of the paths in the mock workflow you provided are similar, I think this could work for your use case. You could make a single workflow that does the QRadar add to reference set and then the scheduled rule create. This workflow would then get called for each artifact that satisfies the condition in the rule you create. If the user accounts and email addresses are supposed to end up in different reference sets, you can create the logic within the pre-process script to determine the type of the artifact before setting the reference set name input. Apologies for not thinking of this route on my initial response.

    Unfortunately I haven't used the scheduler at all, so I won't be able to help you out with that. Hopefully someone with some experience with it will be able to chime in.

    ------------------------------
    Liam Mahoney
    ------------------------------
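
As an added illustration of the per-artifact route described in the reply above (not code from the thread, from IBM, or from the QRadar integration): the decision logic a pre-process script for 'QRadar Add Reference Set Item' would carry, written as a plain function so it runs offline. The function input names, the reference set names, and the epoch-millisecond format of the custom date field are assumptions; in the platform `artifact`, `incident` and `inputs` are supplied as script globals, and the returned dict would instead be assigned as `inputs.<name> = value`.

```python
# Added example: pre-process logic for a workflow whose object type is 'Artifact'.
# Constructed stand-ins replace the platform-supplied `artifact` and `incident`.
from datetime import datetime, timezone
from types import SimpleNamespace

# Assumed mapping: artifact type -> QRadar reference set (placeholder names).
# Types not listed are out of scope and are skipped rather than sent to QRadar.
REFERENCE_SETS = {
    "User Account": "SOAR_Policy_Users",
    "Email Sender": "SOAR_Policy_Emails",
}


def make_artifact(type_, value):
    """Constructed stand-in for the SOAR `artifact` script global."""
    return SimpleNamespace(type=type_, value=value)


def make_incident(policy_end_ms):
    """Constructed stand-in for `incident`; custom fields live under .properties."""
    return SimpleNamespace(properties=SimpleNamespace(policy_end_date=policy_end_ms))


def build_function_inputs(artifact, incident):
    """Return the inputs for the QRadar add-item function, or None to skip.

    Input key names are assumptions, not the integration's real parameter names.
    """
    ref_set = REFERENCE_SETS.get(artifact.type)
    value = str(artifact.value or "").strip()
    if ref_set is None or not value:
        return None  # unsupported type or empty value: nothing to add
    end_ms = incident.properties.policy_end_date  # assumed epoch milliseconds
    if end_ms is None:
        return None  # no policy end date set: item could never be expired
    expires = datetime.fromtimestamp(end_ms / 1000, tz=timezone.utc)
    return {
        "qradar_reference_set_name": ref_set,
        "qradar_reference_set_item_value": value,
        "expires_at": expires.isoformat(),  # carried to the later removal step
    }


if __name__ == "__main__":
    # 1633046400000 ms is 2021-10-01T00:00:00Z (constructed sample value)
    print(build_function_inputs(make_artifact("User Account", " jdoe "),
                                make_incident(1633046400000)))
```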