IBM Security QRadar SOAR

  • 1.  Confirm Manual Actions

    Posted Fri January 31, 2020 10:03 AM

    Hi Resilient Community,

    Anyone know of a way to present a confirmation to an analyst before performing a manual action? We have a number of menu action items, some of which are escalation buttons. We have seen they can be misclicked by accident. Granted in this situation that's not a huge deal, however if the button was designed to do much more, such as a network block, or a device quarantine, it can have higher ramifications. A confirmation prompt with a tooltip would be useful in these situations.

    Thanks,



    ------------------------------
    Kyle Cisco
    ------------------------------


  • 2.  RE: Confirm Manual Actions

    Posted Mon February 03, 2020 08:48 AM
    How about using Rule Activity Fields? Rule activity fields pop up to the user when executing a Manual Rule.

    1. Create a Rule Activity field.



    This is done on the Manual Rule creation/editing screen:






    Here is my rule with the confirmation field:



    Here is what it looks like when run from the incident:




    By itself, this doesn't do anything except give the analyst another shot at thinking about it.  If you want to actually ensure they typed 'YES', you would have to write a workflow that checks the activity field properties and throws an error using a script with helper.fail(). Unfortunately it is not possible to access the Rule activity fields directly from the rule.

    I didn't check, but there may be an app on the App Exchange that does something like this.

    Ben




    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Confirm Manual Actions

    Posted Mon February 03, 2020 09:01 AM
    Hi Kyle, 

    We had a similar scenario and the way we dealt with it was by creating activity fields that asked the analyst a Yes or No question (Did you confirm that this is the right machine? It's not affecting business or whatnot). Then when the analyst would hit the manual action button they would get a pop up with these questions that they would have to answer before hitting submit. 

    In our code we didn't end up doing anything with the answers to the questions, it was more for the analyst to make sure that they hadn't made a mistake but technically you can have additional controls in place if needed based on their answer. 

    You can find the activity fields underneath the destinations box in a manual rule. You'll have to click the link to show the activity fields, then it's just drag and drop. 

    Hope this helps!
    Adina

    ------------------------------
    Adina Bodkins
    ------------------------------



  • 4.  RE: Confirm Manual Actions

    Posted Mon February 03, 2020 12:47 PM
    Edited by Brenden Glynn Mon February 03, 2020 12:50 PM
    You could also add an HTML block in the Activity Field section of the rule, with a description of what you're asking the user to do; in this case, to confirm that they wish to trigger the action.





    ------------------------------
    Brenden Glynn
    CISSP, GCIH
    Incident Response Business Consultant
    IBM Resilient
    ------------------------------



  • 5.  RE: Confirm Manual Actions

    Posted Tue February 04, 2020 12:41 PM

    All,

    Thanks for the suggestions! I ended up trying the Rule activity fields and created a "confirm Escalation" select field.
    While it does provide a nice popup to have the analyst confirm an action, even if they select "No", the action still executes.

    If there is a way to reference those fields in a script or workflow that would be great! Otherwise, I think Brenden's HTML block solution should suffice.

    Thanks all!

    Kyle



    ------------------------------
    Kyle Cisco
    ------------------------------



  • 6.  RE: Confirm Manual Actions

    Posted Tue February 04, 2020 01:03 PM

    Hi Kyle, 

    I'm not sure if this is the best way to do it, but I'll share how we did it... 

    If you are using an integration/code, you can use the following API call:

        confirm = self.rest_client().get("/types/actioninvocation/fields/field_api_name")

    Then you can write an if statement based on the value of the variable (in this case confirm):

        if confirm:
            pass  # do action
        else:
            pass  # exit


    I do not know if there is a way to get those fields in the in-product scripting although I would LOVE to know if it was possible. 

    Hope this helps!
    Adina



    ------------------------------
    Adina Bodkins
    ------------------------------



  • 7.  RE: Confirm Manual Actions

    Posted Tue February 04, 2020 02:28 PM
    You can do this with Manual action activity fields. Here is an example workflow:



    If the condition is not met the workflow runs a script that fails the rule:



    Ben




    ------------------------------
    Ben Lurie
    ------------------------------
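
    Worked example, added here and not code from any post above or from IBM's product, of the guard that both Ben's workflow (a script that fails the rule when the activity field is not set) and Adina's integration-side check amount to. The activity-field API name confirm_escalation, the shapes a select value can arrive in, and the assumption that a resilient-circuits action handler finds the values in event.message["properties"] are all assumptions. Inside an in-product workflow script the same guard would be called with the rule's activity-field properties object and helper.fail; here a plain exception and a recording callback stand in for helper.fail so the module runs on its own.

```python
# Added example (not code from the thread or from IBM): a fail-closed
# confirmation guard for a manual action. The same function can sit in an
# in-product workflow script (values read from the rule's activity-field
# properties, refusal done with helper.fail()) or in a resilient-circuits
# action handler (values assumed to arrive in event.message["properties"]).
# The field API name "confirm_escalation" and the value shapes handled below
# are assumptions, not documented product behaviour.

AFFIRMATIVE = {"yes", "y", "true", "confirm", "confirmed"}


def _as_label(value):
    """Reduce the shapes an activity-field value can take to a lowercase label.

    Handles a boolean field, a select field delivered as its label string or
    as a dict carrying the label (assumed shape), and a free-text field.
    Anything else (None, a numeric id we cannot map, an unexpected type)
    becomes None, which the caller treats as 'not confirmed'.
    """
    if isinstance(value, bool):
        return "yes" if value else "no"
    if isinstance(value, dict):
        value = value.get("name", value.get("label"))
    if isinstance(value, str):
        return value.strip().lower()
    return None


def _lookup(properties, field):
    """Read a field from a dict (action message) or an attribute-style object."""
    if isinstance(properties, dict):
        return properties.get(field)
    return getattr(properties, field, None)


def is_confirmed(properties, field="confirm_escalation"):
    """True only for an explicit affirmative answer; everything else fails closed."""
    label = _as_label(_lookup(properties, field))
    return label is not None and label in AFFIRMATIVE


class ActionRefused(Exception):
    """Raised when confirmation is missing. Inside a Resilient script, pass
    helper.fail as `fail` instead so the rule is failed the platform's way."""


def require_confirmation(properties, field="confirm_escalation", fail=None):
    """Guard to run before the action body. Returns True when confirmed;
    otherwise calls fail(message) (or raises ActionRefused) and returns False."""
    if is_confirmed(properties, field):
        return True
    message = "Manual action refused: '%s' was not answered Yes" % field
    if fail is None:
        raise ActionRefused(message)
    fail(message)
    return False


def escalate_if_confirmed(properties, escalate, field="confirm_escalation"):
    """Run the destructive step only after the guard passes.
    Returns escalate()'s result, or None when the action was refused."""
    if not is_confirmed(properties, field):
        return None
    return escalate()


if __name__ == "__main__":
    # Constructed sample submissions standing in for what the analyst sent.
    confirmed = {"confirm_escalation": "Yes"}
    refused = {"confirm_escalation": "No"}
    untouched = {}  # popup submitted without answering the question
    for props in (confirmed, refused, untouched):
        print(props, "->", escalate_if_confirmed(props, lambda: "host quarantined"))
    # In an in-product workflow script the same guard would read (assumed names):
    #     require_confirmation(rule.properties, "confirm_escalation", fail=helper.fail)
```

    Run as-is it prints the three constructed cases; only the explicit "Yes" reaches the quarantine step, and a misclick that submits the popup with the question unanswered is refused rather than treated as consent.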