IBM Security QRadar SOAR


Intercepting triggered rule name (to track rules execution)

  • 1.  Intercepting triggered rule name (to track rules execution)

    Posted Mon February 01, 2021 03:56 AM
    Hello,
    I had the requirement to intercept the Menu Item Rule "name" that has been triggered, when, on which artifact/object and by whom.
    Since such information is not available (as far as I can see) inside the message sent to circuits via functions, but is actually present in the message sent to the message destinations, I wrote a component, starting from the older "shell_runner" functions. Basically it instantiates a generic handler, triggered by every message in that message queue.

    My use case requires sending an email with the operation (Rule name), the operator who triggered it, the artifact details and some basic incident info. In this way, I can simply put that message destination in every rule that I want to be "tracked" upon execution by doing something (in my case sending an email with the rule name). Below you can find the interesting portion of the circuits component.
    I wanted to share this with the community to know what you think and maybe help someone with the same requirement. Also, do you think there is a better way to achieve this?

    import logging

    import resilient
    from resilient_circuits import ResilientComponent, handler
    from resilient_circuits.action_message import ActionMessage
    from resilient_lib import validate_fields
    # InterruptibleWorker comes from the shell_runner sample this component was
    # adapted from; the import path is not shown in the post, so the line below
    # is an assumption: adjust it to wherever that class lives in your package.
    from shell_runner import InterruptibleWorker

    log = logging.getLogger(__name__)

    CONFIG_DATA_SECTION = 'event_send_mail'
    
    class FunctionComponent(ResilientComponent):
        """Component that implements sending Email from a message destination"""
        def __init__(self, opts):
            super(FunctionComponent, self).__init__(opts)
            self.options = opts.get(CONFIG_DATA_SECTION, {})
            self.opts = opts
            self.resilient_client = resilient.get_client(opts)
            self.event_email_config_section = self.opts.get(CONFIG_DATA_SECTION, {})
            # Fail early if the mandatory [event_send_mail] settings are missing from app.config
            validate_fields(["smtp_server", "mail_from", "mail_to"], self.event_email_config_section)
    
            self.smtp_server = self.event_email_config_section.get("smtp_server")
    
            self.Mail_From = self.event_email_config_section.get("mail_from")
            self.Mail_To = self.event_email_config_section.get("mail_to")
            self.Mail_Cc = self.event_email_config_section.get("mail_cc")
            self.Mail_Bcc = self.event_email_config_section.get("mail_bcc")
    
            log.info("Mail From: {}, Mail to: {}, Mail CC: {}, Mail Bcc: {}".format(self.Mail_From, self.Mail_To, self.Mail_Cc, self.Mail_Bcc))
            log.debug(self.options)
    
            # Channel name beginning "actions." is a Resilient queue or topic
            # The queue name can be specified in the config file, or defaults to 'event_send_mail'
            self.channel = "actions." + self.options.get("queue", "event_send_mail")
    
            # Generic worker bound to that channel: every message on the queue reaches the handler below
            self.worker = InterruptibleWorker(process=False, workers=5, channel=self.channel)
            self.worker.register(self)
    
    
        @handler("reload")
        def _reload(self, event, opts):
            """Configuration options have changed, save new values"""
            self.options = opts.get(CONFIG_DATA_SECTION, {})
    
        @handler()
        def _send_email_function(self, event, *args, **kwargs):
            """Function: Send Email"""
            if not isinstance(event, ActionMessage):
                # Some event we are not interested in (only rule/action messages carry the data we need)
                return
            action_name = event.name
            event.message["properties"] = event.message.get("properties") or {}
            # The message headers carry the timestamp of the triggering action
            event.message["properties"]["_message_headers"] = event.hdr()
            time_exe = event.message["properties"]["_message_headers"]["timestamp"]
            event.message["action_name"] = action_name
            #... [do the rest] ...


    ------------------------------
    ___________________
    Manuel Marchese
    ------------------------------


  • 2.  RE: Intercepting triggered rule name (to track rules execution)

    Posted Tue February 02, 2021 11:57 AM
    It sounds like you want to call a Function with additional input parameters (object, principal)? Can you explain the use case a bit more where this is useful? Are you creating your own code because the existing functions don't do what you need? Or is it something else?


    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Intercepting triggered rule name (to track rules execution)

    Posted Tue February 02, 2021 12:28 PM
    Edited by Manuel Marchese Tue February 02, 2021 12:29 PM

    My requirement was to trigger an email notification with the name of the analyst that triggered a rule and when.
    Using this method I can read the "action name" that otherwise won't be available to the functions. This component registers itself on a queue and listens for all messages in that queue. In that way, sending an action to a message destination, I can grab the "action name" value I need.
    The functions, as far as I know, do not receive those values (triggered action name, event timestamp, user principal).

    Another use case would be to create reusable functions that evaluate the action name value and perform different things based on the rule name (or even on the user that triggered the action).

    ------------------------------
    ___________________
    Manuel Marchese
    ------------------------------
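    The handler logic from the first post and the dispatch-by-rule-name idea from the third, as an added example that is not part of the thread or of the poster's component: it works on plain dicts standing in for event.name, event.hdr() and event.message so it runs without resilient_circuits, and the message layout (principal, incident, artifact keys, timestamp header in epoch milliseconds), the rule names and all sample values are constructed assumptions.

```python
import datetime

# Constructed sample of one message on an "actions.*" destination. The key names
# (principal, incident, artifact, timestamp header in epoch ms) follow what the
# thread describes; the exact layout is an assumption, not product documentation.
SAMPLE_HEADERS = {"timestamp": 1612173360000}
SAMPLE_MESSAGE = {
    "principal": {"name": "analyst.one@example.com", "display_name": "Analyst One"},
    "incident": {"id": 2101, "name": "Suspicious login from new country"},
    "artifact": {"id": 17, "type": "IP Address", "value": "203.0.113.10"},
}
# Constructed rule names whose execution should produce a notification.
TRACKED_RULES = {"Block IP on firewall", "Escalate to Tier 2"}

def audit_record(action_name, headers, message):
    """Flatten what the handler sees (event.name, event.hdr(), event.message)
    into the fields an audit email needs: rule, when, who, on what."""
    ts_ms = headers.get("timestamp")
    when = None
    if ts_ms is not None:  # header value is epoch milliseconds
        when = datetime.datetime.fromtimestamp(
            ts_ms / 1000, tz=datetime.timezone.utc).isoformat()
    principal = message.get("principal") or {}
    artifact = message.get("artifact") or {}
    incident = message.get("incident") or {}
    return {
        "rule": action_name,
        "when": when,
        "who": principal.get("display_name") or principal.get("name") or "unknown",
        "object_type": "artifact" if artifact else "incident",
        "artifact": "%s = %s" % (artifact.get("type"), artifact.get("value")) if artifact else None,
        "incident_id": incident.get("id"),
        "incident_name": incident.get("name"),
    }

def render_email(record):
    """Plain-text body for the notification email."""
    lines = ["Rule '{rule}' run by {who} at {when}".format(**record),
             "Incident #{incident_id}: {incident_name}".format(**record)]
    if record["artifact"]:
        lines.append("Artifact: " + record["artifact"])
    return "\n".join(lines)

def handle_action(action_name, headers, message, tracked=TRACKED_RULES):
    """Dispatch on the rule name (the third post's reusable-function idea):
    return the email text for tracked rules, None for everything else."""
    if action_name not in tracked:
        return None
    return render_email(audit_record(action_name, headers, message))
```

    In the real component the three arguments come from event.name, event.hdr() and event.message inside the @handler() method, and the returned text is what gets handed to the SMTP send.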