IBM Security QRadar SOAR

  • 1.  Create a CSV and attach to an incident

    Posted Wed May 01, 2019 10:43 AM
    Hi,

    Is it possible to create a CSV file and add it to the incident, through the post-process script of any function?

    Thanks.

    ------------------------------
    Clément Fouque
    ------------------------------


  • 2.  RE: Create a CSV and attach to an incident

    Posted Wed May 01, 2019 02:04 PM
    Hi Clément,

    While you can't do it in the post-process script, it's definitely possible in your function. In your Python code you could write the desired content into a CSV file (https://docs.python.org/2/library/csv.html) and then upload it as an incident attachment using the Resilient API. This post might be useful: https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=1e0a3da3-f5e3-496f-8e9a-e37ebd985711&CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e&tab=digestviewer#bm1e0a3da3-f5e3-496f-8e9a-e37ebd985711

    Let us know if you need any additional information.

    Tamara

    ------------------------------
    Tamara Zlender
    ------------------------------
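
    The approach described in reply 2, as an added example that is not part of the original thread or IBM's own code: it builds the CSV in memory, neutralizes cells a spreadsheet could evaluate as formulas (artifact values are often attacker-controlled), and uploads the file. It assumes `client` is a `resilient.SimpleClient` exposing `post_attachment`; `neutralize`, `build_csv`, `attach_csv` and the sample rows are hypothetical names and constructed data.

```python
import csv
import io
import os
import tempfile

# Leading characters a spreadsheet application may treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data: artifact values often come from attacker-controlled input.
HEADERS = ["type", "value"]
SAMPLE_ROWS = [
    {"type": "IP Address", "value": "203.0.113.7"},
    {"type": "Email Subject", "value": "=1+1"},
]


def neutralize(value):
    """Return the cell as text, prefixed with ' if a spreadsheet could evaluate it."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def build_csv(headers, rows):
    """Serialize a list of dicts to UTF-8 CSV bytes with every field quoted."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow([neutralize(h) for h in headers])
    for row in rows:
        writer.writerow([neutralize(row.get(h)) for h in headers])
    return buf.getvalue().encode("utf-8")


def attach_csv(client, incident_id, filename, headers, rows):
    """Upload the CSV to the incident through a private temporary file.

    Assumption: client is a resilient.SimpleClient (or compatible object) whose
    post_attachment(uri, filepath, filename=..., mimetype=...) uploads the file.
    """
    uri = "/incidents/{}/attachments".format(int(incident_id))
    fd, path = tempfile.mkstemp(suffix=".csv")  # readable by the creating user only
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(build_csv(headers, rows))
        return client.post_attachment(uri, path, filename=filename, mimetype="text/csv")
    finally:
        os.remove(path)  # leave no incident data behind on the integration host
```

    Inside a function component, `client` would typically be the REST client the component already holds, and `incident_id` the function's incident input.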



  • 3.  RE: Create a CSV and attach to an incident

    Posted Tue February 18, 2020 09:57 AM
    Edited by Umair Ahmed Tue February 18, 2020 10:03 AM

    Hi,

    Is it preferred to add attachments in the function code? As far as I get, the results of a function execution should ideally be added to the incident in the post-process script.

    Actually I am in a similar position: I have a function which adds some attachments (JPEG and TXT files available as Base64 data from an external API) and also adds some notes in the incident. Which of the following techniques should I follow to achieve this:

    1- Add Attachments in the function code and update the notes in Post-Process script.
    2- Add Attachments and update the notes both in function code.

    The reason for my confusion is that IBM Resilient recommends that functions should be modular and everything related to updating incidents should be done in the post-process script, while on the other hand it makes sense for me to be consistent and update both the notes and attachments in my function code only and do nothing in post-process scripts.

    Please help me choose the best and consistent practice to achieve my objective.

    Thanks!

    ------------------------------
    Umair Ahmed
    ------------------------------




  • 4.  RE: Create a CSV and attach to an incident

    Posted Fri May 10, 2019 03:13 PM
    You can use Python (I prefer) or any other server-side script to do this task and then you can attach it to the incident.

    ------------------------------
    Afflospark .com
    ------------------------------



  • 5.  RE: Create a CSV and attach to an incident

    Posted Fri May 24, 2019 02:35 AM
    Thank you both. I wanted to avoid going through a custom component but it seems to be the only solution so far.

    ------------------------------
    Clément Fouque
    ------------------------------