IBM Security QRadar SOAR

  • 1.  VirusTotal Function for SOAR - error function in manual task - artifact is not defined

    Posted Tue May 18, 2021 10:36 AM

    Hello,
    I'm facing a problem with the VirusTotal function in a workflow. If I use it manually on an artifact, everything works fine, but in a workflow I get an error (name 'artifact' is not defined) like on the screen below. The error occurred after I tried to mark a task as complete; the next step in the workflow is the VirusTotal function.
    Does anyone have an idea, what could be wrong?

    #virustotal


    Regards



    Pre-Process Script

    # Artifact type (display name) -> VirusTotal input type.
    # Note: `artifact` is only in scope when the workflow's Object Type is
    # Artifact; with Object Type Incident only `incident` is available.
    typeLookup = {
        'Email Attachment': 'file', 'Malware Sample': 'file', 'Other File': 'file',
        'RFC 822 Email Message File': 'file', 'File Name': 'filename',
        'Malware MD5 Hash': 'hash', 'Malware SHA-1 Hash': 'hash', 'Malware SHA-256 Hash': 'hash',
        'URL': 'url', 'IP Address': 'ip', 'DNS Name': 'domain',
    }
    # Unmapped types fall back to the raw artifact type, so the if/else is not needed.
    inputs.vt_type = typeLookup.get(artifact.type, artifact.type)

    inputs.incident_id = incident.id
    inputs.artifact_id = artifact.id
    inputs.vt_data = artifact.value

    Workflow




  • 2.  RE: VirusTotal Function for SOAR - error function in manual task - artifact is not defined

    Posted Wed May 19, 2021 07:11 AM
    What is the Object Type specified for the workflow? And what is the rule configuration that starts the workflow?

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: VirusTotal Function for SOAR - error function in manual task - artifact is not defined

    Posted Wed May 19, 2021 08:20 AM
    Object Type is Incident


    Rule:



  • 4.  RE: VirusTotal Function for SOAR - error function in manual task - artifact is not defined

    Posted Wed May 19, 2021 08:41 AM
    So there won't be an artifact available in the script when the object type is incident. Only the incident object. That is why it works manually on an artifact.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 5.  RE: VirusTotal Function for SOAR - error function in manual task - artifact is not defined

    Posted Wed May 19, 2021 08:56 AM
    Hmmm, but the workflow should start after escalation and use the first rule based on the incident, so how can I use functions that work on artifacts in the workflow? I hope there is no need to create another rule for every function used in one workflow?


  • 6.  RE: VirusTotal Function for SOAR - error function in manual task - artifact is not defined

    Posted Thu May 20, 2021 06:50 AM
    Currently a workflow only has access to the object that started the workflow and its parent. For example, a workflow started from an Incident only has access to the incident. A workflow started on an Artifact has access to the Incident and the Artifact.

    It sounds like you want to do something with artifacts from a workflow started from an Incident. In that case it would be necessary to build your own Function and either bundle it into an App and deploy to an AppHost or run the Function on an integration server.

    This is definitely a pain point. There is a roadmap item to provide an easy way to get access to all the incident data (tasks, artifacts, notes, etc) from any workflow but that isn't available yet.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
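
    The reply above leaves one route for per-artifact work from a workflow started on an Incident: a custom Function that fetches the incident's artifacts itself. The following is an added example written for this page, not code from the thread, from IBM, or from the VirusTotal app. It shows the core of such a Function: pull the incident's artifacts over the REST API and map them to the same VirusTotal input fields the original pre-process script sets. Assumptions, also marked in the comments: the REST client exposes `.get(uri)` returning parsed JSON, as the `resilient` SimpleClient returned by `self.rest_client()` in a resilient-circuits component does; `GET /incidents/{id}/artifacts` returns artifacts whose `type` is the numeric type id; `GET /types/artifact/fields/type` returns the field definition whose `values` pair ids with display labels. `FakeRestClient`, incident 2095 and its artifacts are constructed for offline use.

```python
"""Added example: reach an incident's artifacts from an Incident-scoped
Function via the REST API, since `artifact` is not in scope there.

Assumed (not verified against a live server): client.get(uri) returns parsed
JSON like the `resilient` SimpleClient; GET /incidents/{id}/artifacts returns
artifacts with a numeric "type" id; GET /types/artifact/fields/type returns
{"values": [{"value": <id>, "label": <display name>}, ...]}.
"""

# Display name -> VirusTotal input type, as in the thread's pre-process script
# (with the RFC 822 type spelled as SOAR spells it).
TYPE_LOOKUP = {
    'Email Attachment': 'file', 'Malware Sample': 'file', 'Other File': 'file',
    'RFC 822 Email Message File': 'file', 'File Name': 'filename',
    'Malware MD5 Hash': 'hash', 'Malware SHA-1 Hash': 'hash', 'Malware SHA-256 Hash': 'hash',
    'URL': 'url', 'IP Address': 'ip', 'DNS Name': 'domain',
}


def artifact_type_labels(client):
    """Map numeric artifact type ids to display labels.

    REST artifacts carry the type id; pre-process scripts see the label, so
    resolve once per call rather than once per artifact. (Assumed shape.)
    """
    field = client.get("/types/artifact/fields/type")
    return {v["value"]: v["label"] for v in field["values"]}


def collect_vt_targets(client, incident_id):
    """Return (targets, skipped) for one incident.

    targets: dicts shaped like the inputs the thread's script sets
             (incident_id, artifact_id, vt_type, vt_data), one per artifact
             VirusTotal can look up.
    skipped: (artifact_id, type_label) for types with no VirusTotal mapping.
    Unlike the thread's script, unknown types are skipped instead of passed
    through, so the lookup is never called with a type it cannot handle.
    """
    labels = artifact_type_labels(client)
    artifacts = client.get("/incidents/{}/artifacts".format(incident_id))
    targets, skipped = [], []
    for art in artifacts:
        label = labels.get(art["type"], str(art["type"]))
        vt_type = TYPE_LOOKUP.get(label)
        if vt_type is None:
            skipped.append((art["id"], label))
            continue
        targets.append({
            "incident_id": incident_id,
            "artifact_id": art["id"],
            "vt_type": vt_type,
            "vt_data": art["value"],
        })
    return targets, skipped


class FakeRestClient:
    """Constructed stand-in for the SOAR REST client; all data below is made up."""

    def __init__(self):
        self._routes = {
            "/types/artifact/fields/type": {"values": [
                {"value": 1, "label": "IP Address"},
                {"value": 2, "label": "DNS Name"},
                {"value": 3, "label": "Malware SHA-256 Hash"},
                {"value": 4, "label": "User Account"},
            ]},
            "/incidents/2095/artifacts": [
                {"id": 11, "type": 1, "value": "198.51.100.23"},
                {"id": 12, "type": 2, "value": "example.invalid"},
                {"id": 13, "type": 3,
                 "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
                {"id": 14, "type": 4, "value": "jdoe"},
            ],
        }

    def get(self, uri):
        return self._routes[uri]


if __name__ == "__main__":
    targets, skipped = collect_vt_targets(FakeRestClient(), 2095)
    for t in targets:
        print("artifact {artifact_id}: vt_type={vt_type} vt_data={vt_data}".format(**t))
    for art_id, label in skipped:
        print("artifact {}: skipped, no VirusTotal mapping for '{}'".format(art_id, label))
```

    In a resilient-circuits component the client would come from `self.rest_client()` (assumed name) and the Function would either call the VirusTotal lookup once per entry in `targets` or return `targets` and `skipped` as its result so the post-process script can iterate them; the pre-process script then only needs `incident.id`, which is in scope for an Incident-scoped workflow.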