IBM Security Resilient


Workflow to iterate over all the artifacts in an incident

  • 1.  Workflow to iterate over all the artifacts in an incident

    Posted Mon February 24, 2020 05:20 AM
    Hi all,

    I want to create a playbook in my Resilient platform which can perform the following:

    1- Trigger when an Incident is created
    2- Iterate over all the artifacts of type IP Address/DNS Name in that incident and execute my function which will then post notes to the incident depending upon execution results.

    I have been able to achieve the 1st behavior but I cannot find a way to iterate over all the artifacts of a certain type in an incident.  I have been writing playbooks for other platforms and all of them have some sort of an iterator function which can do so but I have not found anything equivalent in Resilient.

    Can someone please point me towards anything that can help me achieve the above?

    Thanks!

    ------------------------------
    Umair Ahmed
    ------------------------------


  • 2.  RE: Workflow to iterate over all the artifacts in an incident

    Posted Mon February 24, 2020 09:56 AM
    Hey Umair,

    I would take a look at the API endpoint `GET /orgs/{org_id}/incidents/{inc_id}/artifacts`. You'll have to call this endpoint from within a function.

    Let me know if you have any questions!

    ------------------------------
    Liam Mahoney
    ------------------------------
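    The pattern Liam describes, as an added example that is not code from the thread or from IBM: a function body fetches the incident's artifacts from `GET /orgs/{org_id}/incidents/{inc_id}/artifacts`, keeps only the IP Address / DNS Name ones, checks each value is well-formed before handing it to the existing enrichment logic, and collects one note per artifact. It assumes a client object with a `.get(uri)` method returning the decoded JSON list (the shape `self.rest_client()` gives you inside a resilient-circuits function, where the URI is relative to the org); the numeric artifact type ids in `ARTIFACT_TYPE_NAMES`, the `StubClient`, `demo_handler` and the sample artifact list are constructed for this demo and must be replaced by your org's own type metadata and your real function on a live system.

```python
"""Added example, not part of the thread: iterate an incident's artifacts by type.

Assumptions (constructed for the demo): the client exposes .get(uri) and returns
the decoded JSON list; the type-id mapping below is a placeholder and must come
from the org's own artifact type metadata on a real Resilient platform.
"""

import ipaddress

# Constructed mapping of artifact type id -> display name (assumption).
ARTIFACT_TYPE_NAMES = {1: "IP Address", 2: "DNS Name", 3: "URL"}


def fetch_incident_artifacts(client, inc_id):
    """Call the artifacts endpoint for one incident; the org prefix is added by the client."""
    return client.get("/incidents/{}/artifacts".format(int(inc_id)))


def select_artifacts(artifacts, wanted_types):
    """Keep only artifacts whose type name is in wanted_types."""
    wanted = set(wanted_types)
    return [a for a in artifacts if ARTIFACT_TYPE_NAMES.get(a.get("type")) in wanted]


def validate_artifact(artifact):
    """Treat the artifact value as untrusted input: reject malformed values early."""
    name = ARTIFACT_TYPE_NAMES.get(artifact.get("type"))
    value = str(artifact.get("value", "")).strip()
    if name == "IP Address":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if name == "DNS Name":
        labels = value.rstrip(".").split(".")
        return 0 < len(value) <= 253 and all(lbl and len(lbl) <= 63 for lbl in labels)
    return False


def iterate_artifacts(client, inc_id, wanted_types, handler):
    """Fetch, filter, validate, then run handler on each artifact; return (id, note) pairs."""
    results = []
    for art in select_artifacts(fetch_incident_artifacts(client, inc_id), wanted_types):
        if not validate_artifact(art):
            results.append((art["id"], "skipped: malformed value"))
            continue
        results.append((art["id"], handler(art)))
    return results


class StubClient:
    """Constructed stand-in for the REST client; serves canned JSON by URI."""

    def __init__(self, responses):
        self.responses = responses
        self.calls = []

    def get(self, uri):
        self.calls.append(uri)
        return self.responses[uri]


# Constructed sample response for incident 2001 (ids, types and values are made up).
SAMPLE_ARTIFACTS = [
    {"id": 11, "type": 1, "value": "198.51.100.7"},
    {"id": 12, "type": 2, "value": "example.net"},
    {"id": 13, "type": 3, "value": "https://example.net/x"},
    {"id": 14, "type": 1, "value": "not-an-ip"},
]


def demo_handler(artifact):
    """Placeholder for the existing enrichment function; returns the note text."""
    return "checked {}".format(artifact["value"])


def run_demo():
    client = StubClient({"/incidents/2001/artifacts": SAMPLE_ARTIFACTS})
    return iterate_artifacts(client, 2001, ("IP Address", "DNS Name"), demo_handler)


if __name__ == "__main__":
    for art_id, note in run_demo():
        print(art_id, note)
```

In a real function you would replace `StubClient` with `self.rest_client()`, and post each returned note back to the incident instead of printing it; keeping validation in front of the handler means a malformed or oversized artifact value never reaches the lookup code or the note body.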



  • 3.  RE: Workflow to iterate over all the artifacts in an incident

    Posted Mon February 24, 2020 12:07 PM
    Oh, I see. So I would have to write a custom function to achieve my playbook logic? All I want to do is already available in my functions. It's just that I want to iterate that process.

    ------------------------------
    Umair Ahmed
    ------------------------------



  • 4.  RE: Workflow to iterate over all the artifacts in an incident

    Posted Tue February 25, 2020 07:02 AM
    Currently the platform does not have the ability to iterate over the incident child relationships with the in-product scripting capabilities. I wonder if it is possible to achieve the goal in a different way? 

    In the example you provided, when the incident is created, that means that the artifacts will have been newly created. It seems you could use an Artifact rule that triggers when an artifact is created to run a workflow/Function on the artifact which then creates the note as appropriate based on the function results.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------