IBM Security QRadar SOAR

  • 1.  Question around Workflow/Rule Creation

    Posted Mon January 11, 2021 11:57 AM
    We have come across a use case where we need to execute a workflow to add enrichment data back to our incidents.

    Our desired end state is:
    If custom_inc_field changes and contains value:
     run workflow on all artifacts of user_account type.

    The issue we are running into seems to stem from the object type binding of the rules/workflows. The rule would need to be an incident object type, and there is no apparent way to access artifact values from a subsequent workflow with object_type=incident.

    Is there a way to get the artifact values via preprocessing scripts or an alternative method?

    ------------------------------
    Frank Lacey
    ------------------------------


  • 2.  RE: Question around Workflow/Rule Creation

    Posted Tue January 12, 2021 08:56 AM
    Unfortunately, there is no built-in way of doing this. A custom Function would need to be built and hosted on an integration server or packaged into an App and run on AppHost.

    We are looking at being able to do something like this in the product directly. Once you have the list of artifacts of user_account type what would the workflow do with them? Would you be running a script? Or passing the information to a Function?

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Question around Workflow/Rule Creation

    Posted Tue January 12, 2021 09:13 AM
    Ben,

    Thanks for the reply. This particular use case would funnel the artifacts into the ldap search function for retrieving additional data around a particular user's identity. However, I think we could potentially have similar use cases in the future.

    Thanks,
    Frank

    ------------------------------
    Frank Lacey
    ------------------------------