IBM Security QRadar SOAR

  • 1.  Importing incidents from an Excel workbook

    Posted Thu April 22, 2021 03:54 PM
    Hi everybody,

    We used to manage our incidents with an Excel workbook.  We just switched to Resilient in the cloud and we would like to import the incidents that previously existed in the workbook.  I noticed that the extension "Utility functions for Resilient" contains a function to work with Excel.  Could I use it to import the Excel data and create a new Resilient incident for each line read from the worksheet?  Is there a better way?

    Thanks for your advice.


    ------------------------------
    Pierre Dufresne
    ------------------------------


  • 2.  RE: Importing incidents from an Excel workbook

    Posted Tue April 27, 2021 12:06 PM

    Hi Pierre,

    Yes. This capability should be possible, with one consideration. 
    First, I created an xlsx spreadsheet and added it as an attachment to an existing incident. I then created a workflow and rule to read the attachment, specifying the worksheet and column ranges similar to this: "Sheet1"!A1:C2. The result returned was an array with each row returned and columns in column order:

    {
    'titles': ['Sheet1'],
    'sheets': {
       'Sheet1': {
          'A1:C2': [
             [
               'inc1',
               2034,
               'name1'
             ],
             [
               'inc2',
               2035,
               'name2'
             ]
          ],
          '_keys': ['A1:C2']
        },
        '_keys': ['Sheet1']
      }
    }

    Now the only consideration is creating the new incidents. There's no off-the-shelf function for doing that (fn_incident_utils would be the right package for us to enhance). So that would need to be a custom function you write to perform the mapping of your Excel data columns to incident fields.

    Hope this helps.
    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: Importing incidents from an Excel workbook

    Posted Wed April 28, 2021 09:27 AM
    Hi Mark,
    Thanks for your reply.
    I am pretty new with Resilient so I don't think I am ready to write a custom function.
    But, would it be possible to make this work by calling the "Call REST API" function from the fn_utilities and using the "POST /orgs/{org_id}/incidents" method for each line of the Excel range?

    ------------------------------
    Pierre Dufresne
    ------------------------------



  • 4.  RE: Importing incidents from an Excel workbook

    Posted Wed April 28, 2021 11:37 AM
    Using Call REST API is a possible solution. I would recommend using API keys as the logic is clearer.  Good luck.

    ------------------------------
    Mark Scherfling
    ------------------------------
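
The mapping step discussed in replies 2 to 4, as an added example that is not code from the thread or from any Resilient package: it walks the result structure shown in reply 2 and builds one JSON body per row for "POST /orgs/{org_id}/incidents", skipping malformed rows instead of posting them. The column meanings, the choice of incident fields (`name`, `description`, `discovered_date`), the org id and the timestamp are assumptions; nothing is sent over the network.

```python
import json

# Constructed sample: the result structure shown in reply 2.
EXCEL_RESULT = {
    "titles": ["Sheet1"],
    "sheets": {
        "Sheet1": {
            "A1:C2": [["inc1", 2034, "name1"], ["inc2", 2035, "name2"]],
            "_keys": ["A1:C2"],
        },
        "_keys": ["Sheet1"],
    },
}

def iter_rows(result):
    """Yield (sheet, range, row_index, row) for every row, following the '_keys' lists."""
    sheets = result.get("sheets", {})
    for sheet in sheets.get("_keys", []):
        for rng in sheets[sheet].get("_keys", []):
            for i, row in enumerate(sheets[sheet][rng]):
                yield sheet, rng, i, row

def row_to_incident(row, discovered_ms):
    """Assumed mapping: A = legacy reference, B = legacy number, C = incident name."""
    if len(row) != 3:
        raise ValueError("expected 3 columns, got %d" % len(row))
    ref, number, name = row
    if not isinstance(name, str) or not name.strip():
        raise ValueError("empty incident name")
    return {
        "name": name.strip(),
        "description": "Imported from workbook: ref=%s, number=%s" % (ref, number),
        "discovered_date": discovered_ms,  # epoch milliseconds (assumed value)
    }

def build_requests(result, org_id, discovered_ms):
    """Return ([(path, json_body)], [skipped rows]) without sending anything."""
    path = "/orgs/%d/incidents" % org_id
    requests, skipped = [], []
    for sheet, rng, i, row in iter_rows(result):
        try:
            requests.append((path, json.dumps(row_to_incident(row, discovered_ms))))
        except ValueError as exc:
            skipped.append((sheet, rng, i, str(exc)))
    return requests, skipped

if __name__ == "__main__":
    for path, body in build_requests(EXCEL_RESULT, 201, 1619049600000)[0]:
        print("POST", path, body)
```

Each returned pair is what one "Call REST API" invocation would carry; review the skipped list before importing so that bad rows do not become empty incidents.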