IBM Security QRadar SOAR

  • 1.  Resilient workflows not executing in order specified

    Posted Tue November 17, 2020 01:48 PM
    1. We are trying to integrate information from threat feeds such as Shodan and IBM X-force into Analysis part of an incident.

    2. The API call is made on a custom artifact type. Here, in this case, the custom artifact type is "SHA 1 Malware Hash". Now, the artifact value, which here is the SHA1 hash, is added to the artifacts after the QRadar Ariel query has executed successfully, as the value is fetched from QRadar.

    3. Once the value is added to the artifact, the API call is made to the respective threat feed. The issue we are facing here is that, before the response from the API is received, the analysis gets populated with other information. Only after the analysis is populated is the API response received.

    4. We intend to add the API response to the analysis before the other information gets added. So, to conclude, we want to control the timely execution of workflows and their sequence, and since these workflows are on different data types we cannot create nested workflows with the timer function.

    Note: The API response is one of the parts of the Analysis.

    ------------------------------
    Akhilesh Deshmukh
    Data Analyst, SecurityHQ
    ------------------------------


  • 2.  RE: Resilient workflows not executing in order specified

    Posted Wed November 18, 2020 09:17 AM
    Hello Akhilesh,

    Could you possibly clarify the issue a little bit for me?

    I understand that you have a SHA 1 Malware Hash that is added to Resilient as an Artifact after results from a QRadar Ariel query are received. I also understand that once the Artifact is added, the system makes an API call to a Custom Threat Feed. What is the "other information" you mention that comes in too early, and what is it populating?

    Thank you,
    Brian


    ------------------------------
    Brian Reid
    ------------------------------



  • 3.  RE: Resilient workflows not executing in order specified

    Posted Wed November 18, 2020 09:49 AM
    Do you have a diagram illustrating how the pieces are flowing together and how you would like them to work? It is difficult to tell if you already have some Resilient rules, functions and workflows in place, or are looking to start something from scratch.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 4.  RE: Resilient workflows not executing in order specified

    Posted Sat November 21, 2020 09:57 AM

    Hi Akhilesh,

    If I understand what you ask for:

    1) Artifact (SHA1) is populated by the QRadar Ariel Query
    2) Artifact (SHA1) is automatically looked up for Threat Intelligence
    3) In parallel, enrichment is launched by artifact automation and gives other information back BEFORE the Threat Intelligence results.
    4) The Threat Intelligence results arrive "too late"

    Your question is how to delay 3) so that it is launched after 4).

    Possibilities:
    A) Use the App Function Utilities: Timer. You can make a "wait state" in a workflow for X seconds, minutes, hours or days; for example, wait 5 minutes to get all Threat Intelligence back.
    B) Launch 3) only when there is a return from TI (this works only if something matches).
    I am using artifact.hits, where you get all results from TI, with "has a value" or "contains" for a more specific wording.



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
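The following is an added example, not code from any poster or from the QRadar SOAR product, that combines the two options above in plain Python: proceed as soon as threat-intelligence hits are present (option B), otherwise stop waiting after a timer expires (option A) so the other enrichment is never blocked indefinitely. The artifact is modelled as a dict with a `hits` list and the clock/sleep hooks are assumptions so the gate can be exercised without real delays.

```python
import time

def wait_for_ti(artifact, max_wait_s, poll_s=0.1,
                clock=time.monotonic, sleep=time.sleep):
    """Return True once artifact['hits'] is non-empty (option B),
    False when max_wait_s elapses first (option A, the timer fallback)."""
    deadline = clock() + max_wait_s
    while True:
        if artifact.get("hits"):
            return True
        if clock() >= deadline:
            return False
        sleep(poll_s)

def build_analysis(artifact, other_info, max_wait_s, **hooks):
    """Assemble analysis entries in the order the thread asks for:
    threat-intelligence results first, the other enrichment afterwards."""
    entries = []
    if wait_for_ti(artifact, max_wait_s, **hooks):
        for hit in artifact["hits"]:
            entries.append(f"TI {hit['source']}: {hit['verdict']}")
    else:
        # Record the gap explicitly so analysts can see TI never answered.
        entries.append("TI: no result within timeout")
    entries.extend(other_info)
    return entries

if __name__ == "__main__":
    # Constructed sample: hits already returned for the SHA1 artifact.
    sample = {"type": "SHA 1 Malware Hash", "value": "<sha1 placeholder>",
              "hits": [{"source": "X-Force", "verdict": "malicious"}]}
    print(build_analysis(sample, ["Ariel query: 3 events"], max_wait_s=5))
```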