IBM Security QRadar SOAR


Script error when setting field value

  • 1.  Script error when setting field value

    Posted Thu January 13, 2022 12:00 AM

    Hello! I'm working on a script that parses inbound email and sets a custom field with values provided in the email. There is a task and its options field that I created myself. It has API Access Name = "approval".

    The script shows an error on the line where I set the value of that field via
    incident.properties.approval = "Одобрено"

    I also tried commenting out the lines where I set the fields, to at least check whether the parser works correctly by adding notes, but I'm getting another error)


    Here is full code if needed:

    # -*- coding: utf8 -*-
    import re
    import datetime
    import time
    
    class EmailProcessor(object):
        emailContents = []
    
        def __init__(self):
            if (emailmessage.body.content is not None):
                self.emailContents.append(emailmessage.body.content)
            if (emailmessage.getBodyHtmlRaw() is not None):
                self.emailContents.append(emailmessage.getBodyHtmlRaw())
            if (len(self.emailContents) == 0):
                log.error("Email message has no contents!")
                
        def addBasicInfoToIncident(self):
            approver = emailmessage.sender.address
            list_approvers = ['approver1@mail.com', 'approver2@mail.com', 'approver3@mail.com']
            method = re.findall(r"(\w+):", self.emailContents[0], re.UNICODE)[0]
            #str(approver) in list_approvers
            if str(approver) in list_approvers:
              if method == "Одобрено":
                #incident.properties.approval = "Одобрено"
                incident.addNote("""Было согласовано {}""".format(approver))
              elif method == "Отклонено":
                #incident.properties.approval = "Отклонено"
                incident.addNote("""Было Отклонено {}""".format(approver))
              else:
                #incident.properties.approval = "Ошибка"
                incident.addNote("""Возникла ошибка {}""".format(approver))
            else:
              #incident.properties.approval = "Попытка изменения другим лицом"
              incident.addNote("""{} пытался изменить данное поле, хоть и не указан в списке ответсвенных лиц""".format(approver))
    
    processor = EmailProcessor()
    
    inc_id = int(re.findall(r"\d+", processor.emailContents[0], re.UNICODE)[0])
    
    query_builder.equals(fields.incident.id, inc_id)
    query = query_builder.build()
    incidents = helper.findIncidents(query)
    
    
    if len(incidents) == 0:
        log.info(u"Incident Not Found")
    else:
        # A similar incident already exists. Associate the email with this preexisting incident.
        log.info(u"Associating with existing incident {0}".format(incidents[0].id))
        processor.addBasicInfoToIncident()
    


    ------------------------------
    Magzhan Leskhan
    ------------------------------


  • 2.  RE: Script error when setting field value

    Posted Fri January 14, 2022 09:36 AM
    The data context of an Email parsing script does not have a top-level object called 'incident'. This code finds the incidents you are interested in:

    incidents = helper.findIncidents(query)
    
    
    if len(incidents) == 0:
        log.info(u"Incident Not Found")
    else:
        # A similar incident already exists. Associate the email with this preexisting incident.
        log.info(u"Associating with existing incident {0}".format(incidents[0].id))
        processor.addBasicInfoToIncident()
    I think you need to pass the incident information as a parameter to the method addBasicInfoToIncident().

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
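
One way to apply the suggestion in the reply above, as an added example that is not code from either poster: the incident returned by `helper.findIncidents(query)` is passed in explicitly instead of relying on a global `incident`. The function name `apply_approval`, the `FakeIncident` stand-in and the note text are assumptions made for illustration; the allow-list and the field values are the ones from the question's script.

```python
# -*- coding: utf-8 -*-
import re

# Allow-list and option labels are taken from the question's script.
APPROVERS = ['approver1@mail.com', 'approver2@mail.com', 'approver3@mail.com']
DECISIONS = (u"Одобрено", u"Отклонено")


def apply_approval(incident, sender, body):
    """Set properties.approval on the incident object passed in.

    Returns the value written so the caller can log it.
    """
    if str(sender) not in APPROVERS:
        # Sender is not on the allow-list: record the attempt only.
        value = u"Попытка изменения другим лицом"
    else:
        # The question's script used findall(...)[0], which raises IndexError
        # when the body has no "word:" token; search() returns None instead.
        match = re.search(r"(\w+):", body or u"", re.UNICODE)
        keyword = match.group(1) if match else None
        value = keyword if keyword in DECISIONS else u"Ошибка"
    incident.properties.approval = value
    incident.addNote(u"approval = {} (sender: {})".format(value, sender))
    return value


# Constructed stand-in for a SOAR incident so the example runs offline.
class _Props(object):
    approval = None


class FakeIncident(object):
    def __init__(self):
        self.properties = _Props()
        self.notes = []

    def addNote(self, text):
        self.notes.append(text)


# In the email script the call would be (names from the question's script):
#   apply_approval(incidents[0], emailmessage.sender.address,
#                  processor.emailContents[0])
```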