IBM Security QRadar SOAR

  • 1.  Attachments

    Posted Thu April 11, 2019 02:11 PM
    Hi All,

    Is there a way to reference an attachment in a 'Note' so that when you click on the note-reference the attachment will launch.
    Use Case:
    • Some investigations result in an incident having many-many attachments.
    • Investigators are making 'Notes' in their incident and reference an attachment by name (e.g. see attachment abcxyz.eml).
    • Others that are reviewing the incident need to then go to a long list of attachments to find the attachment name.
    This feature may exist however it is not obvious to me how to use it.

    ------------------------------
    Thanks
    Paul Formosa
    ------------------------------


  • 2.  RE: Attachments

    Posted Thu April 18, 2019 07:51 AM
    Hi there,

    This issue is being discussed in depth with our team; we currently have a part-hacky solution until a more comprehensive approach is supplied:

    We've tried to do this using an in-product Script:
    ```python
    # Build the REST URL for the attachment's contents (the incident *id*, not its
    # name, belongs in the path), then embed it in a rich-text note.
    url_to_attachment = "https://192.168.62.3/rest/orgs/201/incidents/{0}/attachments/{1}/contents".format(
        incident.id, attachment.id)

    note_text = u'<a class="data-attachment-url" href="#" data-attachment-url="{0}">{1}</a>'.format(
        url_to_attachment, attachment.name)

    incident.addNote(helper.createRichText(note_text))
    ```
    But our `IncidentNoteREST` API seems to filter the `data-attachment-url` HTML attribute, so the hyperlink just ends up being:
    ```html
    <a href="#"> Screen Shot 2019-04-17 at 9.09.15 AM.png</a>
    ```
    Whereas in order for it to work, we need the link to be:
    ```html
    <a class="data-attachment-url" href="#" data-attachment-url="https://192.168.62.3/rest/orgs/201/incidents/2096/attachments/4/contents">
    Screen Shot 2019-04-17 at 9.09.15 AM.png
    </a>
    ```
    From this investigation the answer is we cannot do exactly what you want today. But the team is focused on allowing a SOC analyst to do this without introducing potential vulnerabilities; it will be logged and added to our backlog to remedy.

    Kind regards,
    Sean O'Gorman


    ------------------------------
    Sean OGorman
    ------------------------------



  • 3.  RE: Attachments

    Posted Thu April 18, 2019 11:42 AM
    Thanks Sean.

    ------------------------------
    PAUL FORMOSA
    ------------------------------



  • 4.  RE: Attachments

    Posted Fri April 19, 2019 06:08 AM
    Edited by Sean OGorman Tue April 23, 2019 06:01 AM


  • 5.  RE: Attachments

    Posted Fri January 31, 2020 10:01 AM
    Edited by Junchen Liu Fri January 31, 2020 10:43 AM
    Thomas Knorr asked me the question today. IMHO the direct attachment link can be achieved through a simple midway HTTP server written in Python:

    1) host a Python HTTP server, listening for GET requests (example of the server)
    2) create an HTTP GET link in the note, e.g. http://myserver//rest/orgs/203/incidents/2138/attachments/2/contents

    Then when the user clicks the link, the download window should pop up.
    The Stack Overflow example needs to be changed: it needs to call the Resilient API to get the files.
    Perhaps a config property so it only listens to requests from certain IPs (e.g. the customer's Resilient).

    If you really love resilient-circuits, you can use the rc_webserver module as the HTTP server.

    PS: alternatively the HTTP server could just act as a forwarder:
    1) take the GET request from Resilient
    2) call the /session API to get the session token
    3) bind it to a new POST request on the same URL
    See example.



    ------------------------------
    Junchen Liu
    ------------------------------
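The forwarder sketched in reply 5 (steps 1-3 of the PS), with the note link from reply 2 pointed at it, as an added example that is not code from the thread, from IBM, or from the resilient-circuits project. It assumes the REST paths shown in the thread (`/rest/session` and `/rest/orgs/{org}/incidents/{inc}/attachments/{att}/contents`) and the `csrf_token` / `X-sess-id` session convention used by the official Resilient Python client; the host name, credentials, port and client allowlist are constructed placeholders. Only the exact attachment-contents path shape with numeric ids is forwarded, and only from allowlisted source addresses, so the midway server cannot be turned into an open proxy to the rest of the REST API.

```python
"""Midway attachment forwarder (added example; placeholders are constructed)."""
import ipaddress
import json
import os
import re
import ssl
import urllib.request
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders: point these at your own SOAR/Resilient server.
RESILIENT_HOST = os.environ.get("RESILIENT_HOST", "resilient.example.invalid")
RESILIENT_USER = os.environ.get("RESILIENT_USER", "")
RESILIENT_PASS = os.environ.get("RESILIENT_PASS", "")
# Reply 5 suggests only listening to certain IPs; constructed example range.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]

# Only this exact path shape, with numeric ids, is ever forwarded upstream.
ATTACHMENT_PATH = re.compile(
    r"^/rest/orgs/(\d+)/incidents/(\d+)/attachments/(\d+)/contents/?$")


def parse_attachment_path(path):
    """Return (org_id, incident_id, attachment_id) or None for any other path."""
    m = ATTACHMENT_PATH.match(path.split("?", 1)[0])
    return tuple(int(g) for g in m.groups()) if m else None


def client_allowed(client_ip):
    """True only if the requesting address lies inside ALLOWED_CLIENTS."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_CLIENTS)


def upstream_url(org_id, incident_id, attachment_id, host=RESILIENT_HOST):
    """The attachment-contents URL on the real server (path from the thread)."""
    return "https://{0}/rest/orgs/{1}/incidents/{2}/attachments/{3}/contents".format(
        host, org_id, incident_id, attachment_id)


def note_link(forwarder_base, org_id, incident_id, attachment_id, label):
    """Plain <a href> for the note: it survives the filter that strips
    data-attachment-url (reply 2) because it uses only href."""
    href = "{0}/rest/orgs/{1}/incidents/{2}/attachments/{3}/contents".format(
        forwarder_base.rstrip("/"), org_id, incident_id, attachment_id)
    return '<a href="{0}">{1}</a>'.format(escape(href, quote=True), escape(label))


def fetch_attachment(org_id, incident_id, attachment_id):
    """Log in via /rest/session, then GET the attachment bytes (reply 5 steps 2-3).
    Assumption: the session JSON carries csrf_token and later requests send it
    as X-sess-id alongside the session cookie."""
    ctx = ssl.create_default_context()  # verify the server certificate
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(),
        urllib.request.HTTPSHandler(context=ctx))
    login = urllib.request.Request(
        "https://{0}/rest/session".format(RESILIENT_HOST),
        data=json.dumps({"email": RESILIENT_USER, "password": RESILIENT_PASS}).encode(),
        headers={"Content-Type": "application/json"})
    with opener.open(login, timeout=30) as resp:
        token = json.loads(resp.read().decode())["csrf_token"]
    get = urllib.request.Request(upstream_url(org_id, incident_id, attachment_id),
                                 headers={"X-sess-id": token})
    with opener.open(get, timeout=60) as resp:
        return resp.read()


class ForwardHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not client_allowed(self.client_address[0]):
            self.send_error(403, "client not allowed")
            return
        ids = parse_attachment_path(self.path)
        if ids is None:
            self.send_error(404, "not an attachment path")
            return
        try:
            data = fetch_attachment(*ids)
        except Exception as exc:  # log detail locally, return a generic error
            self.log_error("upstream fetch failed: %s", exc)
            self.send_error(502, "upstream fetch failed")
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        # "attachment" disposition is what makes the browser's download window pop up.
        self.send_header("Content-Disposition",
                         'attachment; filename="attachment-{0}"'.format(ids[2]))
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), ForwardHandler).serve_forever()
```

The note text a script would add is `note_link("http://myserver", 203, 2138, 2, "abcxyz.eml")`; the forwarder answers only that path shape, and the real credentials never leave the midway host. Put the forwarder itself behind TLS before anyone relies on it, since the link in the note is what analysts will click.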