IBM Security QRadar SOAR

  • 1.  Artifact bulk upload

    Posted Thu October 29, 2020 04:31 AM
    Hi,

    We wish to upload multiple (sometimes almost a hundred) artifacts for incidents, and this procedure is very painful manually.
    Is there any way to bulk upload for every artifact type?

    Thank you.

    ------------------------------
    Adam
    ------------------------------


  • 2.  RE: Artifact bulk upload

    Posted Thu October 29, 2020 11:32 AM
    Are these things that could be represented in a CSV file format?

    If so, it would be possible to do this using:

    1) A menu item rule with an input field. It would be a text field where the user could paste the CSV data.

    2) Write an in-product script in Python that would parse the CSV data and create artifacts using the incident.createArtifact() method.

    There may be existing Apps on the app exchange https://exchange.xforce.ibmcloud.com/hub?br=Resilient.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Artifact bulk upload

    Posted Thu October 29, 2020 01:05 PM
    Also, some built-in artifacts and custom artifacts allow entering multiple values at one time:

    Enter:

    Ends up as:


    Ben


    ------------------------------
    Ben Lurie
    ------------------------------



  • 4.  RE: Artifact bulk upload

    Posted Wed November 04, 2020 01:24 AM
    Hi Ben,

    Yes, some artifact types allow uploading multiple values at the same time, but email addresses and hashes do not.

    1) Can you please show me which input field you are referring to, because I did not find any input field in the Menu item rule?

    2) Where should we write this and how can we use it afterward?

    Unfortunately, there are no existing Apps on the app exchange.

    ------------------------------
    Adam
    ------------------------------



  • 5.  RE: Artifact bulk upload

    Posted Wed November 04, 2020 03:07 AM

    Maybe you can try this app. https://exchange.xforce.ibmcloud.com/hub/extension/084ca100cda892ea3b2d8b8e805740e6

    IOCparser can parse "IP", "uri", "md5", "sha1", "sha256", "CVE", "email" or "file" according to https://pypi.org/project/iocparser/



    ------------------------------
    Leo Kuo
    ------------------------------



  • 6.  RE: Artifact bulk upload

    Posted Wed November 04, 2020 10:41 AM
    I just did a very simple example here.

    1) Create a menu item rule that allows the user to enter multiple artifact IOCs. This is an example for email but really could be extended to any IOC.

    The activity field (CSV format for Artifact Data) is just a text area:

    Then create a script that uses this information:

    Then update the Rule to run the script:

    When the user runs this rule from the incident they get a popup like this where they can enter the data:

    Which then adds the new artifacts to the incident.

    Obviously this is a very simple example, but could be extended to address other use cases.

    Ben


    ------------------------------
    Ben Lurie
    ------------------------------



  • 7.  RE: Artifact bulk upload

    Posted Tue November 10, 2020 02:26 PM
    Hi, Adam - We have 2 Artifact Bulk Upload options available here.  The first is a 'self service' feature, where the user defines the required Artifacts as Type,Value,Description triples (although Description is optional - a program-generated description will be created if the user omits this), in a csv file and uploads this as an Attachment.  A Rule makes an Action available to 'Bulk Upload Artifacts' from the Attachment.  We recommend users keep this to about 50 rows at a time and the code limits it to 100, as Circuits processing is held up while the Bulk Upload takes place.  Artifacts can be any supported type and for IP address, the code handles IP Address:Source, IP Address:Destination and IP Address:Both variants.  When processing completes, a summary Note is added to the Incident, with full details of any errors.  If all rows were successfully translated into Artifacts, the uploaded Attachment is deleted, though this feature could be omitted - our users felt it was preferable to allowing a repeated upload of the same data.  A variation - no longer active but present in the code - is to rename the Attachment with the prefix '__uploaded' and then have the Artifact Rule exclude such files from the Bulk Upload action.

    The second option - used for BU of > 50 items at a time - repurposes the above code as a standalone Python program, again fed with a csv file though not as an Attachment and (of course) using the Resilient API to create Artifacts and add a Note on completion.  This is not a self-service program but can accommodate much larger uploads - the maximum so far being in the thousands, which was email address at risk in a big phishing incident.

    If either or both of these approaches are of interest I am very willing to share code and support you in using it.  I'm uploading a sample of the csv so you can see the format and an extract of the Circuits code FYI.

    Please let me know if you'd like anything else.

    Best regards - Edwin

    ------------------------------
    Edwin Bolton
    ------------------------------

    Attachment(s): ArtefactsTest.csv (304 B)
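The two approaches in this thread share the same core: turn Type,Value,Description rows (pasted into a rule's text area, as in Ben's example, or read from an attached or local CSV, as in Edwin's) into validated artifact records, create them one by one, and report the outcome in a note. The block below is an added example written for this thread; it is not Ben's in-product script and not Edwin's Circuits or standalone code, and neither of their attachments is reproduced here. It runs stand-alone on a constructed CSV sample. Assumptions are marked in the code: the artifact type names in ARTIFACT_TYPES are typical SOAR names but must match your tenant, a first row reading "Type,Value,Description" is treated as a header, the 100-row cap follows Edwin's description, and the creation callback is kept separate so that in a SOAR script you would pass the `incident.createArtifact` method Ben names (its exact signature is not shown on the page and is assumed to take type, value and description).

```python
"""Bulk artifact upload helper: parse CSV rows, validate per type, create via callback.

Added example for the forum thread above; not code from IBM, Ben or Edwin.
"""
import csv
import io
import ipaddress
import re
from collections import namedtuple

ArtifactRow = namedtuple("ArtifactRow", "line type value description")

# ASSUMPTION: type names as they appear in the tenant's artifact type list.
ARTIFACT_TYPES = {"IP Address", "Email Sender", "Email Recipient", "DNS Name",
                  "Malware MD5 Hash", "Malware SHA-1 Hash", "Malware SHA-256 Hash"}
HASH_LENGTHS = {"Malware MD5 Hash": 32, "Malware SHA-1 Hash": 40, "Malware SHA-256 Hash": 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_ROWS = 100  # cap from Edwin's post; he recommends ~50 per run


def validate(artifact_type, value):
    """Return None if value is acceptable for artifact_type, else an error string."""
    if artifact_type not in ARTIFACT_TYPES:
        return "unknown artifact type"
    if artifact_type == "IP Address":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return "not a valid IP address"
    elif artifact_type in HASH_LENGTHS:
        want = HASH_LENGTHS[artifact_type]
        if not (HEX_RE.match(value) and len(value) == want):
            return "expected %d hex characters" % want
    elif artifact_type.startswith("Email"):
        if not EMAIL_RE.match(value):
            return "not a valid email address"
    return None


def parse_artifact_csv(text, max_rows=MAX_ROWS):
    """Parse Type,Value[,Description] rows. Returns (rows, errors); bad rows are
    reported by line number and skipped, so one typo does not abort the upload."""
    rows, errors, seen = [], [], set()
    for n, fields in enumerate(csv.reader(io.StringIO(text.strip())), start=1):
        fields = [f.strip() for f in fields]
        if not any(fields):
            continue  # blank line
        if n == 1 and fields[0].lower() == "type":
            continue  # ASSUMPTION: optional header row
        if len(rows) >= max_rows:
            errors.append("line %d: row limit of %d reached, remaining rows skipped" % (n, max_rows))
            break
        if len(fields) < 2 or not fields[1]:
            errors.append("line %d: need at least Type,Value" % n)
            continue
        art_type, value = fields[0], fields[1]
        description = fields[2] if len(fields) > 2 else ""
        qualifier = None
        if art_type.startswith("IP Address:"):  # 'IP Address:Source' etc. from Edwin's post
            art_type, qualifier = art_type.split(":", 1)
        err = validate(art_type, value)
        if err:
            errors.append("line %d: %s %r %s" % (n, art_type, value, err))
            continue
        key = (art_type, value.lower())  # case-insensitive duplicate check
        if key in seen:
            errors.append("line %d: duplicate of an earlier row" % n)
            continue
        seen.add(key)
        if not description:  # program-generated description when omitted
            description = "Bulk upload row %d" % n + (" (%s)" % qualifier if qualifier else "")
        rows.append(ArtifactRow(n, art_type, value, description))
    return rows, errors


def bulk_create(rows, create_fn):
    """Call create_fn(type, value, description) per row. Returns (created, errors).
    In a SOAR script pass incident.createArtifact (ASSUMED signature); here any callable."""
    created, errors = 0, []
    for row in rows:
        try:
            create_fn(row.type, row.value, row.description)
            created += 1
        except Exception as exc:  # keep going; failures go into the summary note
            errors.append("line %d: %s %r failed: %s" % (row.line, row.type, row.value, exc))
    return created, errors


def summary_note(created, errors):
    """Text for the summary note added to the incident after processing."""
    lines = ["Bulk upload: %d artifacts created, %d errors" % (created, len(errors))]
    lines.extend(" - " + e for e in errors)
    return "\n".join(lines)


# Constructed sample input (not from the thread's attachment): one header, one
# duplicate email, one bad SHA-256, one IP with a Source qualifier, one bad IP.
SAMPLE_CSV = """Type,Value,Description
Email Sender,phish@example.net,Sender from user report
Email Sender,PHISH@example.net,
Malware MD5 Hash,d41d8cd98f00b204e9800998ecf8427e,Empty-file MD5
Malware SHA-256 Hash,notahash,
IP Address:Source,203.0.113.7,
IP Address,999.1.1.1,
"""

if __name__ == "__main__":
    parsed, parse_errors = parse_artifact_csv(SAMPLE_CSV)
    count, create_errors = bulk_create(parsed, lambda t, v, d: print("create", t, v, d))
    print(summary_note(count, parse_errors + create_errors))
```

In an in-product script the flow would be `rows, errs = parse_artifact_csv(<rule activity field text>)`, then `bulk_create(rows, incident.createArtifact)`, then add `summary_note(...)` as an incident note; for Edwin's standalone variant the same two functions take the CSV file contents and a callback that wraps the REST API. Validating and deduplicating before creating anything is what keeps a hundred-row paste from half-succeeding silently.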