IBM Security QRadar SOAR

  • 1.  Resilient Scripting (Incident Script) - validating current artifact values

    Posted Mon February 18, 2019 04:13 PM
    Edited by Austin Thomas Mon February 18, 2019 05:49 PM
    Hello,

    I am working on some automation to automatically populate artifacts based on content found in the description of the Resilient incident. I am looking for help on understanding if there is a way to run an API call in my script to check the value of existing artifacts before I add an artifact. I want to prevent artifacts being added if that artifact value already exists (not the artifact name or description, but the value).

    Basically, is there a way for me to make a function call to grab, what I assume is a list/tuple, whatever current artifacts are in the case that the script is running against?

    Thanks.

    ------------------------------
    Austin Thomas
    ------------------------------


  • 2.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted Tue February 26, 2019 09:02 AM
    Hi Austin,

    So in the in-product scripting editor, there is currently no way to do this. There is an RFE open on this point however, so please feel free to upvote it to see it in Resilient sooner: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-194

    If you're talking about making a call from the implementation code of a function, then there is an incident artifact REST endpoint that you should be able to use for that. See usage details in the interactive REST API: http://<your-server>/docs/rest-api/ui/index.html#/IncidentArtifactREST

    Hope this helps.
    Paul.

    ------------------------------
    PAUL CURRAN
    ------------------------------



  • 3.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted Tue February 26, 2019 10:02 AM
    Thank you Paul. This is unfortunate to hear. I will vote for the RFE.

    ------------------------------
    Austin Thomas
    ------------------------------



  • 4.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted Mon December 02, 2019 03:43 PM

    Hi there, 

    We are currently wondering the same thing: is there a way to make sure that you're not duplicating artifacts before you add them? Have there been any updates with regards to this feature? Or any workarounds that will work from within the in-product scripting?

    Thanks, 

    Adina 



    ------------------------------
    Adina Bodkins
    ------------------------------



  • 5.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted Thu December 05, 2019 04:03 AM
    Hello Adina,

    I have worked on an artifact deduplicating function using the fn-utilities RestAPI function.
    It is not complete/exact, as it just looks at artifact type and artifact value, and NO other artifact properties like source/destination of IPs or others like Value Name/Value Data on Registry Keys.

    You can try it "as it is" in pre-production and update it for more controls before production.


    Res file built by:
    # Deduplicate Artifact
    Needs API key (see all functions in workflow, pre-process scripts; you can use the same API key)
    Needs the update of Resilient URL & Org in the API call in the pre-process of each function in the workflow
    Needs Apps: fn_utilities
    resilient-circuits extract \
    --workflow "deduplicate_artifact" \
    --rule "Deduplicate Artifact" \
    -o config_deduplicate_artifacts.res --zip --exportfile export.res

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------

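The type-plus-value check that Paul's REST endpoint reply and Benoit's deduplication function describe, written out as an added Python example (not the code of the attached .res file) in the shape a Resilient function implementation would use. Assumed: the artifact endpoint path `/incidents/{inc_id}/artifacts` relative to the org root that `resilient.SimpleClient` prepends, a client with SimpleClient-style `get`/`post`, and constructed artifact type ids and sample values.

```python
"""Added example (not from the thread's attachment): skip artifacts whose
type+value pair already exists on the incident before POSTing them."""
from typing import Dict, List, Set, Tuple

# Assumed path, relative to the org root that resilient.SimpleClient prepends.
ARTIFACT_URI = "/incidents/{inc_id}/artifacts"

def normalize(value: str) -> str:
    # Assumption: case and surrounding whitespace do not make a distinct indicator.
    return value.strip().lower()

def existing_keys(artifacts: List[Dict]) -> Set[Tuple[int, str]]:
    # Assumed response shape: each artifact has an integer "type" id and a "value".
    return {(a["type"], normalize(a["value"])) for a in artifacts}

def filter_new(existing: List[Dict], candidates: List[Dict]) -> List[Dict]:
    """Candidates not already on the incident, with repeats inside the
    candidate list itself collapsed to their first occurrence."""
    seen = existing_keys(existing)
    fresh = []
    for cand in candidates:
        key = (cand["type"], normalize(cand["value"]))
        if key not in seen:
            seen.add(key)
            fresh.append(cand)
    return fresh

def add_missing_artifacts(client, inc_id: int, candidates: List[Dict]) -> List[Dict]:
    """client is assumed to behave like resilient.SimpleClient: get(uri) returns
    parsed JSON, post(uri, payload) creates the object. Returns what was added."""
    uri = ARTIFACT_URI.format(inc_id=inc_id)
    new = filter_new(client.get(uri), candidates)
    for art in new:
        client.post(uri, {"type": art["type"], "value": art["value"]})
    return new

class FakeClient:
    """Constructed in-memory stand-in so the example runs offline."""
    def __init__(self, artifacts: List[Dict]):
        self.store = list(artifacts)
    def get(self, uri: str) -> List[Dict]:
        return list(self.store)
    def post(self, uri: str, payload: Dict) -> Dict:
        record = dict(payload, id=len(self.store) + 1)
        self.store.append(record)
        return record

if __name__ == "__main__":  # constructed sample; type ids are placeholders
    client = FakeClient([{"id": 1, "type": 1, "value": "10.0.0.5"}])
    print(add_missing_artifacts(client, 42, [{"type": 1, "value": "10.0.0.5 "}, {"type": 2, "value": "evil.example.com"}]))
```

Like Benoit's function, this compares only type and value; properties such as IP source/destination or registry Value Name/Value Data would need to be folded into the key for an exact match.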



  • 6.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted Thu December 05, 2019 03:54 AM
    Hello Austin,

    I did not check exactly the "how to", but I was wondering if using a similar script to the one used in the email analysis would not allow you to write your regex and create your artifacts, just like it is done when analysing the email?

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 7.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted Mon February 03, 2020 09:34 AM
    Hi,
    I've faced the same issue.
    I have an action that adds artifacts to the incident, and in some cases the action adds duplicate artifacts. So my question is: what is the reason for having duplicate artifacts?
    I consider this feature should ignore adding duplicate artifacts.
    Moreover, I think that it's a problem because I cannot manage artifacts except by adding them (from the Resilient platform and Object Type: Incident).
    I can search and find duplicates through the API from my Integration Server, but it's not convenient.
    Are there any updates about the RFE?

    ------------------------------
    Igor Talankin
    ------------------------------