IBM Security QRadar SOAR

  • 1.  Doubts about ldap query

    Posted Thu June 25, 2020 12:25 PM

    I need to look for other fields in the LDAP query besides the standards, is it possible? (image 1 attached).

    Also, is it possible to send an email to the username with a warning or something from that button? (image 2 attached).



    ------------------------------
    Vítor Fagundes Alves Nogueira
    ------------------------------


  • 2.  RE: Doubts about ldap query

    Posted Fri June 26, 2020 08:18 AM
    Edited by System Thu November 11, 2021 11:15 AM
    Yep, in both cases, the answer is yes.

    1. You need to modify the pre- and post-process scripts to achieve it. Check the screenshot.
    2. You can leverage the outband email function for the purpose. https://exchange.xforce.ibmcloud.com/hub/extension/caafba4e4f6d130e7db30ed4d5e53504

    BR,
    Alex


    ------------------------------
    Alexander Saulenko
    ------------------------------



  • 3.  RE: Doubts about ldap query

    Posted Fri June 26, 2020 09:00 AM
    Thanks a lot for the help! I'll try to do it here; if I get anything, I'll get in touch with a comment here.

    ------------------------------
    Vítor Fagundes Alves Nogueira
    ------------------------------



  • 4.  RE: Doubts about ldap query

    Posted Fri June 26, 2020 09:22 AM
    Just like Alexander stated you should be able to do both of the things you want with some customization.

    We do ours against a Data table row being added so on a DataTable object.

    For the LDAP extension, in the pre-process script you can build it with any fields that you are searching against in your Active Directory:
    inputs.ldap_search_base = "dc=your_domain,dc=com"
    inputs.ldap_search_filter = "(objectSid={})".format(row.user_added_local_admin_dt)
    inputs.ldap_search_attributes = "sAMAccountName,objectSid"  # these are the fields you want to search against

    In the post process script you can write out the return to see all the fields in a note using something like this:
    if len(results['entries']) > 0:
        incident.addNote(results['entries'])

    Then once you figure out the parts you want, modify the data table and add columns for those new fields, or add new fields.
    row.general_qr_description = results['entries'][0]['description']  # this adds the person's description field back to the row in a description column

    Emailing a User:
    Actions can have functions that do almost anything - if you haven't looked at the app exchange for the outbound email connector I would look at that (linked in Alexander's post). Then you can use the action on the row to trigger an email being sent manually or you could do it automatically in a workflow.

    ------------------------------
    Richard Giesige
    Security Engineer
    Oshkosh Corporation
    Oshkosh
    ------------------------------



  • 5.  RE: Doubts about ldap query

    Posted Mon June 29, 2020 01:24 PM
    Hi, 

    About the code you mentioned, which I have to use to write the search results in a note: the script does not execute and gives the error:

    An error occurred while processing the action acknowledgement. Additional information: Post-processing script for Function 'LDAP Utilities: Search' from Workflow 'Example: LDAP Utilities: Search' was unable to complete because: addNote(): 1st arg can't be coerced to com.co3.json.content.TextContentDTO


    can you help me?

    ------------------------------
    Vítor Fagundes Alves Nogueira
    ------------------------------



  • 6.  RE: Doubts about ldap query

    Posted Mon June 29, 2020 01:50 PM
    Vitor,

    Sorry I didn't get to this sooner, and sorry that wasn't the fully correct code. Below should be one that works properly.

    Did you try wrapping the result in a string like this: 

    if len(results['entries']) > 0:
        incident.addNote(str(results['entries']))

    ------------------------------
    Richard Giesige
    Security Engineer
    Oshkosh Corporation
    Oshkosh
    ------------------------------



  • 7.  RE: Doubts about ldap query

    Posted Tue June 30, 2020 02:20 PM
    Hi

    The code worked in the sense that it didn't trigger any errors, but it just adds a note with the fields that are present in the LDAP table. In this case, I needed to know all the fields that I can bring into the LDAP search.

    ------------------------------
    Vítor Fagundes Alves Nogueira
    ------------------------------



  • 8.  RE: Doubts about ldap query

    Posted Tue June 30, 2020 03:23 PM
    Hi,

    I managed to bring all the fields into a note, but when I go to modify the script after the process, all the fields that I try trigger an error saying that the fields do not exist.

    ------------------------------
    Vítor Fagundes Alves Nogueira
    ------------------------------



  • 9.  RE: Doubts about ldap query

    Posted Thu July 02, 2020 09:11 AM
    Edited by Richard Giesige Thu July 02, 2020 09:11 AM
    Vitor,

    From your other posts I'm guessing you started to figure this out but if they are custom fields then you need to do something like 

    incident.properties.{field api name} = results['entries'][{field you want to add}] 

    When you type in the post-process script you will see it try to autofill which should help you figure out the field names if you don't remember it off the top of your head.

    ------------------------------
    Richard Giesige
    Security Engineer
    Oshkosh Corporation
    Oshkosh
    ------------------------------
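The following is an added example that is not code from this thread or from IBM's LDAP Utilities app. It simulates, stand-alone and offline, the pre-process / post-process pair that posts 4 and 9 describe: building the search inputs, dumping every returned attribute into a note (post 7's question of which fields are available), and copying attributes into data-table columns or custom fields only when the attribute is actually present (the "field does not exist" errors in post 8). It assumes the search function returns a dict shaped `{'entries': [{attribute: value, ...}, ...]}`, uses a constructed `StandInRow` in place of the real `row` object, and the field API name `ldap_user_mail` and the sample directory entry are made up. It also escapes the SID per RFC 4515 before interpolating it into the filter, which the bare `.format()` in post 4 does not do.

```python
# Added example, not the thread's or IBM's code. Assumed result shape:
# {'entries': [{attribute: value, ...}, ...]}; `row`, field names and the
# sample entry below are constructed for offline execution.

# RFC 4515 escapes for a value placed inside an LDAP search filter; a bare
# .format() would let "*", "(" or ")" in the value change the filter's meaning.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value):
    """Escape one filter value character by character (no double escaping)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Attributes to request beyond the two in the thread (extra names assumed).
DEFAULT_ATTRIBUTES = ("sAMAccountName", "objectSid", "description", "mail")


def build_search_inputs(object_sid, search_base="dc=example,dc=com", attributes=DEFAULT_ATTRIBUTES):
    """Pre-process step: the three inputs the thread sets on `inputs`."""
    return {
        "ldap_search_base": search_base,
        "ldap_search_filter": "(objectSid={})".format(escape_ldap_filter_value(object_sid)),
        "ldap_search_attributes": ",".join(attributes),
    }


# Constructed sample result in the assumed shape; not real directory data.
SAMPLE_RESULTS = {
    "entries": [{
        "sAMAccountName": "jdoe",
        "objectSid": "S-1-5-21-1-2-3-1105",
        "description": "Helpdesk analyst",
        "mail": ["jdoe@example.com"],  # multi-valued attributes arrive as lists
    }]
}


def entries_to_note(results):
    """Post-process step 1: list every attribute of every entry as note text."""
    entries = results.get("entries") or []
    if not entries:
        return "LDAP search returned no entries"
    lines = []
    for i, entry in enumerate(entries, 1):
        lines.append("Entry {}:".format(i))
        for attr in sorted(entry):
            lines.append("  {} = {}".format(attr, entry[attr]))
    return "\n".join(lines)


# LDAP attribute -> SOAR field API name: the thread's data-table column plus
# an assumed custom field.
ATTRIBUTE_TO_FIELD = {"description": "general_qr_description", "mail": "ldap_user_mail"}


def map_entry_to_fields(entry, mapping=ATTRIBUTE_TO_FIELD):
    """Post-process step 2: keep only mapped attributes the entry really has.
    Reading a key the directory did not return is what raises the
    'field does not exist' style errors, so absent ones are reported instead."""
    present, missing = {}, []
    for attr, field_name in mapping.items():
        value = entry.get(attr)
        if isinstance(value, list):
            value = value[0] if value else None
        if value in (None, ""):
            missing.append(attr)
        else:
            present[field_name] = value
    return present, missing


class StandInRow(object):
    """Constructed stand-in for `row`; a real script assigns row.<column_api_name>."""
    pass


def run_post_process(results):
    """Tie the steps together the way a post-process script would."""
    row, missing = StandInRow(), []
    if results.get("entries"):
        fields, missing = map_entry_to_fields(results["entries"][0])
        for name, value in fields.items():
            setattr(row, name, value)
    return {"note": entries_to_note(results), "row": row, "missing": missing}


if __name__ == "__main__":
    print(build_search_inputs("S-1-5-21-1-2-3-1105"))
    outcome = run_post_process(SAMPLE_RESULTS)
    print(outcome["note"])
    print(vars(outcome["row"]), "missing:", outcome["missing"])
```

In a real post-process script the `StandInRow` and the returned dict go away: the note text goes to `incident.addNote(...)` and each entry of `fields` is assigned to `row.<column>` or `incident.properties.<field>`, while `missing` is what you would log or write to the note so the analyst sees which attributes the directory did not return rather than the script failing.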