IBM QRadar SOAR

  • 1.  How to avoid adding duplicate Artifacts to an Incident

    Posted Thu February 27, 2020 09:55 AM
    Hi all,

    In the post-process script of one of my workflows, I am adding artifacts to the incident depending upon the results returned by my function. But even for the same value, type and description of the artifact, a new separate artifact is being created, which is not very elegant from a UX perspective.

    Is there any way to check, by value, if an artifact already exists and then delete it before adding a new one with the same value? This way I can avoid adding duplicate artifacts. Or is there any other workaround for achieving the same?

    Thanks!

    ------------------------------
    Umair Ahmed
    ------------------------------


  • 2.  RE: How to avoid adding duplicate Artifacts to an Incident

    Posted Fri February 28, 2020 05:13 AM
    Edited by BENOIT ROSTAGNI Fri February 28, 2020 05:14 AM
    Instead of creating the Artifact directly in post-process, you could transmit it to a new function that will run afterwards and check if the artifact exists.
    I have done it in 2 ways:
    - using the "search" function of fn_utilities: same incident ID, same Artifact Type, same Artifact Value, current Artifact ID (if artifact is already created) > Artifact ID from search ==> then it is a duplicate
    - using the "RestAPI" call of fn_utilities ==> direct lookup in REST to the incident ID for the same artifact.

    Note: some artifacts with sub-properties like Source IP / Destination IP or Registry Keys may be found as the same, as I do not check (yet) those sub-properties.

    You can ADAPT (do not use directly in production) the process attached below; the use case is different and part of a bigger process.

    # Deduplicate Artifact - 11/12/2019 - Does not work for IP & Reg Keys (excluded for exceptions)
    Needs API key (See all functions in workflow, pre-process scripts. You can use the same API Key)
    Needs the update of Resilient URL & Org in the API call in the preprocess of each function in the Workflow
    Needs Apps : fn_utilities,
    resilient-circuits extract \
    --script "Add Deleted Artifact in Table" \
    --workflow "deduplicate_artifact" \
    --rule "Deduplicate Artifact" \
    -o config_deduplicate_artifacts.res --zip --exportfile export.res


    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
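    Added example, not code from this thread, from IBM or from fn_utilities: the check Benoit describes, written in plain Python against the artifact list a REST lookup on the incident would return, plus the sub-property comparison his note says is still missing. The record shape (keys id, type, value, properties) and the sample artifacts are constructed for this example and are not the QRadar SOAR API schema.

```python
# Added example, not code from this thread or from IBM / fn_utilities.
# Decides which candidate artifacts a post-process step may create by
# comparing them with the incident's existing artifacts on type + value
# (and optionally on sub-properties such as source/destination on an IP).
# Assumed record shape (constructed for this example, not the SOAR schema):
#   {"id": int, "type": str, "value": str, "properties": {str: str}}


def normalise_value(value):
    """Strip and collapse whitespace so ' 203.0.113.5 ' and '203.0.113.5'
    compare equal. Case is kept: values such as file paths may be case
    sensitive; fold case per artifact type if your data warrants it."""
    return " ".join(str(value).split())


def artifact_key(artifact, compare_properties=True):
    """Identity used for duplicate detection.

    With compare_properties=True the sub-properties (e.g. source vs.
    destination on an IP artifact) are part of the identity, which covers
    the case the reply above says it does not handle yet."""
    key = (artifact["type"], normalise_value(artifact["value"]))
    if compare_properties:
        props = artifact.get("properties") or {}
        key += (tuple(sorted((k, str(v)) for k, v in props.items())),)
    return key


def find_existing(existing, candidate, compare_properties=True):
    """Return the id of the already-present artifact matching candidate,
    or None. Useful for the delete-then-re-add variant from the question."""
    wanted = artifact_key(candidate, compare_properties)
    for art in existing:
        if artifact_key(art, compare_properties) == wanted:
            return art["id"]
    return None


def new_artifacts(existing, candidates, compare_properties=True):
    """Return the candidates that should be created: those not already on
    the incident, with duplicates inside the batch itself removed too."""
    seen = {artifact_key(a, compare_properties) for a in existing}
    to_add = []
    for cand in candidates:
        key = artifact_key(cand, compare_properties)
        if key in seen:
            continue
        seen.add(key)
        to_add.append(cand)
    return to_add


# Constructed sample data standing in for a GET of the incident's artifacts
# and for the results a function returned.
EXISTING = [
    {"id": 101, "type": "IP Address", "value": "203.0.113.5",
     "description": "seen in proxy log"},
    {"id": 102, "type": "Malware MD5 Hash",
     "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"id": 103, "type": "IP Address", "value": "198.51.100.7",
     "properties": {"direction": "source"}},
]

CANDIDATES = [
    {"type": "IP Address", "value": " 203.0.113.5 "},          # duplicate once whitespace is normalised
    {"type": "Malware MD5 Hash",
     "value": "d41d8cd98f00b204e9800998ecf8427e"},             # duplicate
    {"type": "DNS Name", "value": "example.net"},              # new
    {"type": "IP Address", "value": "198.51.100.7",
     "properties": {"direction": "destination"}},              # same value, different sub-property
    {"type": "DNS Name", "value": "example.net"},              # duplicate within the batch
]

if __name__ == "__main__":
    for art in new_artifacts(EXISTING, CANDIDATES):
        print("create:", art["type"], art["value"], art.get("properties", {}))
    print("duplicate of artifact id",
          find_existing(EXISTING, {"type": "IP Address", "value": " 203.0.113.5 "}))
```

    With compare_properties=True the destination-IP candidate is kept because it differs from artifact 103 in its sub-property; with compare_properties=False it is treated as a duplicate, which is the behaviour the note above describes.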


  • 3.  RE: How to avoid adding duplicate Artifacts to an Incident

    Posted Fri January 22, 2021 11:26 AM
    This package is deprecated since v37.1
    https://www.ibm.com/support/knowledgecenter/SSBRUQ_37.0.0/doc/Release_Notes/Features_1.html

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------