IBM Security Resilient


How to avoid adding duplicate Artifacts to an Incident

  • 1.  How to avoid adding duplicate Artifacts to an Incident

    Posted Thu February 27, 2020 09:55 AM
    Hi all,

    In the post-process script of one of my workflows, I am adding artifacts to the incident depending on the results returned by my function. But even for the same value, type and description of the artifact, a new, separate artifact is created, which is not very elegant from a UX perspective.

    Is there any way to check, by value, whether an artifact already exists, and then delete it before adding a new one with the same value? This way I can avoid adding duplicate artifacts. Or is there any other workaround for achieving the same?

    Thanks!

    ------------------------------
    Umair Ahmed
    ------------------------------


  • 2.  RE: How to avoid adding duplicate Artifacts to an Incident

    Posted Fri February 28, 2020 05:13 AM
    Edited by BENOIT ROSTAGNI Fri February 28, 2020 05:14 AM
    Instead of creating the Artifact directly in the post-process script, you could pass it to a new function that runs afterwards and checks whether the artifact exists.
    I have done it in 2 ways:
    - using the "search" function of fn_utilities: same incident ID, same artifact type, same artifact value, current artifact ID (if the artifact is already created) > artifact ID from search ==> then it is a duplicate
    - using the "RestAPI" call of fn_utilities ==> direct lookup via REST on the incident ID for the same artifact.

    Note: some artifacts with sub-properties like Source IP / Destination IP or Registry Keys may be found to be the same, as I do not (yet) check those sub-properties.

    You can ADAPT (do not use directly in production) the process attached below; the use case is different and part of a bigger process.

    # Deduplicate Artifact - 11/12/2019 - Does not work for IP & Reg Keys (excluded for exceptions)
    Needs API key (See all functions in workflow, pre-process scripts. You can use the same API Key)
    Needs the update of Resilient URL & Org in the API call in the preprocess of each function in the Workflow
    Needs Apps : fn_utilities,
    resilient-circuits extract \
    --script "Add Deleted Artifact in Table" \
    --workflow "deduplicate_artifact" \
    --rule "Deduplicate Artifact" \
    -o config_deduplicate_artifacts.res --zip --exportfile export.res


    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
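The REST-lookup approach from the reply above, written out as an added example (this is not code from the post, its attachment, or IBM): fetch the incident's current artifacts once, build an identity key from type, normalized value and sub-properties, and only create the artifacts that are not already there. The sub-property comparison also covers the Source IP / Destination IP caveat the reply mentions. The artifact field names (`type`, `value`, `properties`, `description`) and the path `/rest/orgs/{org}/incidents/{inc}/artifacts` are assumptions based on the Resilient REST API; `FakeClient` stands in for a `resilient.SimpleClient` so the example runs offline on constructed data.

```python
"""Deduplicate artifacts before adding them to a Resilient incident.

Added example, not code from the post or from IBM.  Assumptions (marked
below): artifact JSON field names and the incident artifacts REST path
follow the Resilient REST API; the client object only needs get()/post().
"""

# Artifact types whose values are not case-sensitive (assumption for the example).
CASE_INSENSITIVE_TYPES = {"DNS Name", "Email Sender", "Email Recipient",
                          "Malware MD5 Hash", "Malware SHA-1 Hash", "Malware SHA-256 Hash"}


def normalize_value(artifact_type, value):
    """Strip whitespace; case-fold values of types where case carries no meaning."""
    v = value.strip()
    return v.lower() if artifact_type in CASE_INSENSITIVE_TYPES else v


def artifact_key(artifact):
    """Identity of an artifact: type, normalized value and sorted sub-properties.

    Sub-properties (e.g. an IP flagged Source vs Destination) are part of the key,
    so two IP artifacts that differ only in that flag are NOT treated as duplicates.
    """
    props = tuple(sorted((p["name"], p["value"]) for p in artifact.get("properties") or []))
    return (artifact["type"], normalize_value(artifact["type"], artifact["value"]), props)


def dedupe(existing, candidates):
    """Split candidates into those to create and those already on the incident.

    Returns (to_create, skipped); skipped is a list of (candidate, existing_id).
    Duplicates inside the candidate batch itself are collapsed too (id None).
    """
    by_key = {artifact_key(a): a for a in existing}
    to_create, skipped = [], []
    for cand in candidates:
        key = artifact_key(cand)
        if key in by_key:
            skipped.append((cand, by_key[key].get("id")))
            continue
        by_key[key] = cand          # later identical candidates become duplicates
        to_create.append(cand)
    return to_create, skipped


def artifacts_uri(org_id, inc_id):
    # Assumed REST path for listing and creating an incident's artifacts.
    return "/rest/orgs/{}/incidents/{}/artifacts".format(org_id, inc_id)


def create_payload(cand):
    """POST body; the description is wrapped in the text-format object (assumed shape)."""
    body = {"type": cand["type"], "value": cand["value"],
            "description": {"format": "text", "content": cand.get("description", "")}}
    if cand.get("properties"):
        body["properties"] = cand["properties"]
    return body


def sync_artifacts(client, org_id, inc_id, candidates):
    """Fetch current artifacts once, then POST only the ones that are missing."""
    uri = artifacts_uri(org_id, inc_id)
    existing = client.get(uri)
    to_create, skipped = dedupe(existing, candidates)
    created = [client.post(uri, create_payload(c)) for c in to_create]
    return created, skipped


class FakeClient:
    """Stand-in for resilient.SimpleClient so the example runs offline."""
    def __init__(self, artifacts):
        self.artifacts = list(artifacts)
        self.next_id = 1 + max([a["id"] for a in self.artifacts] or [0])

    def get(self, uri):
        return list(self.artifacts)

    def post(self, uri, body):
        art = dict(body, id=self.next_id)
        self.next_id += 1
        self.artifacts.append(art)
        return art


# Constructed sample data: what the incident already holds ...
EXISTING = [
    {"id": 101, "type": "IP Address", "value": "203.0.113.10",
     "properties": [{"name": "source", "value": "true"}]},
    {"id": 102, "type": "Malware MD5 Hash", "value": "44D88612FEA8A8F36DE82E1278ABB02F"},
]

# ... and what a function returned (the last two lines are a within-batch duplicate).
CANDIDATES = [
    {"type": "IP Address", "value": "203.0.113.10",
     "properties": [{"name": "source", "value": "true"}], "description": "seen again"},
    {"type": "IP Address", "value": "203.0.113.10",
     "properties": [{"name": "destination", "value": "true"}], "description": "as destination"},
    {"type": "Malware MD5 Hash", "value": "44d88612fea8a8f36de82e1278abb02f "},
    {"type": "DNS Name", "value": "example.net"},
    {"type": "DNS Name", "value": "EXAMPLE.NET"},
]


def run_example():
    """Returns (values created, existing ids of skipped candidates)."""
    client = FakeClient(EXISTING)
    created, skipped = sync_artifacts(client, org_id=201, inc_id=2095, candidates=CANDIDATES)
    return [c["value"] for c in created], [eid for _, eid in skipped]


if __name__ == "__main__":
    print(run_example())   # (['203.0.113.10', 'example.net'], [101, 102, None])
```

Of the five candidates only two are created: the IP flagged as destination (different sub-property from the existing source-flagged one) and `example.net`; the re-submitted source IP and the MD5 hash (matched despite case and trailing whitespace) map to the existing artifacts 101 and 102, and the second DNS spelling collapses onto the first within the batch. If you do this from a function rather than the post-process script, fetch the list once per batch rather than once per artifact, since each call is a round trip to the Resilient server.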
