Instead of creating the Artifact directly in post-process, you could transmit it to a new function that will run afterwards and check if the artifact exists.
I have done it in 2 ways:
- using the "search" function of fn_utilities: same incident ID, same Artifact Type, same Artifact Value, Current Artifact ID (if artifact is already created) > Artifact ID from search ==> then it is a duplicate
- using the "RestAPI" call of fn_utilities ==> direct lookup in REST to the incident ID for the same artifact.
Note: some artifacts with sub-properties like Source IP / Destination IP or Registry Keys may be found as the same, as I do not check (yet) those sub-properties.
You can ADAPT (do not use directly in production) the process attached below; the use case is different and part of a bigger process.
# Deduplicate Artifact - 11/12/2019 - Does not work for IP & Reg Keys (excluded for exceptions)
Needs API key (See all functions in workflow, pre-process scripts. You can use the same API Key)
Needs the update of Resilient URL & Org in the API call in the preprocess of each function in the Workflow
Needs Apps : fn_utilities,
resilient-circuits extract \
--script "Add Deleted Artifact in Table" \
--workflow "deduplicate_artifact" \
--rule "Deduplicate Artifact" \
-o config_deduplicate_artifacts.res --zip --exportfile export.res
------------------------------
BENOIT ROSTAGNI
------------------------------
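The check described in the reply above, as an added example that is not the attached workflow or fn_utilities code: a pure-Python comparison of a candidate artifact against an incident's artifact list, with the same-type/same-value rule, the "only older IDs count" rule, and the IP / Registry Key exclusion. The dict keys ("id", "type", "value") and the type display names are assumptions about the Resilient REST artifact JSON.

```python
# Added example, not the workflow attached above. Artifact dicts are assumed to
# carry the "id", "type" and "value" keys of the Resilient REST artifact JSON;
# the type display names used here are an assumption as well.

# Types whose identity also depends on sub-properties (source/destination IP,
# registry hive/key/value); the reply above leaves these out of the check.
SUBPROPERTY_TYPES = {"IP Address", "Registry Key"}
# Types where letter case does not make a distinct indicator.
CASE_INSENSITIVE_TYPES = {"DNS Name", "Email Sender", "Malware MD5 Hash",
                          "Malware SHA-1 Hash", "Malware SHA-256 Hash"}

def _normalize(art):
    value = art["value"].strip()
    return value.lower() if art["type"] in CASE_INSENSITIVE_TYPES else value

def dedup_decision(existing, candidate, current_id=None):
    """Return ("duplicate", older_id), ("unique", None) or ("undecided", None).
    With current_id set (artifact already created in post-process), only
    artifacts with a smaller id count, as in the ID comparison above."""
    if candidate["type"] in SUBPROPERTY_TYPES:
        return ("undecided", None)
    wanted = _normalize(candidate)
    for art in existing:
        if art["type"] != candidate["type"] or _normalize(art) != wanted:
            continue
        if current_id is not None and (art["id"] is None or art["id"] >= current_id):
            continue
        return ("duplicate", art["id"])
    return ("unique", None)

def plan_additions(existing, candidates):
    """Keep only candidates not already on the incident, also collapsing
    repeats within the batch (id None = not created yet). Returns (to_add, skipped)."""
    to_add, skipped, seen = [], [], list(existing)
    for cand in candidates:
        status, dup_id = dedup_decision(seen, cand)
        if status == "duplicate":
            skipped.append((cand, dup_id))
        else:
            to_add.append(cand)
            seen.append({"id": None, "type": cand["type"], "value": cand["value"]})
    return to_add, skipped

# Constructed sample: what an incident's artifact list might look like.
EXISTING = [
    {"id": 101, "type": "DNS Name", "value": "Evil.Example.COM"},
    {"id": 102, "type": "IP Address", "value": "203.0.113.5"},
    {"id": 103, "type": "Malware MD5 Hash", "value": "d41d8cd98f00b204e9800998ecf8427e"},
]
```

In a post-process script, `plan_additions` would run over the function results before any `incident.addArtifact` call, and "undecided" types still need the sub-property comparison the reply says is not done yet.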
Original Message:
Sent: Thu February 27, 2020 09:55 AM
From: Umair Ahmed
Subject: How to avoid adding duplicate Artifacts to an Incident
Hi all,
In post-process script of one of my workflows, I am adding artifacts to the incident depending upon the results returned by my function. But even for the same value, type and description of the artifact, a new separate artifact is being created which is not very elegant from a UX perspective.
Is there any way to check by value if an artifact already exists, and then delete it before adding a new one with the same value? This way I can avoid adding duplicate artifacts, or is there any other workaround for achieving the same?
Thanks!
------------------------------
Umair Ahmed
------------------------------