IBM Security QRadar SOAR

Hi all,

In post-process script of one of my workflows, I am adding artifacts to the incident depending upon the results returned by my function. But even for the same value, type and description of the artifact, a new separate artifact is being created which is not very elegant from a UX perspective. 

Is there any way to check by value, if an artifact already exists and then delete it before adding a new one with the same value? This way I can avoid adding duplicate artifacts or is there any other workaround for achieving the same.

Thanks!

------------------------------
Umair Ahmed
------------------------------

Instead of creating directly the Artifact in post process, you could transmit it to a new function that will run after and check if the artifact exist.
I have done it in 2 ways :
- using the "search" function of fn_utilities : same incident ID, same Artifact Type, Same Artifact Value, Current Artifact ID (if artifact is already created)> Artifact ID from search ==> than it is a duplicate
- using the "RestAPI" call of fn_utilities ==> Direct lookup in rest to the incident ID for same artifact.

Note : some artifact with sub properties like Source IP / Destination IP or Registry Keys may find the same are I do not check (yet) those sup properties.

You can ADAPT (Do not use directly in production) the process attached below, the use case is different an part of a bigger process.

# Deduplicate Artifact - 11/12/2019 - Does not work for IP & Reg Keys (excluded for exceptions)
Needs API key (See all functions in workflow, pre-process scripts. You can use the same API Key)
Needs the update of Resilient URL & Org in the API call in the preprocess of each function in the Workflow
Needs Apps : fn_utilities,
resilient-circuits extract \
--script "Add Deleted Artifact in Table" \
--workflow "deduplicate_artifact" \
--rule "Deduplicate Artifact" \
-o config_deduplicate_artifacts.res --zip --exportfile export.res


------------------------------
BENOIT ROSTAGNI
------------------------------

Original Message:
Sent: Thu February 27, 2020 09:55 AM
From: Umair Ahmed
Subject: How to avoid adding duplicate Artifacts to an Incident

Hi all,

In post-process script of one of my workflows, I am adding artifacts to the incident depending upon the results returned by my function. But even for the same value, type and description of the artifact, a new separate artifact is being created which is not very elegant from a UX perspective. 

Is there any way to check by value, if an artifact already exists and then delete it before adding a new one with the same value? This way I can avoid adding duplicate artifacts or is there any other workaround for achieving the same.

Thanks!

------------------------------
Umair Ahmed
------------------------------

This package is depreciated since v37.1
https://www.ibm.com/support/knowledgecenter/SSBRUQ_37.0.0/doc/Release_Notes/Features_1.html

------------------------------
BENOIT ROSTAGNI
------------------------------

Original Message:
Sent: Fri February 28, 2020 05:13 AM
From: BENOIT ROSTAGNI
Subject: How to avoid adding duplicate Artifacts to an Incident

Instead of creating directly the Artifact in post process, you could transmit it to a new function that will run after and check if the artifact exist.
I have done it in 2 ways :
- using the "search" function of fn_utilities : same incident ID, same Artifact Type, Same Artifact Value, Current Artifact ID (if artifact is already created)> Artifact ID from search ==> than it is a duplicate
- using the "RestAPI" call of fn_utilities ==> Direct lookup in rest to the incident ID for same artifact.

Note : some artifact with sub properties like Source IP / Destination IP or Registry Keys may find the same are I do not check (yet) those sup properties.

You can ADAPT (Do not use directly in production) the process attached below, the use case is different an part of a bigger process.

# Deduplicate Artifact - 11/12/2019 - Does not work for IP & Reg Keys (excluded for exceptions)
Needs API key (See all functions in workflow, pre-process scripts. You can use the same API Key)
Needs the update of Resilient URL & Org in the API call in the preprocess of each function in the Workflow
Needs Apps : fn_utilities,
resilient-circuits extract \
--script "Add Deleted Artifact in Table" \
--workflow "deduplicate_artifact" \
--rule "Deduplicate Artifact" \
-o config_deduplicate_artifacts.res --zip --exportfile export.res


------------------------------
BENOIT ROSTAGNI

Original Message:
Sent: Thu February 27, 2020 09:55 AM
From: Umair Ahmed
Subject: How to avoid adding duplicate Artifacts to an Incident

Hi all,

In post-process script of one of my workflows, I am adding artifacts to the incident depending upon the results returned by my function. But even for the same value, type and description of the artifact, a new separate artifact is being created which is not very elegant from a UX perspective. 

Is there any way to check by value, if an artifact already exists and then delete it before adding a new one with the same value? This way I can avoid adding duplicate artifacts or is there any other workaround for achieving the same.

Thanks!

------------------------------
Umair Ahmed
------------------------------