IBM Security QRadar SOAR

Hi,

I would like to know if it's posible to get the username or user identifier of the user who triggered a rule from Post-Process script of a Workflow. (User executes a Menu-Item Rule > Workflow is called > Note added after execution).

The idea is to add a note containing the user that launched some action.

I'm using principal.id but the user returned from there is the 'integrations' account.

Does anyone can help me?


Thanks,

Dídac.

------------------------------
Didac Cornet
------------------------------

Hi Didac,

Thank you for reaching out to us using our Community Forum!

If your appliance is running Resilient >= v32.0.0 you can make use of new functionality that was added to our in-product scripting.

In Scripts, we now expose workflow.addProperty(String <property_name>, Dict <property_value>) which add the property to workflow.properties

Using this as a solution to your question, follow the below example:

1. Create a Script Get Invoker and add the following code:

workflow.addProperty("invoker", {
  "email": principal.name,
  "display_name": principal.display_name
})​

2. Create a Workflow and insert Get Invoker at the start of the Workflow

3. Edit the post-process script of the last Function in the Workflow to add a Note to the Incident:

incident.addNote("{0} invoked this Workflow and their email is {1}".format(
  workflow.properties.invoker.display_name, workflow.properties.invoker.email))​

4. Run the Workflow, a Note should be added:


------------------------------
Shane Curtin
Integrations Engineer - IBM Resilient
------------------------------

Original Message:
Sent: 03-12-2019 06:35 AM
From: Didac Cornet
Subject: Get Username from within a Workflow

Hi,

I would like to know if it's posible to get the username or user identifier of the user who triggered a rule from Post-Process script of a Workflow. (User executes a Menu-Item Rule > Workflow is called > Note added after execution).

The idea is to add a note containing the user that launched some action.

I'm using principal.id but the user returned from there is the 'integrations' account.

Does anyone can help me?


Thanks,

Dídac.

------------------------------
Didac Cornet
------------------------------

​Thank you very much Shane.

Finally I've used
caller = event.message['principal']['name']
in a function in the Workflow and adding it to results as workaround. Then i get it from results output on Post-Process Script.

Great that you added that functionality in v32. We will update soon.

Thanks!

Didac.

------------------------------
Didac Cornet
------------------------------

Original Message:
Sent: 03-13-2019 01:01 PM
From: Shane Curtin
Subject: Get Username from within a Workflow

Hi Didac,

Thank you for reaching out to us using our Community Forum!

If your appliance is running Resilient >= v32.0.0 you can make use of new functionality that was added to our in-product scripting.

In Scripts, we now expose workflow.addProperty(String <property_name>, Dict <property_value>) which add the property to workflow.properties

Using this as a solution to your question, follow the below example:

1. Create a Script Get Invoker and add the following code:

workflow.addProperty("invoker", {  "email": principal.name,  "display_name": principal.display_name})​

2. Create a Workflow and insert Get Invoker at the start of the Workflow

3. Edit the post-process script of the last Function in the Workflow to add a Note to the Incident:

incident.addNote("{0} invoked this Workflow and their email is {1}".format(  workflow.properties.invoker.display_name, workflow.properties.invoker.email))​

4. Run the Workflow, a Note should be added:


------------------------------
Shane Curtin
Integrations Engineer - IBM Resilient

Original Message:
Sent: 03-12-2019 06:35 AM
From: Didac Cornet
Subject: Get Username from within a Workflow

Hi,

I would like to know if it's posible to get the username or user identifier of the user who triggered a rule from Post-Process script of a Workflow. (User executes a Menu-Item Rule > Workflow is called > Note added after execution).

The idea is to add a note containing the user that launched some action.

I'm using principal.id but the user returned from there is the 'integrations' account.

Does anyone can help me?


Thanks,

Dídac.

------------------------------
Didac Cornet
------------------------------