Being as the source code for this app is not on GitHub, I thought this the best place to post this. I hope someone on the Resilient-side can get this to the correct group.
In QRadar's app for Resilient, I'd like to propose changes to the check_actions_configured() method in "\app\apis\resilient_helpers.py" -- specifically to the "qradar_automatic_actions" dictionary object that is used to push/verify automatic actions to/in Resilient.
Current:
qradar_automatic_actions = {"close_offense": ("qradar_app", "Incident", ({u"type": None,
u"field_name": u"incident.plan_status",
u"method": u"changed_to",
u"value": u"C"},)),
"qradar_note": ("qradar_app", "Note", ())}
Proposed:
qradar_automatic_actions = {"close_offense": ("qradar_app", "Incident", ({u"type": None,
                                                                          u"field_name": u"incident.plan_status",
                                                                          u"method": u"changed_to",
                                                                          u"value": u"C"},
                                                                         {u"type": None,
                                                                          u"field_name": u"incident." + str(self.qradar_id_fieldname),
                                                                          u"method": u"has_a_value"})),
                            "qradar_note": ("qradar_app", "Note", ({u"type": None,
                                                                    u"field_name": u"incident." + str(self.qradar_id_fieldname),
                                                                    u"method": u"has_a_value"},))}  # trailing comma keeps the conditions a one-element tuple, as in the current "close_offense" entry
Purpose: This will ensure that these automatic actions only fire on QRadar-sourced incidents. Currently they fire on every incident (not well implemented) and then the app checks if the QRadar Offense ID field (qradar_id) exists and is valid later within the find_qradar_incidents() method via a call to self.has_qradar_id() and then via self.qradar_id_fieldname.
Alternative solution: Remove the existing_conditions check in the validate_or_create_automatic_action() method, which would allow for users to add their own conditions to these automatic actions. I'd imagine there was a reason this check was implemented, but I'm unsure what it was.
Disclaimer: I have not tested this change. Engineering will need to test and ensure this is implemented correctly. I'm unclear as to the purpose of "type" within the conditions, nor do I see a way to specify "All" vs "Any" conditions; perhaps this is what "type" is for? I was unable to locate documentation on this.
I posted this as an idea in the Aha.io portal in February, but today I decided to look through the source code myself to determine where the change needs to be implemented in an effort to expedite this and help out the engineering devs.
------------------------------
Jared Fagel
Cyber Security Analyst Intern
Public Utility
------------------------------
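The following is an added illustration, not code from the QRadar app for Resilient or from the poster above. It builds the proposed "qradar_automatic_actions" structure (with the conditions kept as tuples) and runs a small, assumed evaluator over constructed incident records to show the effect the proposal is after: with only the "changed_to C" condition, every closed incident fires "close_offense"; with the extra "has_a_value" condition on the QRadar ID field, incidents that were never linked to an offense do not. The field name "qradar_id", the "incident.<field>" naming layout, and the "All conditions must hold" semantics are assumptions for the example; the Resilient server's real condition evaluation is not reproduced here.

```python
# Added illustration; not the QRadar app's or Resilient's own code.
# Assumed: the QRadar ID custom field is named "qradar_id", condition
# field names use the layout "incident.<field>", and an action fires only
# when ALL of its conditions hold.

QRADAR_ID_FIELDNAME = "qradar_id"  # stands in for self.qradar_id_fieldname


def build_actions(qradar_id_fieldname, gate_on_qradar_id=True):
    """Return the action map in the same shape as qradar_automatic_actions:
    name -> (app_name, object_type, tuple_of_conditions)."""
    closed = {u"type": None,
              u"field_name": u"incident.plan_status",
              u"method": u"changed_to",
              u"value": u"C"}
    has_qradar_id = {u"type": None,
                     u"field_name": u"incident." + str(qradar_id_fieldname),
                     u"method": u"has_a_value"}
    if not gate_on_qradar_id:
        # "Current" behaviour: close_offense depends on plan_status only,
        # qradar_note has no conditions at all.
        return {"close_offense": ("qradar_app", "Incident", (closed,)),
                "qradar_note": ("qradar_app", "Note", ())}
    # "Proposed" behaviour: both actions additionally require a QRadar ID.
    return {"close_offense": ("qradar_app", "Incident", (closed, has_qradar_id)),
            "qradar_note": ("qradar_app", "Note", (has_qradar_id,))}


def _field(incident, field_name):
    """Resolve "incident.<field>" against a plain incident dict (assumed layout)."""
    prefix = "incident."
    if not field_name.startswith(prefix):
        raise ValueError("unsupported field reference: %s" % field_name)
    return incident.get(field_name[len(prefix):])


def condition_holds(cond, before, after):
    """Assumed semantics for the two condition methods used in the proposal."""
    method = cond[u"method"]
    new = _field(after, cond[u"field_name"])
    if method == u"has_a_value":
        return new not in (None, u"")
    if method == u"changed_to":
        old = _field(before, cond[u"field_name"])
        return old != new and new == cond[u"value"]
    raise ValueError("unsupported condition method: %s" % method)


def action_fires(actions, name, before, after):
    """True when every condition of the named action holds for the
    before -> after transition ("All" semantics, assumed)."""
    _app, _object_type, conditions = actions[name]
    return all(condition_holds(c, before, after) for c in conditions)


# Constructed sample incidents: one created by hand, one created from a
# QRadar offense (so it carries a QRadar ID).
MANUAL_OPEN = {"id": 1, "plan_status": "A", "qradar_id": None}
MANUAL_CLOSED = dict(MANUAL_OPEN, plan_status="C")
QRADAR_OPEN = {"id": 2, "plan_status": "A", "qradar_id": "4711"}
QRADAR_CLOSED = dict(QRADAR_OPEN, plan_status="C")


def compare():
    """Which incidents trigger each action under the current vs. proposed
    condition sets."""
    current = build_actions(QRADAR_ID_FIELDNAME, gate_on_qradar_id=False)
    proposed = build_actions(QRADAR_ID_FIELDNAME, gate_on_qradar_id=True)
    return {
        "current": {
            "manual_close": action_fires(current, "close_offense", MANUAL_OPEN, MANUAL_CLOSED),
            "qradar_close": action_fires(current, "close_offense", QRADAR_OPEN, QRADAR_CLOSED),
            "manual_note": action_fires(current, "qradar_note", MANUAL_OPEN, MANUAL_OPEN),
        },
        "proposed": {
            "manual_close": action_fires(proposed, "close_offense", MANUAL_OPEN, MANUAL_CLOSED),
            "qradar_close": action_fires(proposed, "close_offense", QRADAR_OPEN, QRADAR_CLOSED),
            "manual_note": action_fires(proposed, "qradar_note", MANUAL_OPEN, MANUAL_OPEN),
            "qradar_note": action_fires(proposed, "qradar_note", QRADAR_OPEN, QRADAR_OPEN),
        },
    }


if __name__ == "__main__":
    for variant, results in compare().items():
        print(variant, results)
```

Run the script directly to print both result sets; under the assumed semantics the manually created incident fires "close_offense" and "qradar_note" with the current conditions but neither with the proposed ones, while the QRadar-sourced incident fires both either way.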