IBM Security SOAR

Expand all | Collapse all

Update Proposal: QRadar's Resilient App

  • 1.  Update Proposal: QRadar's Resilient App

    Posted Mon October 07, 2019 06:09 PM
    Edited by Jared Fagel Mon October 07, 2019 06:12 PM
    Being as the source code for this app is not on GitHub, I thought this the best place to post this. I hope someone on the Resilient-side can get this to the correct group.

    In QRadar's app for Resilient, I'd like to propose changes to the check_actions_configured() method in "\app\apis\resilient_helpers.py" -- specifically to the "qradar_automatic_actions" dictionary object that is used to push/verify automatic actions to/in Resilient.


    Current:
    qradar_automatic_actions = {"close_offense": ("qradar_app", "Incident", ({u"type": None,
    u"field_name": u"incident.plan_status",
    u"method": u"changed_to",
    u"value": u"C"},)),
    "qradar_note": ("qradar_app", "Note", ())}

    Proposed:
    qradar_automatic_actions = {"close_offense": ("qradar_app", "Incident", ({u"type": None, u"field_name": u"incident.plan_status", u"method": u"changed_to", u"value": u"C"}, {u"type": None, u"field_name": u"incident." + str(self.qradar_id_fieldname), u"method": u"has_a_value"})), "qradar_note": ("qradar_app", "Note", ({u"type": None, u"field_name": u"incident." + str(self.qradar_id_fieldname), u"method": u"has_a_value"}))}

    Purpose:
    This will ensure that these automatic actions only fire on QRadar-sourced incidents. Currently they fire on every incident (not well implemented) and then the app checks if the QRadar Offense ID field (qradar_id) exists and is valid later within the find_qradar_incidents() method via a call to self.has_qradar_id() and then via self.qradar_id_fieldname.

    Alternative solution:
    Remove the existing_conditions check in the validate_or_create_automatic_action() method, which would allow for users to add their own conditions to these automatic actions. I'd imagine there was a reason this check was implemented, but I'm unsure what it was.

    Disclaimer:
    I have not tested this change. Engineering will need to test and ensure this is implemented correctly. I'm unclear as to the purpose of "type" within the conditions, nor do I see a way to specify "All" vs "Any" conditions, perhaps this is what "type" is for? I was unable to locate documentation on this.

    Aha.io
    I posted this as an idea in the Aha.io portal in February, but today I decided to look through the source code myself to determine where the change needs to be implemented in an effort to expedite this and help out the engineer devs.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------


  • 2.  RE: Update Proposal: QRadar's Resilient App

    Posted Thu October 17, 2019 11:18 AM
    Hey @Mark Scherfling can you take a look at this and let me know what you think?

    Jared​

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 3.  RE: Update Proposal: QRadar's Resilient App

    Posted Fri October 18, 2019 07:37 AM
    Hi Jared,

    We have taken a look and reviewed the Qradar Plugin code you are talking about and
    determined that this is a good idea to add this condition to the rules.  We plan to implement
    your suggestion in a near future release.  Thanks for the input!

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 4.  RE: Update Proposal: QRadar's Resilient App

    Posted Tue October 22, 2019 04:34 PM
    Glad to hear. Thanks @AnnMarie Norcross

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 5.  RE: Update Proposal: QRadar's Resilient App

    Posted 29 days ago
    I wanted to poke this old thread as the change I noted was made, but something that has still stood the test of time is the use of hardcoded action names ("qradar_action_fields" in resilient_helpers.py).

    It would be ideal if the action names could be renamed by end users, and rather than referencing them via name in the app code, they could be stored/referenced via either their action ID (.id) or API name (.view_items.content)

    Any opinions on this?

    ------------------------------
    Jared Fagel
    Cyber Security Analyst
    ALLETE Inc.
    ------------------------------