Hi Ben,
Thank you for engaging with this question.
We are currently using Resilient as a phishing platform; any emails that are reported are automatically forwarded to Resilient and an incident is created with relevant artefacts.
If you take a look at the image below (apologies for the red squiggles removing data), this is what is created.
For example, in the "Value" tab one of the entries is "IPO ...". Is there a way, utilizing Python scripting, to go: If Value contains "IPO" then Value = "IPO"?
Another theoretical example might be: If Value contains "gmail.com" & Type = "Email Sender" then Value = "Suspicious Gmail".
I believe I may be explaining this incorrectly; however, it seems like there should be a function or method to change these? Even if it is not possible to change them, is there a way to access the values and create a new artefact from them?
The main problem is that we use Microsoft ATP, which wraps the URLs in a safelink. It's a simple process to strip the URL down; however, I can't seem to find a way to get the data in the first place (such as in a variable or array). We have third-party modules installed into Resilient (like X-Force) that scan the URLs and return a simple severity value; however, we don't want to be sending false links.
If you need any more information please let me know.
Thank you again.
Kind Regards,
Josh
------------------------------
Joshua Hall
------------------------------
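The Safe Links stripping and the two value rules described in the message above, as an added example that is not part of the original thread and is not IBM's code. The function names and the "URL" type name are assumptions, the sample values are constructed, and reading or writing the artefact inside Resilient is not shown because the thread does not cover it.

```python
from urllib.parse import urlsplit, parse_qs

# Safe Links wrappers are served from regional hosts under this suffix.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def unwrap_safelink(url, max_depth=5):
    """Return the original URL from a Safe Links wrapper, or url unchanged."""
    current = url.strip()
    for _ in range(max_depth):  # bounded, so nested wrappers cannot loop forever
        try:
            parts = urlsplit(current)
            host = (parts.hostname or "").lower()
        except ValueError:
            break  # unparseable input: leave it as it is
        if not host.endswith(SAFELINKS_SUFFIX):
            break  # not a wrapper (includes look-alike hosts)
        # parse_qs percent-decodes the "url" parameter exactly once.
        target = parse_qs(parts.query).get("url", [])
        if not target or urlsplit(target[0]).scheme not in ("http", "https"):
            break  # malformed wrapper: keep it rather than guess
        current = target[0]
    return current


def normalize_artifact(art_type, value):
    """Apply the rules from the message to one (type, value) pair."""
    if art_type == "URL":  # assumed name of the URL artefact type
        return unwrap_safelink(value)
    if art_type == "Email Sender" and "gmail.com" in value.lower():
        return "Suspicious Gmail"
    if "IPO" in value:
        return "IPO"
    return value


# Constructed sample artefacts (not taken from the thread's screenshot).
SAMPLES = [
    ("URL", "https://nam02.safelinks.protection.outlook.com/?url="
            "https%3A%2F%2Fexample.com%2Flogin%3Fid%3D1%26x%3D2"
            "&data=04%7C01%7Cconstructed&sdata=constructed&reserved=0"),
    ("Email Sender", "someone@gmail.com"),
    ("Email Subject", "IPO announcement (constructed)"),
]

if __name__ == "__main__":
    for art_type, value in SAMPLES:
        print(art_type, "->", normalize_artifact(art_type, value))
```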
Original Message:
Sent: Tue March 09, 2021 07:07 AM
From: Ben Lurie
Subject: Can you append existing artefacts via Python?
Can you elaborate on the use case you are trying to achieve? I'm not sure what it means to append to existing artifacts.
Ben
------------------------------
Ben Lurie
Original Message:
Sent: Mon March 08, 2021 10:07 AM
From: Joshua Hall
Subject: Can you append existing artefacts via Python?
Hi All,
Does anyone know of any way to append already existing artefacts via Python scripts?
I can't seem to find any information or documentation regarding this topic.
Kind Regards,
Josh
------------------------------
Joshua Hall
------------------------------