IBM Security QRadar SOAR

  • 1.  Can you append existing artefacts via Python?

    Posted Mon March 08, 2021 10:07 AM
    Hi All,

    Does anyone know of any way to append already existing artefacts via Python scripts?

    I can't seem to find any information or documentation regarding this topic.

    Kind Regards,
    Josh

    ------------------------------
    Joshua Hall
    ------------------------------


  • 2.  RE: Can you append existing artefacts via Python?

    Posted Tue March 09, 2021 07:07 AM
    Can you elaborate on the use case you are trying to achieve? I'm not sure what it means to append to existing artifacts.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Can you append existing artefacts via Python?

    Posted Tue March 09, 2021 11:40 AM
    Hi Ben,

    Thank you for engaging with this question.

    We are currently using Resilient as a Phishing platform, any emails that are reported are automatically forwarded to Resilient and an incident is created with relevant artefacts.

    If you take a look at the image below (apologies for the red squiggles removing data). This is what is created.


    For example, in the "Value" tab one of the entries is "IPO ...". Is there a way, utilizing Python scripting, to go "If Value contains "IPO" then Value = "IPO""?
    Another theoretical example might be "If Value contains "gmail.com" & Type = Email Sender" then Value = "Suspicious Gmail".

    I believe I may be explaining this incorrectly however it seems like there should be a function or method to change these? Even if it is not possible to change them is there a way to access the values and create a new artefact from them?

    The main problem is that we use Microsoft ATP, which wraps the URLs in a safelink. It's a simple process to strip the URL down; however, I can't seem to find a way to get the data in the first place (such as in a variable or array). We have third-party modules installed into Resilient (like X-Force) that scan the URLs and return a simple severity value; however, we don't want to be sending false links.

    If you need any more information please let me know.

    Thank you again.
    Kind Regards,
    Josh


    ------------------------------
    Joshua Hall
    ------------------------------



  • 4.  RE: Can you append existing artefacts via Python?

    Posted Tue March 09, 2021 12:00 PM
    Hi Josh - First, I hope Ben will not be offended if I offer a comment - no disrespect is intended.

    I suggest that by the time you have an Incident populated with Artifacts, it is too late to modify those Artifacts. The best option might well be to intervene before the Artifacts are created to alter values at that point.
    However, that may not be possible if the processing that you describe as automatic is not open to modification. However, by using the Resilient RESTful API and initiating processing on Artifact creation, it would be entirely feasible to obtain Type and Value, determine if certain values are present and create new Artifacts where appropriate. Note that you might need to take steps so that these new Artifacts do not initiate the same process of review and Artifact creation, for fear of a cascade!

    Are you aware that the full Resilient API is documented online, within every Resilient installation?  Check out https://<your server>/docs/rest-api/index.html and look out for the ArtifactREST and IncidentArtifactREST sections.

    I hope this helps.

    Best regards -

    ------------------------------
    Edwin Bolton
    ------------------------------



  • 5.  RE: Can you append existing artefacts via Python?

    Posted Tue March 09, 2021 12:38 PM
    Hi Edwin,

    Many thanks for the response.

    Apparently the REST API documentation has completely flown over my head despite searching through different search engines multiple times.

    Just quickly scanning it, it seems to hold more or less what I'm looking for. I'll take a look over it and try to implement the solution.

    Thanks again!

    Kind Regards,
    Josh

    ------------------------------
    Joshua Hall
    ------------------------------



  • 6.  RE: Can you append existing artefacts via Python?

    Posted Tue March 09, 2021 12:54 PM
    As Edwin has indicated it is not possible to change the value of existing artifacts. You can certainly create new artifacts from them and delete the existing ones. The best way to do that may depend on your process flow.

    It is possible to create new artifacts using in-product scripting: incident.addArtifact(). But it wouldn't be possible to delete existing artifacts using an in-product script. You would have to use the Resilient API to do that. You can use the Resilient API by building your own App or an external program.

    It looks like you are using the inbound email feature with the inbound email script to process them? If so, you could change the email parsing script to generate the correct artifacts from the get go.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 7.  RE: Can you append existing artefacts via Python?

    Posted Wed March 10, 2021 04:56 AM
    Just fyi to reduce duplication of artifacts, when a user adds an artifact that is the same type and value as an existing artifact, the artifact is updated and the description is appended to the existing one.

    ------------------------------
    Leo Kuo
    ------------------------------
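The thread settles on generating the right artifacts up front (Ben's suggestion of changing the email parsing script) rather than editing them afterwards, and Leo notes that an artifact with the same type and value as an existing one is merged rather than duplicated. The following is an added example, not code from the original posts or from IBM's Resilient/QRadar SOAR product: it is plain Python that takes the artifact type/value pairs an email parser would extract, unwraps Microsoft Safe Links wrappers (the real `safelinks.protection.outlook.com` format, where the original URL sits in the `url` query parameter), applies Josh's two substring rules, keeps the original value in the description so no evidence is lost, and merges duplicates by (type, value) the way Leo describes. The rule table, the artifact type names ("URL", "Email Sender", "String") and the sample artifacts are constructed assumptions; the output dicts are what you would then hand to `incident.addArtifact()` or to the artifact REST endpoint, which this example does not call.

```python
from urllib.parse import urlparse, parse_qs

# Host suffix used by Microsoft ATP / Defender Safe Links wrapped URLs.
SAFELINK_HOST_SUFFIX = "safelinks.protection.outlook.com"

# Constructed rule table mirroring the two examples in the thread:
# (artifact type to match, or None for any type; substring to look for; replacement value).
# Matching is case-sensitive, as the thread's "contains" examples are written.
RULES = [
    ("Email Sender", "gmail.com", "Suspicious Gmail"),
    (None, "IPO", "IPO"),
]


def unwrap_safelink(url: str, max_depth: int = 5) -> str:
    """Return the original URL inside a Safe Links wrapper.

    A URL that is not a Safe Links wrapper is returned unchanged. Nested
    wrapping (a wrapped link forwarded and wrapped again) is unwrapped up to
    max_depth times. A wrapper with no 'url' parameter is kept as-is rather
    than silently dropped, so a malformed link still shows up for review.
    """
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        if not host.endswith(SAFELINK_HOST_SUFFIX):
            return current
        inner = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes the value
        if not inner:
            return current
        current = inner[0]
    return current


def normalise_artifact(artifact: dict) -> dict:
    """Apply safelink unwrapping and the rule table to one {type, value} artifact."""
    a_type, original = artifact["type"], artifact["value"]
    value = unwrap_safelink(original) if a_type == "URL" else original
    for rule_type, needle, replacement in RULES:
        if (rule_type is None or rule_type == a_type) and needle in value:
            value = replacement
            break  # first matching rule wins
    description = artifact.get("description", "")
    if value != original:
        # Keep the raw value as evidence instead of discarding it.
        note = f"original value: {original}"
        description = f"{description}; {note}" if description else note
    return {"type": a_type, "value": value, "description": description}


def normalise_artifacts(artifacts: list) -> list:
    """Normalise a batch and merge duplicates by (type, value), appending descriptions."""
    merged = {}
    for art in artifacts:
        norm = normalise_artifact(art)
        key = (norm["type"], norm["value"])
        if key in merged:
            existing = merged[key]
            if norm["description"] and norm["description"] not in existing["description"]:
                existing["description"] = (
                    f"{existing['description']}; {norm['description']}"
                    if existing["description"] else norm["description"]
                )
        else:
            merged[key] = norm
    return list(merged.values())


# Constructed sample input, as an email parser might produce it.
SAMPLE_ARTIFACTS = [
    {"type": "URL", "value": "https://nam01.safelinks.protection.outlook.com/"
                             "?url=https%3A%2F%2Fexample.com%2Flogin%3Fid%3D1&data=abc&reserved=0"},
    {"type": "URL", "value": "https://example.com/login?id=1"},          # same link, unwrapped
    {"type": "Email Sender", "value": "someone@gmail.com"},
    {"type": "String", "value": "IPO Q1 notice"},
    {"type": "URL", "value": "https://nam01.safelinks.protection.outlook.com/?data=abc"},  # malformed
]


def demo() -> list:
    return normalise_artifacts(SAMPLE_ARTIFACTS)


if __name__ == "__main__":
    for art in demo():
        print(art)
```

Run it directly to see the four resulting artifacts: the two URL entries collapse into one `https://example.com/login?id=1` whose description records the wrapped form, the Gmail sender and the IPO string are rewritten with their originals preserved, and the malformed wrapper is passed through untouched so it is not lost. Where this logic lives in the inbound email script, the raw values never reach the incident, which avoids Edwin's cascade concern about re-triggering artifact processing.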