IBM Security QRadar SOAR

  • 1.  Resilient customizations - Have you seen these before?

    Posted Thu October 15, 2020 12:38 PM
    I am looking to add some functionality into resilient for:

    1. Highest rating – store the highest rating recorded for the rating field
    2. Searching artifacts through api call without calling incidents specifically
    3. Tag artifacts with threat rating, confidence, and threat actor
    4. New incident creation - ldap lookup user based on username while entering the case in resilient

    Has anyone come across these requests before? How did you handle them within resilient?

    ------------------------------
    Mohammad Anwar
    ------------------------------


  • 2.  RE: Resilient customizations - Have you seen these before?

    Posted Tue October 27, 2020 01:14 PM
    Hi Mohammed
    Apologies for the delay in getting back to you.
    I have reached out to our development team for some guidance.

    ------------------------------
    John Quirke
    ------------------------------



  • 3.  RE: Resilient customizations - Have you seen these before?

    Posted Thu November 12, 2020 09:53 AM
    Please find below some responses to your request.
    Highest rating – store the highest rating recorded for the rating field
    It is a question of multiple rules and a script to do the logic. I have done an example using this TLP (Traffic Light Protocol) template Green > White > Amber > Red.
    Attached is a config file example and the doc that explains how to use it.

    Searching artifacts through api call without calling incidents specifically
    I did use the fn_utilities : Utilities Resilient Search functions and workflow to achieve that.
    Some hints for you:
    resilient_search_template
    {
        "types": ["artifact"],
        "filters": {
            "incident": [{
                "conditions": [{"field_name": "plan_status", "method": "in", "value": ["A"]}]
            }]
        }
    }
    Pre-process script: inputs.resilient_search_query = artifact.value

    Post Process:
    NOTE: this function will give you access to ALL incidents, even if you are not a member of the incident, as it is run with the user/API key of the integration server/app host. So the result may show incidents the user has no access to.
    NOTE 2: the result can be VERY BIG. Be sure you filter the result to show just what is expected.
    Example of my filter in post process, looking for duplicate artifact (before it was added as default check in Resilient v37):
    duplicate = False
    for result in results.results:
        # same incident, same artifact type and value, and an earlier (lower) artifact id
        if incident.id == result.inc_id and artifact.type == result.result.type.name and artifact.value == result.result.value and artifact.id > result.result.id:
            low_text = "Current Artifact ID {} is a duplicate of Artifact ID {} and should be DELETED FOR DUPLICATE".format(artifact.id, result.result.id)
            # only annotate the description once, for the first duplicate found
            if not duplicate:
                duplicate = True
                if artifact.description is None:
                    artifact.description = "{}".format(low_text)
                else:
                    artifact.description = "{} \n {}".format(artifact.description["content"], low_text)
    below my complete code with debug part:


    Tag artifacts with threat rating, confidence, and threat actor
    Currently (until v39), you can just add that information in the artifact description JSON field, and look into it with a "contains" rule, like the example in the TLP attached.
    Custom artifact fields and artifact tagging will be introduced starting v39. Stay tuned for new features.

    New incident creation - ldap lookup user based on username while entering the case in resilient
    Classic LDAP lookup rule => workflow automation

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
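    An added example, not part of the post above, of the post-process filtering that the second note asks for: because the search function runs with the integration server's API key, results span every incident, so the script scopes them to the current incident before checking for duplicate artifacts. The field names (inc_id, result.type.name, result.value, result.id) follow the post's script; the dict-based sample data is constructed.

```python
# Added example (not from the post): scope Resilient search results to the
# current incident, then find earlier artifacts that the current one duplicates.
# Results are plain dicts mirroring the field names used in the post's script.

def duplicate_artifact_ids(incident_id, artifact, search_results):
    """Return ids of artifacts that `artifact` duplicates: same incident,
    same type name, same value, and a lower id (created before this one)."""
    dupes = []
    for result in search_results:
        # The search runs as the integration user and returns hits from
        # every incident it can read, so drop other incidents first.
        if result["inc_id"] != incident_id:
            continue
        found = result["result"]
        if (found["type"]["name"] == artifact["type"]
                and found["value"] == artifact["value"]
                and found["id"] < artifact["id"]):
            dupes.append(found["id"])
    return sorted(dupes)


def annotate_description(description, artifact_id, duplicate_ids):
    """Build the description text the post's script writes, appending to
    existing rich-text content (a dict with a 'content' key) if present."""
    if not duplicate_ids:
        return description
    note = ("Current Artifact ID {} is a duplicate of Artifact ID {} and "
            "should be DELETED FOR DUPLICATE").format(artifact_id, duplicate_ids[0])
    if description is None:
        return note
    return "{} \n {}".format(description["content"], note)


# Constructed sample: artifact 30 in incident 2001, plus search hits from
# the same incident (one older duplicate, the artifact itself, a different
# type) and from an unrelated incident the user may not even be able to see.
ARTIFACT = {"id": 30, "type": "IP Address", "value": "203.0.113.5", "description": None}
RESULTS = [
    {"inc_id": 2001, "result": {"id": 12, "type": {"name": "IP Address"}, "value": "203.0.113.5"}},
    {"inc_id": 2001, "result": {"id": 30, "type": {"name": "IP Address"}, "value": "203.0.113.5"}},
    {"inc_id": 2001, "result": {"id": 18, "type": {"name": "DNS Name"}, "value": "203.0.113.5"}},
    {"inc_id": 3005, "result": {"id": 7, "type": {"name": "IP Address"}, "value": "203.0.113.5"}},
]

if __name__ == "__main__":
    dupes = duplicate_artifact_ids(2001, ARTIFACT, RESULTS)
    print(dupes)
    print(annotate_description(ARTIFACT["description"], ARTIFACT["id"], dupes))
```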
