IBM Security QRadar SOAR

  • 1.  Help with Use Case Updating a Data Table

    Posted Wed November 11, 2020 04:25 PM
    I have a use case which leverages fn_qradar_integration to dump data from an artifact into a data table; it seems I could also store that data in an output to use downstream. I can output the data to a data table fine, but I'd like to see if someone is familiar with how to take the output into a downstream function (fn_utilities | shell command) input parameter, which then updates my data table rows with the results.

    Ideal Workflow:
    1) Function (fn_qradar_integration) collects data from a QRadar query and stores values to output and creates a data table.

    Example of what is returned:
    Result: {'events': [{u'Cyber_Detection_ID': '8179f649-c73a-4ee0-8710-5c2b856cf86a'}, {u'Cyber_Detection_ID': 'd4786850-7db1-44ac-80a2-8ed6abde8b11'}, {u'Cyber_Detection_ID': 'a2329d38-e500-4fbd-85da-a6ef71013da0'}, {u'Cyber_Detection_ID': '99bf9791-96d6-4488-965e-68add4ad35d9'}, {u'Cyber_Detection_ID': '0a8c0d1d-9028-4032-8bfb-bb28b87fb232'}, {u'Cyber_Detection_ID': '55429e87-4750-43b7-9000-43e727414996'}]}

    2) Downstream function (fn_utilities | Shell Command) uses an output from the first function and passes as input(s) for shell_param1.
    3) Post-process for my 2nd function referenced above would then take the results and update the data table rows for unpopulated fields that have the Cyber_Detection_ID (data returned from first function).

    I'm open to other ideas on doing this which might be more efficient, but I'm looking to avoid adding them as artifacts, so if they are added as notes, that's fine. I'm just not sure how to do it. It seems that the Data Table Helper function may help, but I thought I'd ask here first. Thanks!

    ------------------------------
    Mr Coco
    ------------------------------


  • 2.  RE: Help with Use Case Updating a Data Table

    Posted Thu November 12, 2020 04:56 AM
    If both functions are contained within the same workflow, you could try using workflow.properties to store data that will be accessible downstream.
    https://www.ibm.com/support/knowledgecenter/SSBRUQ_38.0.0/doc/playbook/resilient_playbook_configwrkflows_functions_postprocess.html

    The post process script for fn_qradar_integration would add the results as a dictionary similar to this:
    workflow.addProperty('resultOfFunction1', {
      'events': [
        {'Cyber_Detection_ID': '8179f649-c73a-4ee0-8710-5c2b856cf86a'},
        {'Cyber_Detection_ID': '55429e87-4750-43b7-9000-43e727414996'}
      ]
    })

    Any downstream script can access the stored properties like so:
    events = workflow.properties['resultOfFunction1']['events']
    


    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 3.  RE: Help with Use Case Updating a Data Table

    Posted Thu November 12, 2020 08:35 AM
    1) The original function (fn_qradar_integration) collects data from a QRadar query, stores the values to its output and creates a data table; I will have one row for each result, like: Cyber_Detection_ID   |    8179f649-c73a-4ee0-8710-5c2b856cf86a    |   Output results to be populated later
    2) Another rule, triggered when a line is added into this "Cyber Detection table", will launch the Shell Command with the Cyber detection ID to run.
    If there are 5 rows, then the shell is launched 5 times!
    The result of the shell populates the 3rd column with the expected result, or creates a new artifact, or deletes the row if needed.



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 4.  RE: Help with Use Case Updating a Data Table

    Posted Thu November 12, 2020 09:53 AM
    Thanks gentlemen for the quick response. Benoit or Sean, if I was to do this with my 2nd rule being a data table rule how do I tell the Post-process to update existing rows? I'm not really seeing how to connect that piece. I can get my output into a new data table row but not matched up to the row where Cyber_Detection_ID exists.

    ------------------------------
    Mr Coco
    ------------------------------



  • 5.  RE: Help with Use Case Updating a Data Table

    Posted Thu November 12, 2020 10:41 AM
    You are making the WF call from a row in a table.
    So the workflow always knows where you are.
    At any time, the post process or any script called by this workflow knows which row you are on.

    You can just change a value like below:
    row['remediation_state'] = 'Remediated'
    incident.addNote("From Ticketing system: the system ID: " + str(row['system_id']) + " from user " + str(row['owner']) +" has been set to " + str(row['remediation_state']))

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 6.  RE: Help with Use Case Updating a Data Table

    Posted Thu November 12, 2020 11:55 AM
    Edited by Mr Coco Thu November 12, 2020 11:57 AM
    Thanks Benoit!

    The row['columnname'] was exactly what I needed. I haven't done a lot of data table workflows so that was the missing link for me. Good idea on the remediation state as this will also help me track when something has been checked / updated.

    My fix was to just add:
    row['columnname'] = 'Checked'
    row['usecasecolumnname'] = str(results.stdout)

    Thanks again. This community is fantastic!!!


    ------------------------------
    Mr Coco
    ------------------------------
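The handoff the thread works out (function result in post 1, stored for downstream use in post 2, one row per Cyber_Detection_ID in post 3, the matching row filled in by the post-process in posts 5 and 6) as an added plain-Python example; it is not code from the thread or from the SOAR product, and models the data table as a list of dicts with assumed column names `cyber_detection_id`, `state` and `usecase_output`. It also adds the check a practitioner wants before a QRadar-sourced value is passed to fn_utilities as shell_param1: only well-formed UUIDs are accepted, so an unexpected value from an event can never reach the shell.

```python
import re
import shlex

# Constructed sample in the shape fn_qradar_integration returned in post 1
# (two IDs from the thread, one duplicate, one constructed non-UUID value).
SAMPLE_RESULT = {
    "events": [
        {"Cyber_Detection_ID": "8179f649-c73a-4ee0-8710-5c2b856cf86a"},
        {"Cyber_Detection_ID": "55429e87-4750-43b7-9000-43e727414996"},
        {"Cyber_Detection_ID": "8179f649-c73a-4ee0-8710-5c2b856cf86a"},
        {"Cyber_Detection_ID": "not-a-uuid"},
    ]
}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def extract_detection_ids(result):
    """Unique Cyber_Detection_ID values in first-seen order; anything that
    is not a UUID is dropped rather than forwarded to a shell command."""
    ids = []
    for event in result.get("events", []):
        value = str(event.get("Cyber_Detection_ID", "")).strip().lower()
        if UUID_RE.match(value) and value not in ids:
            ids.append(value)
    return ids


def build_table_rows(result):
    """One data table row per detection ID, result columns left empty
    (the rows the post-process of function 1 would create)."""
    return [{"cyber_detection_id": did, "state": "", "usecase_output": ""}
            for did in extract_detection_ids(result)]


def shell_param_for(detection_id):
    """Value to hand to shell_param1: re-validated and shell-quoted."""
    if not UUID_RE.match(detection_id):
        raise ValueError("refusing non-UUID detection id: %r" % detection_id)
    return shlex.quote(detection_id)


def update_row(rows, detection_id, stdout):
    """Post-process of the shell command (posts 5/6): fill the still
    unpopulated row that carries this ID. Returns it, or None if none."""
    for row in rows:
        if row["cyber_detection_id"] == detection_id and row["state"] == "":
            row["state"] = "Checked"
            row["usecase_output"] = str(stdout)
            return row
    return None
```

In a real data table rule the `row` object is already the current row, as Benoit notes, so only the assignment part of `update_row` is needed there; the lookup is what you need when the update runs from a workflow that is not started from a row.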