IBM Security QRadar SOAR

  • 1.  Interacting with related incidents in Resilient/SOAR

    Posted Tue September 21, 2021 09:25 AM
    Hi all!

    My customer is using Resilient and is having difficulties in building an incident rule that triggers on the presence (or absence) of related incidents.
    For example:
    "If an incident has related incidents, add task A to the incident"
    "If an incident has no related incidents, add task B to the incident"

    They have tried to use both rules and scripts to accomplish this, but according to them it seems there are no rule trigger conditions for related incidents nor any way of interacting with the related incidents of an incident via the script engine. Is that true, or is there a function to make this work?

    Many thanks!

    ------------------------------
    Fredrik
    ------------------------------


  • 2.  RE: Interacting with related incidents in Resilient/SOAR

    Posted Tue September 21, 2021 10:58 AM

    Excellent question, I did not find where I could get either.
    A long time ago I did use the integration SEARCH from Utility Functions for SOAR;
    the idea was to look for other incidents that had the same artifact, and from that "do something".

    Preprocess was:
    Resilient Search Template =
    {
        "types": ["artifact"],
        "filters": {
            "incident": [{
                "conditions": [{"field_name": "plan_status", "method": "in", "value": ["A"]}]
            }]
        }
    }


    Preprocess was:
    # Search for other occurrences of the same file attachment in Resilient.

    # The search template determines the type(s) of object to search, and the filter conditions.
    # This can be used to search within a specific incident field, or to search only incidents that meet other criteria.
    # Refer to SearchExInputDTO in the REST API documentation for additional details of this data structure.

    # The search query can be a simple string.
    inputs.resilient_search_query = artifact.value


    Post process was there to de-duplicate artifacts (before this feature was incorporated by default in SOAR):

    # Search results include "results", which is a list of the search hits.
    # There might be lots of results!

    # In this example we add a note with information about each result.
    # for Debug only
    ##result_info = []
    ##result_info.append(u"<h4> Original info: Incident {} | Artifact Type: {} | Artifact ID: {}| Artifact Value: {}</h4>".format(incident.id, artifact.type, artifact.id, artifact.value))

    duplicate = False
    # incident.addNote(str(artifact.description))

    for result in results.results:
        # for Debug only - beware of indentation
        # link = u'<a href="https:///#incidents/{}">{}</a>'.format(result.inc_id, result.inc_name)
        # result_info.append(u"<p>{} - {}</p>".format(link, result.obj_name))
        # best output:
        ## result_info.append(u"<p> in details: Incident {} | Artifact Type: {} | Artifact ID: {} | Artifact Value: {}</p>".format(result.inc_id, result.result.type.name, result.result.id, unicode(result.result.value)))
        # too global output:
        # result_info.append(u"<p> result.result {} </p>".format(result.result))

        # A hit is a duplicate when it belongs to this same incident, has the same
        # type and value, and was created earlier (lower artifact ID) than the current artifact.
        if incident.id == result.inc_id and artifact.type == result.result.type.name and artifact.value == result.result.value and artifact.id > result.result.id:
            # for Debug only
            # result_info.append(u"<p> ==> Should be Deleted for duplicate artifact</p>")
            low_text = "Current Artifact ID {} is a duplicate of Artifact ID {} and should be DELETED FOR DUPLICATE".format(artifact.id, result.result.id)
            ## result_info.append(u"<p> Current Artifact ID {} is a duplicate of Artifact ID {} and should be DELETED FOR DUPLICATE</p>".format(artifact.id, result.result.id))
            if not duplicate:
                duplicate = True
                # Flag the artifact in its own description; only the first match is recorded
                if artifact.description is None:
                    artifact.description = "{}".format(low_text)
                else:
                    artifact.description = "{} \n {}".format(artifact.description["content"], low_text)

    # for Debug only
    ##if len(result_info)==0:
    ##    html = "<div>No results</div>"
    ##else:
    ##    html = u"<div>{}</div>".format("".join(result_info))

    # for Debug only
    # uncomment the following to see the results of the search in a note
    # Careful: this note can be HUGE with everything from the Resilient database!!!
    ##incident.addNote(helper.createRichText(html))
    #incident.addNote(str(results))

    # for next step, add to a table before artifact deletion - currently done by in-product scripting
    #dt = incident.addRow("deleted_artifacts")
    #dt.artifact_id = artifact.id
    #dt.type = artifact.type
    #dt.value = artifact.value
    #dt.description = artifact.description
    #dt.comments = "{}".format(low_text)

    With that you could do what is requested.



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 3.  RE: Interacting with related incidents in Resilient/SOAR

    Posted Wed September 22, 2021 02:30 AM
    Thank you Benoit! I will show this to my customer, which hopefully will bring them closer to what they want to achieve.

    ------------------------------
    Fredrik Döring
    ------------------------------



  • 4.  RE: Interacting with related incidents in Resilient/SOAR

    Posted Thu September 23, 2021 03:46 AM
    I don't know if there is a function to fulfill their need, but Resilient does provide an API (/orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/related_incidents/query_paged) to query the related incidents for an artifact, so they can create a custom function to call the API and add the task in the post-process script. As Resilient uses artifacts to relate incidents, instead of setting up an incident rule they can set up an artifact rule to execute a workflow with the custom function when an artifact is created.

    ------------------------------
    Gilbert Liao
    ------------------------------
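    As an added illustration (not code from this thread or from IBM), here is the core of such a custom function: it pages through the related_incidents query_paged endpoint named above and applies the task A / task B rule from the original question. The request body ({"start", "length"}) and response shape ({"data", "recordsTotal"}) are assumed from SOAR's other query_paged endpoints, and `post` is any JSON-POST callable (a resilient client's post, or the constructed fake below) so the script runs offline.

```python
"""Count an artifact's related incidents and pick the task to add.
Assumptions (not confirmed by the thread): query_paged accepts
{"start", "length"} and returns {"data": [{"id": ...}, ...], "recordsTotal": N}."""

RELATED_URI = ("/orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}"
               "/related_incidents/query_paged")
PAGE_SIZE = 50


def related_incident_ids(post, org_id, inc_id, artifact_id):
    """Page through the related_incidents query and return the ids of the
    *other* incidents; the queried incident itself is excluded defensively."""
    uri = RELATED_URI.format(org_id=org_id, inc_id=inc_id, artifact_id=artifact_id)
    found, start = [], 0
    while True:
        page = post(uri, {"start": start, "length": PAGE_SIZE})
        rows = page.get("data", [])
        found.extend(row["id"] for row in rows if row["id"] != inc_id)
        start += len(rows)
        # Stop on an empty page, or once recordsTotal says every row was seen
        # (if recordsTotal is absent we stop after the first page).
        if not rows or start >= page.get("recordsTotal", start):
            break
    return found


def task_for(related):
    """Rule from the original question: task A when related incidents exist,
    task B otherwise."""
    return "Task A" if related else "Task B"


# Constructed offline stand-in for the API: three related rows over two pages.
FAKE_PAGES = {
    0: {"recordsTotal": 3, "data": [{"id": 1001}, {"id": 1002}]},
    2: {"recordsTotal": 3, "data": [{"id": 1003}]},
}


def fake_post(uri, body):
    if not uri.startswith("/orgs/201/incidents/1001/artifacts/77/"):
        raise ValueError("unexpected uri: " + uri)
    return FAKE_PAGES.get(body["start"], {"recordsTotal": 3, "data": []})


if __name__ == "__main__":
    rel = related_incident_ids(fake_post, 201, 1001, 77)
    print(rel, task_for(rel))  # [1002, 1003] Task A
```

    In a real workflow the post-process script would then call incident.addTask with the chosen name; the helper only decides which one.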



  • 5.  RE: Interacting with related incidents in Resilient/SOAR

    IBM Champion
    Posted Fri September 24, 2021 06:03 PM
    I have an idea in the Aha idea portal here to improve the query_builder method available within in-product scripting. Feel free to +1 the idea.

    I believe that method would be an excellent spot for related incidents to be queryable. I'll add a comment for that.

    https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-464

    ------------------------------
    Jared Fagel
    Cyber Security Analyst
    ALLETE Inc.
    ------------------------------



  • 6.  RE: Interacting with related incidents in Resilient/SOAR

    Posted Mon September 27, 2021 02:05 AM
    We also have a plan to allow scripts to access an artifact's related incident count, which should be helpful. Hope we can deliver it soon.

    ------------------------------
    Gilbert Liao
    ------------------------------