Excellent question; I did not find where I could get either.
A long time ago, I used the SEARCH integration from Utility Functions for SOAR.
The idea was to look for other incidents that had the same artifact, and from that "do something".
Preprocess was:
Resilient Search Template =
{
  "types": ["artifact"],
  "filters": {
    "incident": [{
      "conditions": [{"field_name": "plan_status", "method": "in", "value": ["A"]}]
    }]
  }
}
Preprocess was:
# Search for other occurrences of the same file attachment in Resilient.
# The search template determines the type(s) of object to search, and the filter conditions.
# This can be used to search within a specific incident field, or to search only incidents that meet other criteria.
# Refer to SearchExInputDTO in the REST API documentation for additional details of this data structure.
# The search query can be a simple string.
inputs.resilient_search_query = artifact.value
Post-process was there to de-duplicate artifacts (before this feature was incorporated by default in SOAR):
# Search results include "results", which is a list of the search hits.
# There might be lots of results!
# In this example we add a note with information about each result.
# for Debug only
##result_info = []
##result_info.append(u"<h4> Original info: Incident {} | Artifact Type: {} | Artifact ID: {}| Artifact Value: {}</h4>".format(incident.id, artifact.type, artifact.id, artifact.value))
duplicate = False
# incident.addNote(str(artifact.description))
for result in results.results:
    # for Debug only - beware of indentation
    # link = u'<a href="https:///#incidents/{}">{}</a>'.format(result.inc_id, result.inc_name)
    # result_info.append(u"<p>{} - {}</p>".format(link, result.obj_name))
    # best output:
    ## result_info.append(u"<p> in details: Incident {} | Artifact Type: {} | Artifact ID: {} | Artifact Value: {}</p>".format(result.inc_id, result.result.type.name, result.result.id, unicode(result.result.value)))
    # too global output:
    # result_info.append(u"<p> result.result {} </p>".format(result.result))
    # A hit is a duplicate when it is in the same incident, has the same type and value,
    # and has a lower (older) artifact ID than the current artifact.
    if incident.id == result.inc_id and artifact.type == result.result.type.name and artifact.value == result.result.value and artifact.id > result.result.id:
        # for Debug only
        # result_info.append(u"<p> ==> Should be Deleted for duplicate artifact</p>")
        low_text = "Current Artifact ID {} is a duplicate of Artifact ID {} and should be DELETED FOR DUPLICATE".format(artifact.id, result.result.id)
        ## result_info.append(u"<p> Current Artifact ID {} is a duplicate of Artifact ID {} and should be DELETED FOR DUPLICATE</p>".format(artifact.id, result.result.id))
        # Only the first duplicate found updates the description.
        if not duplicate:
            duplicate = True
            if artifact.description is None:
                artifact.description = "{}".format(low_text)
            else:
                artifact.description = "{} \n {}".format(artifact.description["content"], low_text)
# for Debug only
##if len(result_info)==0:
##    html = "<div>No results</div>"
##else:
##    html = u"<div>{}</div>".format("".join(result_info))
# for Debug only
# uncomment the following to see the results of the search in
# Careful: this note can be HUGE with everything from the Resilient database!!!
##incident.addNote(helper.createRichText(html))
#incident.addNote(str(results))
# for next step, add in a table before artifact deletion - currently done by in-product scripting
#dt = incident.addRow("deleted_artifacts")
#dt.artifact_id = artifact.id
#dt.type = artifact.type
#dt.value = artifact.value
#dt.description = artifact.description
#dt.comments = "{}".format(low_text)
With that you could do what is requested.
------------------------------
BENOIT ROSTAGNI
------------------------------
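As an added example (not code from the original post or from the Utility Functions package), the decision logic of the post-process script above, rewritten as a plain Python function over the Search result shape the script reads (result.inc_id, result.result.id, result.result.type.name, result.result.value). It also generalizes it to the original question: hits from other incidents with the same artifact are collected as "related incidents". The namedtuple stand-ins and the sample hits are constructed here for offline testing.

```python
from collections import namedtuple

# Stand-ins for the objects the SOAR script engine exposes (constructed, not the real classes).
ArtifactType = namedtuple("ArtifactType", "name")
Hit = namedtuple("Hit", "id type value")                 # result.result in the script
SearchResult = namedtuple("SearchResult", "inc_id inc_name result")
Artifact = namedtuple("Artifact", "id type value")       # artifact.type is the type name string


def classify_hits(incident_id, artifact, hits):
    """Return (duplicate_of, related_incidents) for the current artifact.

    duplicate_of      - id of the oldest artifact in the SAME incident with the same
                        type and value (None if none); the post-process script's condition.
    related_incidents - sorted ids of OTHER active incidents holding the same artifact,
                        which a "has related incidents" decision can key on.
    """
    duplicate_of = None
    related = set()
    for hit in hits:
        if hit.result.type.name != artifact.type or hit.result.value != artifact.value:
            continue  # different artifact; the free-text search can return near misses
        if hit.inc_id == incident_id:
            # Only an OLDER copy (lower id) makes the current artifact the duplicate.
            if hit.result.id < artifact.id and (duplicate_of is None or hit.result.id < duplicate_of):
                duplicate_of = hit.result.id
        else:
            related.add(hit.inc_id)
    return duplicate_of, sorted(related)


def duplicate_message(artifact_id, original_id):
    """Same wording as the script's low_text, so it can go into the description or a table row."""
    return ("Current Artifact ID {} is a duplicate of Artifact ID {} "
            "and should be DELETED FOR DUPLICATE".format(artifact_id, original_id))


# Constructed sample: artifact 305 in incident 2001; the search returned the artifact itself,
# an older copy in the same incident, a hit in another incident, and two non-matching hits.
IP = ArtifactType("IP Address")
CURRENT = Artifact(id=305, type="IP Address", value="203.0.113.7")
SAMPLE_HITS = [
    SearchResult(2001, "Phishing wave", Hit(305, IP, "203.0.113.7")),             # itself
    SearchResult(2001, "Phishing wave", Hit(298, IP, "203.0.113.7")),             # older duplicate
    SearchResult(1987, "Earlier case", Hit(120, IP, "203.0.113.7")),              # related incident
    SearchResult(2010, "Other case", Hit(400, IP, "198.51.100.9")),               # different value
    SearchResult(1950, "Old case", Hit(77, ArtifactType("DNS Name"), "203.0.113.7")),  # different type
]

if __name__ == "__main__":
    dup, related = classify_hits(2001, CURRENT, SAMPLE_HITS)
    print(duplicate_message(CURRENT.id, dup) if dup else "not a duplicate", related)
```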
Original Message:
Sent: Tue September 21, 2021 07:32 AM
From: Fredrik Döring
Subject: Interacting with related incidents in Resilient/SOAR
Hi all!
My customer is using Resilient and is having difficulties building an incident rule that triggers on the presence (or absence) of related incidents.
For example:
"If an incident has related incidents, add task A to the incident"
"If an incident has no related incidents, add task B to the incident"
They have tried to use both rules and scripts to accomplish this, but according to them, it seems there are no rule trigger conditions for related incidents, nor any way of interacting with the related incidents of an incident via the script engine. Is that true, or is there a function to make this work?
Many thanks!
------------------------------
Fredrik
------------------------------