IBM Security SOAR


Menu Item Rules for Multiple Artifacts instead of one by one

  • 1.  Menu Item Rules for Multiple Artifacts instead of one by one

    Posted 13 days ago

    We are using Resilient V40.1. We have more than 1500 artifacts which belong to different IP addresses, ranges, segments, etc.

    When we execute an action/workflow like blocking an IP address on a firewall, we need to do it for each and every IP address one by one using menu item rules.

    We do not want to create automatic rules; our team needs to validate the IP address/IoC based on threat intelligence lookups.

    Is there any way to select multiple IP addresses and execute the menu item rules at one time for the selected 100 IP addresses, so it will work in a loop? Or is there any other way to achieve this?



    ------------------------------
    Sunil I B
    ------------------------------


  • 2.  RE: Menu Item Rules for Multiple Artifacts instead of one by one

    Posted 13 days ago
    Hi Sunil,

    There's an RFE open about this idea here: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-455

    This is definitely a feature our team would love to see implemented too.

    One idea that I have is that you could create some kind of flag field, something like 'Do the IP addresses in this incident need to be blocked by the Firewall?', and include it within a task in the incident. Then you could make an automatic rule that would have the condition 'when the field above is set to True' run a workflow that blocks the IP addresses in the firewall. The analysts would need to be trained that the question should only be answered after the IOCs have been validated. Not going to be helpful with any of the IP addresses / IOCs you have stacked up, but it could help in the future!

    ------------------------------
    Liam Mahoney
    ------------------------------
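A sketch of the validation-gated batch workflow described in the reply above, added here as an example that is not part of the thread and not IBM's own SOAR code: it stands in for the workflow's function logic (the automatic rule's flag condition, then one pass over every IP artifact instead of a menu item rule per artifact). The custom field name, the artifact type names and the incident/artifact dictionary shapes are all assumptions.

```python
import ipaddress

# Assumed (hypothetical) custom incident field: analysts set it only after IoC validation.
FLAG_FIELD = "ips_validated_block_on_firewall"
# Assumed artifact type names; adjust to the ones configured in your SOAR instance.
IP_ARTIFACT_TYPES = {"IP Address", "Network CIDR Range"}
# Internal/special ranges that must never be pushed to the perimeter firewall.
NEVER_BLOCK = [ipaddress.ip_network(c) for c in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(net) -> bool:
    """True for loopback, link-local, multicast and RFC 1918 / ULA space."""
    if net.is_loopback or net.is_link_local or net.is_multicast:
        return True
    return any(net.version == n.version and net.subnet_of(n) for n in NEVER_BLOCK)


def select_blockable_networks(incident: dict, artifacts: list) -> list:
    """Collapsed, deduplicated CIDRs to block; [] while the gate field is unset."""
    if not incident.get("properties", {}).get(FLAG_FIELD):
        return []  # automatic rule condition not met: analyst has not validated yet
    nets = set()
    for art in artifacts:
        if art.get("type") not in IP_ARTIFACT_TYPES:
            continue
        try:
            net = ipaddress.ip_network(str(art.get("value", "")).strip(), strict=False)
        except ValueError:
            continue  # malformed value: leave it for manual review, do not abort the batch
        if not is_internal(net):
            nets.add(net)
    result = []
    for version in (4, 6):  # collapse_addresses cannot mix address families
        same = [n for n in nets if n.version == version]
        result.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return result


def batches(items: list, size: int = 100) -> list:
    """Split the block list into firewall-sized batches (one API call per batch)."""
    return [items[i:i + size] for i in range(0, len(items), size)]


# Constructed sample incident: the analyst has flipped the gate field after validation.
SAMPLE_INCIDENT = {"id": 2001, "properties": {FLAG_FIELD: True}}
SAMPLE_ARTIFACTS = [
    {"type": "IP Address", "value": "203.0.113.10"},
    {"type": "IP Address", "value": "203.0.113.10 "},           # duplicate with whitespace
    {"type": "Network CIDR Range", "value": "203.0.113.0/24"},  # subsumes the host above
    {"type": "IP Address", "value": "198.51.100.7"},
    {"type": "IP Address", "value": "10.0.0.5"},                # internal, skipped
    {"type": "IP Address", "value": "not-an-ip"},               # malformed, skipped
    {"type": "DNS Name", "value": "example.test"},              # wrong type, skipped
    {"type": "IP Address", "value": "2001:db8::1"},
]

if __name__ == "__main__":
    for chunk in batches(select_blockable_networks(SAMPLE_INCIDENT, SAMPLE_ARTIFACTS)):
        print("block batch:", chunk)
```

In a real deployment the loop body would call the firewall's API once per batch and post a note back to the incident, and the gate field would be reset so the rule cannot fire twice on the same set.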



  • 3.  RE: Menu Item Rules for Multiple Artifacts instead of one by one

    Posted 12 days ago
    Hi Liam Mahoney,

    Thanks for the response. In the meantime, is any other alternative or workaround approach available?




    ------------------------------
    Sunil I B
    ------------------------------