IBM Security QRadar SOAR

  • 1.  Conditions based on Incident Type

    Posted Tue October 12, 2021 10:10 AM
    I am writing a function where the conditions will be as follows:

    If incident type = malware, then perform X action. How do I get this working? I am unable to get the incident type in Python code / scripts / pre-processing scripts.

    ------------------------------
    Mohsin Ali
    ------------------------------


  • 2.  RE: Conditions based on Incident Type

    Posted Wed October 13, 2021 07:42 AM
    It sounds like you are writing a custom Function? If so, you want to create a Text input field for the function that would have the list of incident types as a string. Then, when the Function is used in a Playbook the function inputs are set using a script.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Conditions based on Incident Type

    Posted Wed October 13, 2021 05:20 PM
    Go to Customization > Fields.
    In the search bar, look for "incident" and select Incident Type.
    You can see the API name used when you run scripts.

    To run your action, go to Customization > Rules > New > Menu item and select the object type you want to run the rule on (incident, artifact...).
    Under Conditions, select the field Incident Type + "has one of" and the types you want, Malware for example;
    then run the script or the workflow you wish.

    If the action is in a script (or use Python list conditions):
    if incident.incident_type_ids == "Malware":

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 4.  RE: Conditions based on Incident Type

    Posted Fri October 15, 2021 02:16 AM
    hello @BENOIT ROSTAGNI

    As you said, we can use the API name of the incident type id, so we tried that but are still facing the same issue. I have attached a screenshot of the script.



    ------------------------------
    Asad Aftab
    ------------------------------



  • 5.  RE: Conditions based on Incident Type

    Posted Fri October 15, 2021 08:42 AM
    The value of incident.incident_type_ids is a list, not a singular value, so using '==' won't work. Use the 'in' keyword instead:

    if 'bentest' in incident.incident_type_ids:

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
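    The point of the two posts above, as an added example that is not code from the thread or from IBM: incident.incident_type_ids is a list of the type labels selected on the incident, so '==' against a single string is always False, while 'in' tests membership. The FakeIncident class, the function names and the comma-separated type list (the text function input suggested in reply 2) are assumptions made for this example; the only thing taken from the thread is that the attribute is a list of labels. Note that the check only looks at the list attached to this incident, so a type that exists in the platform but is not selected on the incident returns False.

```python
"""Added example: testing incident type in a SOAR-style Python script.

`incident.incident_type_ids` is a list of selected type labels (reply 5),
so it must be tested with membership, not equality.
"""
from typing import Iterable, Set, Union


class FakeIncident:
    """Stand-in for the `incident` object a SOAR script receives.

    Constructed for this example (not the real SOAR object); only the
    attribute used here is modelled.
    """

    def __init__(self, incident_type_ids: Iterable[str]):
        self.incident_type_ids = list(incident_type_ids)


def parse_type_list(wanted: Union[str, Iterable[str]]) -> Set[str]:
    """Normalise the wanted types into a case-folded set.

    Accepts either a comma-separated string such as "Malware, Data Loss"
    (the text input field suggested in reply 2) or any iterable of labels.
    Blank entries are dropped.
    """
    if isinstance(wanted, str):
        wanted = wanted.split(",")
    return {w.strip().casefold() for w in wanted if w.strip()}


def has_incident_type(incident, wanted: Union[str, Iterable[str]]) -> bool:
    """True if ANY of the wanted labels is selected on this incident.

    Compares only against incident.incident_type_ids, so a label that is
    valid in the platform but not set on the incident does not match.
    """
    selected = {t.casefold() for t in (incident.incident_type_ids or [])}
    return bool(selected & parse_type_list(wanted))


def naive_check(incident) -> bool:
    """The comparison from reply 3: a list is never == a str, so this is
    always False, even when Malware is selected."""
    return incident.incident_type_ids == "Malware"


if __name__ == "__main__":
    # Constructed sample incident with two types selected.
    inc = FakeIncident(["Malware", "Phishing"])
    print("naive '==' check:", naive_check(inc))                        # False
    print("Malware selected:", has_incident_type(inc, "Malware"))       # True
    print("Data Loss selected:", has_incident_type(inc, "Data Loss"))   # False
    print("any of list:", has_incident_type(inc, "malware, data loss")) # True
```

    In a real script the `incident` object is supplied by the platform, so only has_incident_type (with the wanted list coming from a rule condition or a function input) would be kept; the FakeIncident class exists only to make the example runnable offline.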



  • 6.  RE: Conditions based on Incident Type

    Posted Fri October 15, 2021 09:01 AM

    Oops! Sorry guys, I was too quick when I answered.

    Thanks Ben :)



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 7.  RE: Conditions based on Incident Type

    Posted Fri October 13, 2023 11:08 AM

    The problem I am having is that the condition always evaluates to true. Even if the incident type is Malware and I set a condition to run if the incident type is Data Loss, it will always run because Data Loss is a valid member of incident.incident_type_ids even if it is not set as the incident type.



    ------------------------------
    Rene McQuick
    ------------------------------