
Resilient Scripting (Incident Script) - validating current artifact values

  • 1.  Resilient Scripting (Incident Script) - validating current artifact values

    Posted Mon February 18, 2019 04:13 PM
    Edited by Austin Thomas Mon February 18, 2019 05:49 PM
    Hello,

    I am working on some automation to automatically populate artifacts based on content found in the description of the Resilient incident. I am looking for help understanding whether there is a way to run an API call from my script to check the values of existing artifacts before I add an artifact. I want to prevent artifacts from being added if an artifact with that value already exists (not the artifact name or description, but the value).

    Basically, is there a way for me to make a function call to grab whatever current artifacts (what I assume is a list/tuple) are in the case that the script is running against?

    Thanks.

    ------------------------------
    Austin Thomas
    ------------------------------


  • 2.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted Tue February 26, 2019 09:02 AM
    Hi Austin,

    So in the in-product scripting editor, there is currently no way to do this. There is an RFE open on this point however, so please feel free to upvote it to see it in Resilient sooner: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-194

    If you're talking about making a call from the implementation code of a function, then there is an incident artifact REST endpoint that you should be able to use for that. See usage details in the interactive REST API: http://<your-server>/docs/rest-api/ui/index.html#/IncidentArtifactREST

    Hope this helps.
    Paul.

    ------------------------------
    PAUL CURRAN
    ------------------------------



  • 3.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted Tue February 26, 2019 10:02 AM
    Thank you Paul. This is unfortunate to hear. I will vote for the RFE.

    ------------------------------
    Austin Thomas
    ------------------------------



  • 4.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted 9 days ago

    Hi there, 

    We are currently wondering the same thing: is there a way to make sure that you're not duplicating artifacts before you add them? Have there been any updates with regards to this feature, or any workarounds that will work from within the in-product scripting?

    Thanks,

    Adina



    ------------------------------
    Adina Bodkins
    ------------------------------



  • 5.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted 6 days ago
    Hello Adina,

    I have written an artifact deduplicating function using the fn-utilities RestAPI function.
    It is not complete/exact, as it only looks at artifact type and artifact value, and NO other artifact properties like source/destination on IPs or others like Value Name/Value Data on Registry Keys.

    You can try it "as it is" in pre-production and update it with more controls before production.


    Res file built by:
    # Deduplicate Artifact
    Needs an API key (see all functions in the workflow's pre-process scripts; you can use the same API key)
    Needs the Resilient URL & Org updated in the API call in the pre-process script of each function in the workflow
    Needs Apps: fn_utilities
    resilient-circuits extract \
    --workflow "deduplicate_artifact" \
    --rule "Deduplicate Artifact" \
    -o config_deduplicate_artifacts.res --zip --exportfile export.res

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
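An added example, not code from this thread, from Benoit's attachment, or from the Resilient product, of the check-before-add logic the thread is asking for: the REST endpoint Paul points to in reply 2, combined with the type+value de-duplication Benoit describes in reply 5. It is written against the IncidentArtifactREST endpoint under these assumptions: GET /incidents/{id}/artifacts?handle_format=names returns artifact dicts whose "type" is the type name and whose "value" is the string value; POST to the same URI accepts {"type": <type name>, "value": ..., "description": {"format": "text", "content": ...}}; and the client object exposes get(uri) and post(uri, payload) the way resilient.SimpleClient (from resilient.get_client in the resilient Python package) does. FakeClient and the sample description text are constructed so the example runs offline.

```python
"""Add artifacts extracted from an incident description, skipping values that
already exist on the incident (same type + normalized value).

Added example, not the thread's or the product's code. Assumptions (see lead-in):
  * GET  /incidents/{id}/artifacts?handle_format=names -> list of dicts with
    "type" (type name) and "value" (string)
  * POST /incidents/{id}/artifacts accepts {"type": <name>, "value": ..., "description": {...}}
  * `client` has .get(uri) / .post(uri, payload) like resilient.SimpleClient
"""
import ipaddress
import re

# Regexes for the artifact types this example extracts (constructed for the example).
IOC_PATTERNS = {
    "IP Address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Malware SHA-256 Hash": re.compile(r"\b[A-Fa-f0-9]{64}\b"),
    "Malware MD5 Hash": re.compile(r"\b[A-Fa-f0-9]{32}\b"),
}

CASE_INSENSITIVE_TYPES = {
    "DNS Name", "URL", "Email Sender", "Email Recipient",
    "Malware MD5 Hash", "Malware SHA-1 Hash", "Malware SHA-256 Hash",
}


def normalize(artifact_type, value):
    """Canonical comparison form, so '1.2.3.4 ' vs '1.2.3.4', 'ABCD..' vs 'abcd..'
    or '2001:db8:0:0::1' vs '2001:db8::1' are treated as the same artifact."""
    v = value.strip()
    if artifact_type == "IP Address":
        try:
            return str(ipaddress.ip_address(v))
        except ValueError:
            return v
    if artifact_type in CASE_INSENSITIVE_TYPES:
        return v.lower()
    return v


def find_new_artifacts(existing, candidates):
    """Return (type, value) candidates not already on the incident, with
    duplicates among the candidates themselves removed; order preserved.
    Only type + value are compared, not other properties (e.g. IP source/destination)."""
    seen = {(a["type"], normalize(a["type"], a["value"])) for a in existing}
    new = []
    for t, v in candidates:
        key = (t, normalize(t, v))
        if key in seen:
            continue
        seen.add(key)
        new.append((t, v))
    return new


def extract_candidates(text):
    """Pull IOC candidates out of free text; drops regex hits that are not real IPs."""
    found = []
    for t, pattern in IOC_PATTERNS.items():
        for m in pattern.finditer(text):
            if t == "IP Address":
                try:
                    ipaddress.ip_address(m.group(0))
                except ValueError:
                    continue  # e.g. "300.1.1.1" matched the regex but is not an address
            found.append((t, m.group(0)))
    return found


def add_missing_artifacts(client, incident_id, description_text,
                          note="Auto-extracted from incident description"):
    """Check-then-add: fetch current artifacts, post only the ones that are new.
    Returns the list of (type, value) pairs that were posted."""
    uri = "/incidents/{}/artifacts".format(incident_id)
    existing = client.get(uri + "?handle_format=names")
    new = find_new_artifacts(existing, extract_candidates(description_text))
    for t, v in new:
        client.post(uri, {"type": t, "value": v,
                          "description": {"format": "text", "content": note}})
    return new


class FakeClient:
    """Offline stand-in for resilient.SimpleClient (constructed for this example)."""

    def __init__(self, artifacts):
        self.artifacts = list(artifacts)
        self.posted = []

    def get(self, uri):
        return list(self.artifacts)

    def post(self, uri, payload):
        self.posted.append((uri, payload))
        self.artifacts.append(payload)
        return payload


# Constructed sample data: one IP and one MD5 already exist on incident 2095.
SAMPLE_EXISTING = [
    {"type": "IP Address", "value": "10.0.0.1"},
    {"type": "Malware MD5 Hash", "value": "D41D8CD98F00B204E9800998ECF8427E"},
]
SAMPLE_DESCRIPTION = ("Beacon to 10.0.0.1 and 192.168.5.20; dropper md5 "
                      "d41d8cd98f00b204e9800998ecf8427e; bogus host 300.1.1.1")

if __name__ == "__main__":
    fake = FakeClient(SAMPLE_EXISTING)
    print(add_missing_artifacts(fake, 2095, SAMPLE_DESCRIPTION))
```

Two caveats a practitioner should keep in mind. First, this is a check-then-act sequence: two workflows firing on the same incident at the same time can both read the artifact list before either posts, so it narrows the duplicate window rather than closing it. Second, as Benoit notes for his own function, the comparison key is only type plus value; artifacts whose identity also depends on other properties (IP source/destination, registry Value Name/Value Data) need those properties folded into the key.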




  • 6.  RE: Resilient Scripting (Incident Script) - validating current artifact values

    Posted 6 days ago
    Hello Austin,

    I did not check exactly the "how to", but I was wondering whether using a script similar to the one used in the email analysis would allow you to write your regex and create your artifacts, just as is done when analysing the email?

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------