IBM Security QRadar SOAR

  • 1.  Office 365 ATP Safelink Decode

    Posted Mon February 22, 2021 03:52 PM
    Hi All,

    We have recently started using Resilient and the features and power it provides are incredible, however we have run into one small hitch regarding 365 ATP links. We would like them to be decoded and added to the artefact list instead of grabbing the whole link - we would like to avoid this because we are linking Resilient to 3rd party sources such as X-Force Exchange and we don't want to be sending these "safe" links off to be inspected.

    The example link at the bottom of this post shows what appears in the artefacts. There are tools online that decode these for you; however, the real links are wrapped in the safesearch link between "*?url=" and "&amp*".

    A really basic python script of:
    import re

    # the Safe Links URL exactly as it lands in the artefact (example link from below)
    url = "https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com&data=%7Cc4e27a3a2ec240f5163008d8ce9db36d%7Ca4602a1363944af38822d426c6075a8f%7C0%7C0%7C637486523999735954%7CUnknown%7CTWFpbGZsb3d8eyJWCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YFYg3szKQ39IKtQi76%2Fi3al85XlVZtjykXgFLoz6ROA%3D&reserved=0"

    # capture everything after "url=" up to the next "&" (covers both "&data=" and an
    # HTML-escaped "&amp;data=" copied out of an email body)
    result = re.search(r'url=([^&]*)', url)
    print(result.group(1))

    This will strip 99% of the data away and return "https%3A%2F%2Fwww.youtube.com"; even this would be better than the safelink, as it can be more easily read by the human eye. From here we could do a re.sub("%2F", "/", url) and so on until we have a fixed link.

    The current thought process is as follows:

    1) Python script to strip the useless data away
    The first problem appears on how to achieve this:
    1a) Run this code when the email is parsed
    1b) Run this code and append the artefact after the incident/artefacts have been created

    The problem is that neither of these works, as multiple errors get thrown up (from "Not Callable" to empty strings and so on).

    So the question I propose is: are we going about this the right way? Is there a more sensible route to take, or can this even be done? I believe the python script is the best way, but at the moment I appear to be hitting a brick wall.

    If 1b) would be the appropriate path to progress down, is there any information / documentation on how to use a python script to append already created artefacts?

    Any help would be much appreciated.

    Kind Regards,
    Josh

    Example Link:
    https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com&data=%7Cc4e27a3a2ec240f5163008d8ce9db36d%7Ca4602a1363944af38822d426c6075a8f%7C0%7C0%7C637486523999735954%7CUnknown%7CTWFpbGZsb3d8eyJWCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YFYg3szKQ39IKtQi76%2Fi3al85XlVZtjykXgFLoz6ROA%3D&reserved=0

    ------------------------------
    Joshua Hall
    ------------------------------


  • 2.  RE: Office 365 ATP Safelink Decode

    Posted Fri March 19, 2021 03:47 PM
    Hi Joshua,

    Since release v39 of Resilient, scripts can now run using a python 3 scripting engine. This engine has more capabilities compared to the python-2 engine, such as allowing more python packages to be imported. This script works to unquote the hex encoded parts of a url:

    import urllib.parse

    # unquote turns the percent-encoded value back into a plain URL before it is added as an artifact
    incident.addArtifact("URL", urllib.parse.unquote("https%3A%2F%2Fwww.youtube.com"))

    ------------------------------
    Mark Scherfling
    ------------------------------
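    Putting the two replies together, the following is an added example (not code from either poster, not part of the Resilient product, and not an IBM sample) of a small Python 3 helper that takes a Safe Links URL, pulls out the wrapped `url` query parameter with the standard library's query parser instead of a regex, percent-decodes it, and leaves any URL that is not a Safe Links wrapper untouched. It assumes nothing beyond the standard library; the function names `is_safelink`, `decode_safelink` and the `SAFELINK_SUFFIX` constant are my own, and the sample input is the example link from the first post.

```python
import html
from urllib.parse import urlparse, parse_qs, quote

# Office 365 ATP / Defender Safe Links wraps links under regional hosts such as
# eur03.safelinks.protection.outlook.com or nam02..., so match on the domain suffix
# rather than one fixed hostname (assumption: all wrapper hosts share this suffix).
SAFELINK_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed sample: the Safe Links URL quoted in the original post.
SAMPLE_SAFELINK = (
    "https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com"
    "&data=%7Cc4e27a3a2ec240f5163008d8ce9db36d%7Ca4602a1363944af38822d426c6075a8f"
    "%7C0%7C0%7C637486523999735954%7CUnknown%7CTWFpbGZsb3d8eyJWCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D"
    "%7C1000&sdata=YFYg3szKQ39IKtQi76%2Fi3al85XlVZtjykXgFLoz6ROA%3D&reserved=0"
)


def is_safelink(url: str) -> bool:
    """True if the URL's host is a Safe Links wrapper host."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(SAFELINK_SUFFIX)


def decode_safelink(url: str) -> str:
    """Return the original URL wrapped inside a Safe Links URL.

    Anything that is not a Safe Links wrapper is returned unchanged, so the
    function is safe to call on every URL artifact. Links copied out of an email
    body often carry "&amp;" instead of "&" (the pattern the first post's regex
    was written against), so that one entity is undone before parsing; a full
    html.unescape is avoided because it would also rewrite legacy entities such
    as "&copy" that can legitimately appear inside query strings.
    """
    url = url.strip().replace("&amp;", "&")
    if not is_safelink(url):
        return url
    params = parse_qs(urlparse(url).query)  # parse_qs percent-decodes the values
    inner = params.get("url", [""])[0]
    if not inner:
        # A wrapper with no url parameter: keep the wrapper rather than emit an empty artifact.
        return url
    # Safe Links can wrap a link that is itself already wrapped; unwrap until stable.
    return decode_safelink(inner) if is_safelink(inner) else inner


if __name__ == "__main__":
    print(decode_safelink(SAMPLE_SAFELINK))  # https://www.youtube.com
    nested = "https://nam02.safelinks.protection.outlook.com/?url=" + quote(SAMPLE_SAFELINK, safe="")
    print(decode_safelink(nested))  # https://www.youtube.com
    print(decode_safelink("https://example.com/page?x=1"))  # unchanged
```

    In a Resilient Python 3 script this would sit in place of the literal string from the reply above, for example `incident.addArtifact("URL", decode_safelink(artifact.value))` run on the URL artifact that the email parser created (`artifact.value` being the script object's field for the artifact's value, assumed here); that call is left out of the block so it runs offline. Because the decoded value is a plain URL, only the real destination is what gets forwarded to X-Force Exchange or any other enrichment source, which is the concern the original question raised.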