IBM Security QRadar SOAR


Binary data for artifact type "RFC822 Email Message File" or "X509 Certificate File"

  • 1.  Binary data for artifact type "RFC822 Email Message File" or "X509 Certificate File"

    Posted Sun December 01, 2019 11:37 PM
    Suppose that the Custom Threat Source responds with "upload_file":true.

    When we create an artifact of type "RFC822 Email Message File" or "X509 Certificate File", we associate a file as an attachment.
    In these cases, only the file names were passed to the Custom Threat Source rather than the file's binary data, in my environment.

    The following are the examples observed in my resilient34 environment.

    {"type":"cert.x509","value":"V34_9.68.70.87_cacert.cer"}
    {"type":"email","value":"emailmessage-1.txt"}

    So I wonder if there are some Resilient configurations necessary to send the binary data.

    I think the binary data should be the entity evaluated by the Custom Threat Source.

    ------------------------------
    Yohji Amano
    ------------------------------


  • 2.  RE: Binary data for artifact type "RFC822 Email Message File" or "X509 Certificate File"

    Posted Fri December 06, 2019 04:39 PM

    Hi Yohji,

    The contents of an artifact attachment are not sent through to the custom threat service, as you observed. An API call back to Resilient is needed for that data retrieval. We've added this capability into resilient-lib.get_file_attachment. Here's the signature:

    get_file_attachment(res_client, incident_id, artifact_id=None, task_id=None, attachment_id=None)

    We wrote this for functions where the res_client, incident_id and artifact_id were easily passed down. Unfortunately, I don't see enough information passed through the event object to acquire incident_id and artifact_id.
    Can you instead perform this capability in a function?



    ------------------------------
    Mark Scherfling
    ------------------------------
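    One way to do the retrieval Mark describes inside a function, as an added example that is not code from this thread or from resilient-lib: it calls get_file_attachment with the signature quoted above, then derives what a threat lookup could actually evaluate from the bytes (a SHA-256 of an email plus its sender and subject, or the DER fingerprint of a certificate). The offline fallback for get_file_attachment, the artifact "contents" endpoint it uses, the FakeResClient stand-in and all sample data are assumptions constructed for this example, not anything from the thread.

```python
import base64
import email
import email.policy
import hashlib
import ssl

try:
    from resilient_lib import get_file_attachment  # real helper; signature quoted in the reply above
except ImportError:
    # Offline fallback (assumption): fetch the artifact contents through the REST client's
    # get_content() at the artifact "contents" endpoint, as the helper does for artifacts.
    def get_file_attachment(res_client, incident_id, artifact_id=None, task_id=None, attachment_id=None):
        return res_client.get_content("/incidents/{0}/artifacts/{1}/contents".format(incident_id, artifact_id))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def artifact_indicators(res_client, incident_id, artifact_id, artifact_type):
    """Fetch the artifact's binary attachment and derive values a threat lookup can evaluate."""
    data = get_file_attachment(res_client, incident_id, artifact_id=artifact_id)
    info = {"type": artifact_type, "size": len(data), "sha256": sha256_hex(data)}
    if artifact_type == "email":  # RFC822 Email Message File
        msg = email.message_from_bytes(data, policy=email.policy.default)
        info.update(sender=str(msg["From"]), subject=str(msg["Subject"]),
                    attachments=sum(1 for _ in msg.iter_attachments()))
    elif artifact_type == "cert.x509":  # X509 Certificate File, PEM or DER
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii")) if data.startswith(b"-----BEGIN") else data
        info["sha256_der"] = sha256_hex(der)  # certificate fingerprints are taken over the DER form
    return info


# Constructed sample data (not from the thread) so the example runs without a SOAR server.
SAMPLE_EMAIL = b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Invoice\r\n\r\nPlease see attached.\r\n"
SAMPLE_CERT_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER)
                   + b"-----END CERTIFICATE-----\n")


class FakeResClient:
    """Stand-in for the Resilient REST client exposing only get_content(uri) (assumed interface)."""
    def __init__(self):
        self.store = {"/incidents/1001/artifacts/42/contents": SAMPLE_EMAIL,
                      "/incidents/1001/artifacts/43/contents": SAMPLE_CERT_PEM}

    def get_content(self, uri):
        return self.store[uri]


if __name__ == "__main__":
    client = FakeResClient()
    print(artifact_indicators(client, 1001, 42, "email"))
    print(artifact_indicators(client, 1001, 43, "cert.x509"))
```

In a real function the res_client, incident_id and artifact_id come from the function inputs, and the returned dictionary is what you would hand to the threat lookup instead of the file name.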