IBM QRadar SOAR


Resilient - Create an Incident without emailmessage.createnewincident function

  • 1.  Resilient - Create an Incident without emailmessage.createnewincident function

    Posted Tue January 14, 2020 01:17 PM
    I am currently trying to create new incidents from artifacts that are already part of an incident. Are there other ways to create incidents in the post-process script, backend (FunctionComponent) or in a Script?

    ------------------------------
    Kunal Matthews
    ------------------------------


  • 2.  RE: Resilient - Create an Incident without emailmessage.createnewincident function

    Posted Wed January 15, 2020 04:36 AM

    Hi Kunal,

    The way I would handle this in function code would be to use the resilient client to access the artifact endpoint, then search through the artifact properties to find which artifacts you want to add to the next incident. Please consult the REST API when making these calls (double-check with curl calls and edit the endpoint strings for your needs) to confirm the expected behaviour; this is not meant to be complete code, just a logical schema:

    import logging
    from resilient_lib import ResultPayload

    log = logging.getLogger(__name__)

    # Inside a FunctionComponent handler: rest_client() returns a resilient SimpleClient,
    # which already prefixes /rest/orgs/{org_id} to every endpoint string.
    res_client = self.rest_client()
    payload = ResultPayload("<your package name>", **kwargs)

    incident_str = '/incidents/{incident_id}'.format(incident_id=incident_id)
    artifact_str = '/incidents/{incident_id}/artifacts'.format(incident_id=incident_id)
    add_incident_str = '/incidents'

    content = res_client.get(incident_str)
    art_content = res_client.get(artifact_str)

    # Search artifacts for what you want (here: by artifact property name)
    details_payload = []
    for artifact in art_content:
        names = [p.get('name') for p in (artifact.get('properties') or [])]
        if any(n in ('source', 'destination', '<your criteria>') for n in names):
            details_payload.append({'type': artifact['type'], 'value': artifact['value']})
            log.info("Artifact added %s", artifact['value'])

    # Create the new incident (name and discovered_date are required),
    # then copy each selected artifact into it
    new_incident = res_client.post(add_incident_str, {
        'name': 'Split from incident {}'.format(incident_id),
        'discovered_date': content['discovered_date']
    })
    new_inc_response = [
        res_client.post('/incidents/{incident_id}/artifacts'.format(incident_id=new_incident['id']), art)
        for art in details_payload
    ]

    # send back payload
    results = payload.done(success=True, content=new_inc_response)

    ------------------------------
    Sean OGorman
    ------------------------------
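The artifact-selection and incident-split flow from the reply above, as an added example that is not part of Sean's post: it runs offline against a constructed fake client that exposes the same get(uri) / post(uri, payload) shape as resilient's SimpleClient, so the filtering logic can be tested before touching a real org. The incident ids, artifact values and type ids are constructed sample data, and the split_incident / select_artifacts names are assumptions.

```python
from typing import Any, Dict, List, Set


def select_artifacts(artifacts: List[Dict[str, Any]], wanted: Set[str]) -> List[Dict[str, Any]]:
    """Keep artifacts carrying at least one property whose name is in `wanted`."""
    selected = []
    for art in artifacts:
        names = {p.get("name") for p in (art.get("properties") or [])}
        if names & wanted:
            # POST /incidents/{id}/artifacts needs the artifact type id and value
            selected.append({"type": art["type"], "value": art["value"]})
    return selected


def split_incident(client, incident_id: int, wanted: Set[str]) -> Dict[str, Any]:
    """Create a new incident and copy the selected artifacts of `incident_id` into it."""
    source = client.get("/incidents/{}".format(incident_id))
    selected = select_artifacts(client.get("/incidents/{}/artifacts".format(incident_id)), wanted)
    new_inc = client.post("/incidents", {
        "name": "Split from #{}: {}".format(incident_id, source["name"]),
        "discovered_date": source["discovered_date"],  # required by the API
    })
    added = [client.post("/incidents/{}/artifacts".format(new_inc["id"]), a) for a in selected]
    return {"new_incident_id": new_inc["id"], "artifacts": added}


class FakeClient:
    """Offline stand-in for SimpleClient, preloaded with constructed sample data."""

    def __init__(self):
        self.incidents = {2001: {"id": 2001, "name": "Phish", "discovered_date": 1579000000000}}
        self.artifacts = {2001: [
            {"id": 1, "type": 3, "value": "10.0.0.5", "properties": [{"name": "source", "value": "ip"}]},
            {"id": 2, "type": 2, "value": "evil.example", "properties": []},
            {"id": 3, "type": 3, "value": "10.0.0.9", "properties": [{"name": "destination", "value": "ip"}]},
        ]}

    def get(self, uri: str):
        inc_id = int(uri.strip("/").split("/")[1])
        return self.artifacts[inc_id] if uri.endswith("/artifacts") else self.incidents[inc_id]

    def post(self, uri: str, payload: Dict[str, Any]):
        if uri.endswith("/artifacts"):
            inc_id = int(uri.strip("/").split("/")[1])
            art = dict(payload, id=100 + len(self.artifacts.setdefault(inc_id, [])))
            self.artifacts[inc_id].append(art)
            return art
        new_id = max(self.incidents) + 1
        self.incidents[new_id] = dict(payload, id=new_id)
        return self.incidents[new_id]
```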