Hi Ali,
Thank you for raising this in the community.
To get all the artifacts for an incident, a REST API call is needed. This is the route for the call:
/orgs/{org_id}/incidents/{inc_id}/artifacts
Note that an incident id is needed to make this API call. When you define a rule on the incident level like you have done, the workflow associated with this rule will have access to the incident object, which contains a field 'incident.id'. The workflow invokes a function which in this case you have called 'check_asset_db'. I would suggest adding a Number field input to this function called 'incident_id', as this will allow you to pass the incident ID from the workflow to the function code you are showing here.
For an example of what this would look like, consider installing the fn_utilities app/integration which contains functions that use incident_id and will import a field for you meaning you don't have to define it yourself.
With a function that has an incident_id input you will be able to use it to make the call to the REST API and gather all incidents. The python package resilient gives you a helper which will provide a rest client making API calls easier. This REST client uses the values contained in your app.config configuration file to make a connection to Resilient.
With all that said, here is a code snippet which will gather the artifacts from the REST client and allow you to iterate over them:
import logging

# Inside the function handler: incident_id comes from the Number field
# input suggested above, ip from the input you already have.
incident_id = kwargs.get("incident_id")
ip = kwargs.get("ip")
log = logging.getLogger(__name__)
log.info("incident_id: %s", incident_id)
# The REST client is configured from the values in app.config
res_client = self.rest_client()
# handle_format=names returns artifact type names instead of numeric ids
artifacts = res_client.get("/incidents/%s/artifacts?handle_format=names" % incident_id)
for artifact in artifacts:
    log.info(artifact)
If this is what you're looking for, could you 'Recommend' the answer or mark it as best answer so others can find this info in future. Hope this helps,
Ryan
------------------------------
Ryan Gordon
Security Software Engineer
IBM
------------------------------
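As an added example (not code from Ryan's post or from the resilient package), here is how the artifact list returned by that REST call can be reduced to the set of IP addresses worth sending to an asset database. It assumes, as with handle_format=names, that each artifact is a dict with a string "type" name such as "IP Address" and a "value"; the REST client and the sample response are constructed stand-ins.

```python
import ipaddress
import logging

log = logging.getLogger(__name__)

# Artifact type names as returned with ?handle_format=names (assumed; check
# your org's artifact types, since custom types can be added).
IP_ARTIFACT_TYPES = {"IP Address"}


def fetch_artifacts(rest_client, incident_id):
    """Fetch all artifacts of one incident. rest_client is anything with a
    .get(uri) method, e.g. self.rest_client() in a function component."""
    if not isinstance(incident_id, int) or incident_id <= 0:
        raise ValueError("incident_id must be a positive integer")
    return rest_client.get("/incidents/%d/artifacts?handle_format=names" % incident_id)


def collect_ip_addresses(artifacts):
    """Return unique, syntactically valid IP addresses among the artifacts.
    Unparseable values (ranges, CIDRs, typos) are logged and skipped so they
    never reach the asset database query."""
    found = []
    for artifact in artifacts:
        if artifact.get("type") not in IP_ARTIFACT_TYPES:
            continue
        value = (artifact.get("value") or "").strip()
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            log.warning("skipping malformed IP artifact %r", value)
            continue
        if str(ip) not in found:
            found.append(str(ip))
    return found


class _FakeRestClient:
    """Stand-in for the Resilient REST client; returns a constructed sample."""
    SAMPLE = [
        {"id": 1, "type": "IP Address", "value": "10.0.0.5"},
        {"id": 2, "type": "DNS Name", "value": "mail.example.test"},
        {"id": 3, "type": "IP Address", "value": "10.0.0.5"},    # duplicate
        {"id": 4, "type": "IP Address", "value": "10.0.0.300"},  # malformed
        {"id": 5, "type": "IP Address", "value": "2001:db8::1"},
    ]

    def get(self, uri):
        return list(self.SAMPLE) if uri.startswith("/incidents/") else []


if __name__ == "__main__":
    print(collect_ip_addresses(fetch_artifacts(_FakeRestClient(), 2095)))
```

In a real function component, replace _FakeRestClient() with self.rest_client() and take incident_id from kwargs.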
Original Message:
Sent: Sat May 23, 2020 06:35 PM
From: Ali Okan Yuksel
Subject: resilient-circuits: looping all artifacts in incident level
Hi team, I have a rule which is working on "incident level". And this rule triggers a workflow which includes my custom function call. I want to develop a code on circuit side for checking all "artifacts" with loop. Menu-item rule should work on Incident level, and I need to loop all artifacts.
for instance:
for myartifact in incident.all_artifacts:
    if myartifact.type == "blabla":
        ...
How can I do that? At the end of the day I am planning to query assetdb for all ip addresses which exist in this incident. Template function code attached.
------------------------------
Ali Okan Yuksel
------------------------------