IBM Security QRadar SOAR

  • 1.  resilient-circuits: looping all artifacts in incident level

    Posted Sun May 24, 2020 05:45 PM
    Hi team, I have a rule which is working on "incident level". And this rule triggers a workflow which includes my custom function call. I want to develop code on the circuits side for checking all "artifacts" with a loop. The menu-item rule should work on incident level, and I need to loop over all artifacts.
    for instance:

    for myartifact in incident.all_artifacts:
        if myartifact.type == "blabla":
            ...

    How can I do that? At the end of the day I am planning to query assetdb for all IP addresses which exist in this incident. Template function code attached.

    ------------------------------
    Ali Okan Yuksel
    ------------------------------


  • 2.  RE: resilient-circuits: looping all artifacts in incident level

    Posted Mon May 25, 2020 04:10 AM
    Hi Ali,
    Thank you for raising this in the community. 

    To get all the artifacts for an incident, a REST API call is needed. This is the route for the call :
    /orgs/{org_id}/incidents/{inc_id}/artifacts


    Note that an incident id is needed to make this API call. When you define a rule on the incident level like you have done, the workflow associated with this rule will have access to the incident object, which contains a field 'incident.id'. The workflow invokes a function which in this case you have called 'check_asset_db'. I would suggest adding a Number field input to this function called 'incident_id', as this will allow you to pass the incident ID from the workflow to the function code you are showing here.

    For an example of what this would look like, consider installing the fn_utilities app/integration which contains functions that use incident_id and will import a field for you meaning you don't have to define it yourself. 

    With a function that has an incident_id input you will be able to use it to make the call to the REST API and gather all incidents. The python package resilient gives you a helper which will provide a rest client making API calls easier. This REST client uses the values contained in your app.config configuration file to make a connection to Resilient.

    With all that said, here is a code snippet which will gather the artifacts from the REST client and allow you to iterate over them: 

    import logging

    from resilient_circuits import ResilientComponent, function, FunctionResult, FunctionError


    class FunctionComponent(ResilientComponent):
        """Standard resilient-circuits function template wrapped around the snippet."""

        @function("check_asset_db")
        def _check_asset_db_function(self, event, *args, **kwargs):
            try:
                # Get the function parameters:
                incident_id = kwargs.get("incident_id")  # number
                ip = kwargs.get("ip")  # string

                log = logging.getLogger(__name__)
                log.info("incident_id: %s", incident_id)

                # Instantiate a rest client (connection details come from app.config)
                res_client = self.rest_client()

                # Get artifacts for this incident
                artifacts = res_client.get("/incidents/%s/artifacts?handle_format=names" % incident_id)

                for artifact in artifacts:
                    # Do something with the artifact
                    log.info(artifact)

                yield FunctionResult({"artifact_count": len(artifacts)})
            except Exception:
                yield FunctionError()

    If this is what you're looking for, could you 'Recommend' the answer or mark it as best answer so others can find this info in future.

    Hope this helps,
    Ryan 

    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------



  • 3.  RE: resilient-circuits: looping all artifacts in incident level

    Posted Tue May 26, 2020 04:08 PM
    Hello Ryan,

    Looks like the '/orgs/{org_id}/incidents/{inc_id}/artifacts' method is deprecated.

    If you can share another example for filtering IP addresses only by using the '/rest/orgs/201/incidents/2095/artifacts/query_paged' method, I would really appreciate it.

    I tested it and it works fine, but I couldn't write a filter rule for getting only the IP address or e-mail artifact type.


    ------------------------------
    Ali Okan Yuksel
    ------------------------------



  • 4.  RE: resilient-circuits: looping all artifacts in incident level

    Posted Wed May 27, 2020 12:11 PM
    I always find using the Resilient UI helps me understand what APIs are available and how to use them.

    Here is an example of performing a query filtering on an artifact type:

    curl 'http://localhost:8080/rest/orgs/253/incidents/80699/artifacts/query_paged?threat_hit_prop_format=objects&include_related_incident_count=true' \
      -H 'handle_format: ids' \
      -H 'text_content_output_format: objects_convert' \
      -H 'X-Requested-With: XMLHttpRequest' \
      -H 'Origin: http://localhost:8080' \
      -H 'Connection: keep-alive' \
      -H 'Referer: http://localhost:8080/' \
      --data-raw '{"sorts":[{"field_name":"created","type":"desc"}],"filters":[{"conditions":[{"field_name":"type","method":"in","value":["1452"]}]}],"start":0,"length":25}'

    Typically it is possible to use names for the artifact types but unfortunately that doesn't work with this API (bug):

    curl 'http://localhost:8080/rest/orgs/253/incidents/80699/artifacts/query_paged?threat_hit_prop_format=objects&include_related_incident_count=true' \
      -H 'handle_format: ids' \
      -H 'text_content_output_format: objects_convert' \
      -H 'X-Requested-With: XMLHttpRequest' \
      -H 'Origin: http://localhost:8080' \
      -H 'Connection: keep-alive' \
      -H 'Referer: http://localhost:8080/' \
      --data-raw '{"sorts":[{"field_name":"created","type":"desc"}],"filters":[{"conditions":[{"field_name":"type","method":"in","value":["custom_artifact"]}]}],"start":0,"length":25}'

    Ben



    ------------------------------
    Ben Lurie
    ------------------------------
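An added example, not code from this thread or from IBM, that ties Ryan's iteration loop to Ben's query_paged filter: it builds the same request body as the curl above, walks every page, and collects only the artifact values of the wanted type ids (the IP list the original question wants for the assetdb lookup). It assumes a `post(uri, body)` callable with the shape of `res_client.post` from the resilient package; the artifact type id for "IP Address" must be looked up in your own org, since names are rejected by this filter, so the id `1` in the constructed sample data is only a placeholder.

```python
import logging
from typing import Callable, Dict, Iterable, Iterator, List

log = logging.getLogger(__name__)


def build_type_filter(type_ids: Iterable[int], start: int = 0, length: int = 25) -> Dict:
    """Body for POST /incidents/{id}/artifacts/query_paged, same shape as the curl example.
    Type ids are sent as strings because names are rejected by this filter."""
    return {
        "sorts": [{"field_name": "created", "type": "desc"}],
        "filters": [{"conditions": [
            {"field_name": "type", "method": "in", "value": [str(t) for t in type_ids]}]}],
        "start": start,
        "length": length,
    }


def iter_artifacts_by_type(post: Callable, incident_id: int, type_ids: Iterable[int],
                           page_size: int = 25) -> Iterator[Dict]:
    """Walk every page of a query_paged result. `post` is assumed to behave like
    res_client.post(uri, payload) and to return the decoded JSON page with a "data" list."""
    type_ids = list(type_ids)
    start = 0
    while True:
        page = post("/incidents/%s/artifacts/query_paged" % incident_id,
                    build_type_filter(type_ids, start, page_size))
        rows = page.get("data", [])
        for artifact in rows:
            yield artifact
        if len(rows) < page_size:  # a short page means there are no more results
            return
        start += page_size


def artifact_values(post: Callable, incident_id: int, type_id: int, page_size: int = 25) -> List[str]:
    """Collect the values (e.g. IP addresses) of one artifact type, ready for an assetdb lookup."""
    return [a["value"] for a in iter_artifacts_by_type(post, incident_id, [type_id], page_size)]


# Constructed offline stand-in for the REST client; type id 1 is a placeholder for "IP Address".
FAKE_ARTIFACTS = [
    {"id": 10, "type": 1, "value": "203.0.113.5"},
    {"id": 11, "type": 2, "value": "mail.example.test"},
    {"id": 12, "type": 1, "value": "198.51.100.7"},
]


def fake_post(uri: str, body: Dict) -> Dict:
    """Applies the type filter and paging the way the server would, on the sample data."""
    wanted = {int(v) for v in body["filters"][0]["conditions"][0]["value"]}
    rows = [a for a in FAKE_ARTIFACTS if a["type"] in wanted]
    return {"data": rows[body["start"]:body["start"] + body["length"]]}


if __name__ == "__main__":
    # In a function component: artifact_values(self.rest_client().post, incident_id, ip_type_id)
    print(artifact_values(fake_post, 2095, 1, page_size=1))
```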