IBM QRadar SOAR

  • 1.  Script error when setting field value

    Posted Thu January 13, 2022 12:00 AM

    Hello! I'm working on a script that parses inbound email and sets a custom field with the values provided in the email. There is a task and its options field that I created myself. It has API Access Name = "approval".

    The script shows an error on the line where I set the value of that field via
    incident.properties.approval = "Одобрено"

    I also tried commenting out the lines where I set the fields and at least checking whether the parser works correctly by adding notes, but I'm getting another error.


    Here is the full code if needed:

    # -*- coding: utf8 -*-
    import re
    import datetime
    import time
    
    class EmailProcessor(object):
        emailContents = []
    
        def __init__(self):
            if (emailmessage.body.content is not None):
                self.emailContents.append(emailmessage.body.content)
            if (emailmessage.getBodyHtmlRaw() is not None):
                self.emailContents.append(emailmessage.getBodyHtmlRaw())
            if (len(self.emailContents) == 0):
                log.error("Email message has no contents!")
                
        def addBasicInfoToIncident(self):
            approver = emailmessage.sender.address
            list_approvers = ['approver1@mail.com', 'approver2@mail.com', 'approver3@mail.com']
            method = re.findall(r"(\w+):", self.emailContents[0], re.UNICODE)[0]
            #str(approver) in list_approvers
            if str(approver) in list_approvers:
              if method == "Одобрено":
                #incident.properties.approval = "Одобрено"
                incident.addNote("""Было согласовано {}""".format(approver))
              elif method == "Отклонено":
                #incident.properties.approval = "Отклонено"
                incident.addNote("""Было Отклонено {}""".format(approver))
              else:
                #incident.properties.approval = "Ошибка"
                incident.addNote("""Возникла ошибка {}""".format(approver))
            else:
              #incident.properties.approval = "Попытка изменения другим лицом"
              incident.addNote("""{} пытался изменить данное поле, хоть и не указан в списке ответсвенных лиц""".format(approver))
    
    processor = EmailProcessor()
    
    inc_id = int(re.findall(r"\d+", processor.emailContents[0], re.UNICODE)[0])
    
    query_builder.equals(fields.incident.id, inc_id)
    query = query_builder.build()
    incidents = helper.findIncidents(query)
    
    
    if len(incidents) == 0:
        log.info(u"Incident Not Found")
    else:
        # A similar incident already exists. Associate the email with this preexisting incident.
        log.info(u"Associating with existing incident {0}".format(incidents[0].id))
        processor.addBasicInfoToIncident()
    


    ------------------------------
    Magzhan Leskhan
    ------------------------------


  • 2.  RE: Script error when setting field value

    Posted Fri January 14, 2022 09:36 AM
    The data context of an Email parsing script does not have a top-level object called 'incident'. This code finds the incidents you are interested in:

    incidents = helper.findIncidents(query)
    
    
    if len(incidents) == 0:
        log.info(u"Incident Not Found")
    else:
        # A similar incident already exists. Associate the email with this preexisting incident.
        log.info(u"Associating with existing incident {0}".format(incidents[0].id))
        processor.addBasicInfoToIncident()
    I think you need to pass the incident information as a parameter to the method addBasicInfoToIncident().

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
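    A version of the parsing logic restructured along the lines Ben suggests, as an added example and not code from this thread: the incident returned by the lookup is passed into the method instead of being read from a non-existent `incident` global, and the two `findall(...)[0]` calls become searches that return None instead of raising IndexError. `IncidentStub` and `find_incident` are constructed stand-ins for the SOAR incident object and for the query_builder/helper.findIncidents lookup; they are not the QRadar SOAR API.

```python
# -*- coding: utf-8 -*-
import re

APPROVERS = ["approver1@mail.com", "approver2@mail.com", "approver3@mail.com"]
# Decision word in the email -> (value for the 'approval' field, note template)
DECISIONS = {
    u"Одобрено": (u"Одобрено", u"Было согласовано {}"),
    u"Отклонено": (u"Отклонено", u"Было отклонено {}"),
}

# Constructed stand-in for the incident helper.findIncidents() returns; only the
# members the script touches (id, properties.<field>, addNote). Not the SOAR API.
class IncidentStub(object):
    def __init__(self, inc_id):
        self.id = inc_id
        self.properties = type("Properties", (object,), {})()  # attribute bag
        self.notes = []

    def addNote(self, text):
        self.notes.append(text)

def parse_body(body):
    """Return (incident id, decision word); None for either part that is missing,
    instead of the IndexError that findall(...)[0] raises on an unexpected body."""
    num = re.search(r"\d+", body)
    word = re.search(r"(\w+):", body, re.UNICODE)
    return (int(num.group(0)) if num else None, word.group(1) if word else None)

def add_approval_to_incident(incident, method, sender):
    """Write the decision to the incident the caller looked up. The incident is a
    parameter because an email-parsing script has no 'incident' global."""
    # The allowlist trusts the From address, which the sender controls; in
    # production pair it with the mail gateway's SPF/DKIM verdict.
    if sender not in APPROVERS:
        value, note = u"Попытка изменения другим лицом", u"{} пытался изменить данное поле, хоть и не указан в списке ответственных лиц"
    else:
        value, note = DECISIONS.get(method, (u"Ошибка", u"Возникла ошибка {}"))
    incident.properties.approval = value
    incident.addNote(note.format(sender))
    return value

def process_email(body, sender, find_incident):
    """find_incident(inc_id) stands in for the query_builder/helper lookup.
    Returns the value written to 'approval', or None when no incident matched."""
    inc_id, method = parse_body(body)
    incident = find_incident(inc_id) if inc_id is not None else None
    if incident is None:
        return None
    return add_approval_to_incident(incident, method, sender)
```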