IBM QRadar SOAR

Hello Experts,

is there any possibility to create artifacts based off fields?

Example:

A new incident is being created with the field "Affected Host" which is an IP address. This IP address should then automatically be added as an artifact to the artifacts table with the right type.

Or is there a possibilty to add artifacts during the "New Incident wizard" already? - i cannot add the artifacts view to the wizard layout.

Or is there a possibilty to extract information from an incident using some parsing function or similar and add the information to the artifact table?

Any help or idea is much appreciated!

Thank you very much in advance! 

yes this is possible , create a playbook or a rule which is activated when that filed is not empty / has changed , figure the best condition for you.

then this rule or playbook can call a script that contains : 

addArtifact(type, value, description)

where type should be "IP Address" and value is incident.proprties.affected_host (you custom filed api name)

Hello Experts,

is there any possibility to create artifacts based off fields?

Example:

A new incident is being created with the field "Affected Host" which is an IP address. This IP address should then automatically be added as an artifact to the artifacts table with the right type.

Or is there a possibilty to add artifacts during the "New Incident wizard" already? - i cannot add the artifacts view to the wizard layout.

Or is there a possibilty to extract information from an incident using some parsing function or similar and add the information to the artifact table?

Any help or idea is much appreciated!

Thank you very much in advance!