IBM Security QRadar SOAR

  • 1.  Add Customized Artifact to Incident with Scripts

    Posted Mon February 26, 2024 11:55 AM
    Edited by Andres Parada Mon February 26, 2024 12:23 PM

    Hi everyone,

    I am working on a playbook that programmatically adds artifacts to an incident. When an incident is created, I parse the description and get a list of strings describing IPs and URLs. I can loop through these and add them as artifacts through the addArtifact() method. My problem is that, according to this documentation, this method seems to accept only type, value and description as input parameters. I would like to specify the IPs as source or destination types, which I can access through artifact.ip["source"] or artifact.ip["destination"].

    From the same documentation, it seems that the incident methods and fields do not allow me to directly access associated artifacts. If that is the case, what is the best way for me to enrich these IP artifacts with this information?

    Regards, 



    ------------------------------
    Joao Joao Baptista Dias Moreira
    ------------------------------



  • 2.  RE: Add Customized Artifact to Incident with Scripts

    Posted Tue February 27, 2024 03:22 AM
    Edited by Maria Czapkowska Tue February 27, 2024 03:23 AM

    This is a good question and I think it's an issue from IBM's side. When manually adding an artifact of type "IP Address" it asks you to mark whether it's a source or destination, but it's unclear how to do that when creating an artifact in code. I made a playbook to test it; trying to make an artifact with type "IP Address: Source" throws an error because it can't parse it, as Source/Destination are supposed to be boolean values. I suppose you could have one playbook where you add all the artifacts (playbook object incident) and then another (playbook object artifact) that goes through the artifacts and sets the full type artifact.ip.source = True, or have a sub playbook, but in any case that seems rather frustrating to do.

    I would suggest making new artifact types (Customization settings > artifact types) so you have "Source IP" and "Destination IP" types and just use that when creating artifacts. Then when you have an artifact playbook use artifact.type instead of artifact.ip.



    ------------------------------
    Maria Czapkowska
    ------------------------------



  • 3.  RE: Add Customized Artifact to Incident with Scripts
    Best Answer

    Posted Tue February 27, 2024 09:23 AM

    Hi,

    According to this documentation (https://www.ibm.com/docs/en/sqsp/51?topic=scripts-incident-operations), addArtifact "Returns an artifact script object for further customization." So, I think you could do something like this:

    # addArtifact is an incident method and returns the new artifact object,
    # so the direction flag can be set on that object straight away
    new_artifact = incident.addArtifact(type, value, description)

    new_artifact.source = True

    or

    new_artifact.destination = True

    "source" and "destination" are the names of the boolean fields you need to update.

    HTH



    ------------------------------
    Pierre Dufresne
    ------------------------------
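An added example, not code from the thread or from IBM, of the loop the original post describes, using the object that addArtifact returns as the accepted answer suggests. It assumes the description carries one "source:" or "destination:" labelled line per indicator, that the boolean fields are named source and destination as stated above, and it uses a constructed stand-in for the SOAR incident object so it runs outside the platform.

```python
import re

# Constructed stand-in for the SOAR 'incident' script object so the example
# runs offline. The real incident.addArtifact(type, value, description)
# returns an artifact script object that can be customized further.
class FakeArtifact:
    def __init__(self, artifact_type, value, description):
        self.type, self.value, self.description = artifact_type, value, description
        self.source = False       # assumed boolean field names (see lead-in)
        self.destination = False

class FakeIncident:
    def __init__(self):
        self.artifacts = []
    def addArtifact(self, artifact_type, value, description):
        art = FakeArtifact(artifact_type, value, description)
        self.artifacts.append(art)
        return art

# Assumed description layout: "source: <value>" / "destination: <value>" lines.
# Each value is validated as a dotted IPv4 (octets 0-255) or an http(s) URL;
# anything else is skipped rather than turned into a bogus artifact.
LINE_RE = re.compile(r"^\s*(source|destination)\s*:\s*(\S+)\s*$", re.I | re.M)
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
URL_RE = re.compile(r"^https?://\S+$", re.I)

def parse_indicators(description):
    """Yield (direction, artifact_type, value) for each valid labelled line."""
    for direction, value in LINE_RE.findall(description):
        if IPV4_RE.match(value):
            yield direction.lower(), "IP Address", value
        elif URL_RE.match(value):
            yield direction.lower(), "URL", value

def add_artifacts_from_description(incident, description):
    """Add one artifact per indicator; flag IP artifacts as source/destination."""
    added, seen = [], set()
    for direction, atype, value in parse_indicators(description):
        if (atype, value) in seen:      # do not create duplicate artifacts
            continue
        seen.add((atype, value))
        art = incident.addArtifact(atype, value, "Parsed from incident description")
        if atype == "IP Address":       # set the flag on the returned object
            if direction == "source":
                art.source = True
            else:
                art.destination = True
        added.append(art)
    return added

# Constructed sample description; the last line is an invalid IP and is ignored.
SAMPLE_DESCRIPTION = """Alert summary (constructed sample)
source: 203.0.113.7
destination: 198.51.100.25
destination: http://example.invalid/payload
source: 999.1.1.1
"""
```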



  • 4.  RE: Add Customized Artifact to Incident with Scripts

    Posted Tue February 27, 2024 10:02 AM

    Oh, that's easier, thanks.



    ------------------------------
    Joao Joao Baptista Dias Moreira
    ------------------------------