IBM Security QRadar SOAR

  • 1.  Add Tags to Artifact via Python

    Posted Mon September 12, 2022 05:33 AM
    Hi

    How do I add new Tags (existent/non existent) to an Artifact through Python?

    Thanks

    ------------------------------
    Lucian Sipos
    ------------------------------


  • 2.  RE: Add Tags to Artifact via Python

    Posted Tue September 13, 2022 02:16 AM
    Hi Lucian,

    You can use "artifact.addTags()" to add tags to an artifact. The "addTags()" function can consume multiple tags at one time and will create the tags if the tags do not exist in the system. For example, the following snippet will add "Ransomeware" and "ATP41" tags to the artifact.
    artifact.addTags(["Ransomeware", "ATP41"])

    There are also other related functions, such as "getAllTags" and "containsTag"; you can find them in this doc:
    https://www.ibm.com/docs/en/sqsp/46?topic=scripts-artifact-operations

    Note: these functions are supported starting v43 and only on python3

    Thank you.

    ------------------------------
    Gilbert Liao
    ------------------------------



  • 3.  RE: Add Tags to Artifact via Python

    Posted Tue September 13, 2022 03:51 AM
    Thanks, but my question was about a Python method to do this. I knew that it was possible to do this via Scripts, but what about Python?
    Is there any API available?

    Thanks again

    ------------------------------
    Lucian Sipos
    ------------------------------



  • 4.  RE: Add Tags to Artifact via Python

    Posted Thu September 15, 2022 05:27 AM
    Lucian,

    Yes, there are APIs to do this. It usually includes two steps:
    1. Create new or get existing tags via the TagREST endpoint. For artifact tags, the {tagType} should be "data".
    2. Modify the artifact tags. The tags are associated with the global artifact, and you can do it through the global level or the incident level, per your convenience.
       2.1 Through the "global artifact" level using the ArtifactREST endpoint. You can use the PATCH method to modify the tags.
    For example, this curl command will update the artifact's tags from tag id 457 to tag id 337:
    curl 'https://{host}/rest/orgs/{org_id}/artifacts/{artifact_id}?return_dto=true' \
    -X 'PATCH' \
    -H 'Content-Type: application/json' \
    -H 'handle_format: ids' \
    -u '{api_key}:{api_secret}' \
    --data-raw '{"changes":[{"field":{"name":"tags"},"old_value":{"objects":[{"tag_handle":457}]},"new_value":{"objects":[{"tag_handle":337}]}}]}' \
    --compressed \
    --insecure

    2.2 Associate tags at the "incident level" via the IncidentArtifactREST endpoint with the PUT method.
    This endpoint takes IncidentArtifactDTO as an input, and in IncidentArtifactDTO the property "global_info" has a "tags" property that allows you to specify which tags should be associated with the artifact.

    These operations will require the "Manage Artifacts" permission for a user or the "Edit Artifact" permission for an API key.
    You can also check how the SOAR UI interacts with these APIs by opening the browser's debug tools.

    Hope this info helps. Thanks.



    ------------------------------
    Gilbert Liao
    ------------------------------
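
The PATCH call from the curl command in reply 4, written with the Python standard library; this is an added example, not code from the thread or from IBM. It assumes that old_value carries the artifact's current tag ids and new_value the full set wanted afterwards (so existing tags are kept by repeating them), that the caller has already looked up the current tag ids, and that the API key is sent as HTTP Basic credentials as curl -u does; the host, ids and key below are constructed placeholders. Unlike the curl command's --insecure, send() leaves certificate verification on and accepts a CA bundle for a privately signed server.

```python
import base64
import json
import ssl
import urllib.request


def _objects(tag_ids):
    return {"objects": [{"tag_handle": int(t)} for t in tag_ids]}


def build_tag_patch(current_ids, add_ids):
    """Body shaped like the curl example: old_value = tags now, new_value = tags wanted."""
    current = list(dict.fromkeys(current_ids))               # de-duplicate, keep order
    wanted = list(dict.fromkeys(current + list(add_ids)))    # keep existing, append new
    return {"changes": [{"field": {"name": "tags"},
                         "old_value": _objects(current),
                         "new_value": _objects(wanted)}]}


def build_request(host, org_id, artifact_id, key_id, key_secret, body):
    """PATCH request for the global-artifact URL, API key sent as HTTP Basic."""
    url = (f"https://{host}/rest/orgs/{int(org_id)}"
           f"/artifacts/{int(artifact_id)}?return_dto=true")
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json",
                 "handle_format": "ids",
                 "Authorization": f"Basic {token}"})


def send(request, ca_file=None):
    """Send with certificate verification on; ca_file is a PEM bundle for a private CA."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders: host, org id, artifact id and key are not real.
    body = build_tag_patch(current_ids=[457], add_ids=[337])
    req = build_request("soar.example.com", 201, 42, "KEY_ID", "KEY_SECRET", body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
```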