IBM Security QRadar SOAR

Greetings

I am new to IBM SOAR and I am trying to run a demo using the Virus Total predefined playbook.

I need to add a condition point that looks into the  vt_scan_results and returns True if 'malicious' is greater than 0 and returns False if ('malicious': 0)

If the result is True I will write the artifact value to a reference set on Qradar else go to the endpoint

The predefined function and scripts are as below:

Function:

------------------------------
Nabil Nehme
------------------------------

Hi Nabil,

It looks like you're really close! I can't tell exactly what would work for you, but I can give you general guidance that hopefully will get you to the proper place.

You'll switch the condition type of your "Condition Point" to be a "Script builder" rather than "Condition builder". From there, the goal is to set the value of a variable results to True in one case, and False in all other cases.

I don't know what part of the results will contain the "malicious" information, but something to the effect of:

There could be more to it obviously.. The key is just to eventually set results

------------------------------
Bo Bleckel
------------------------------

Original Message:
Sent: Mon October 16, 2023 05:24 AM
From: Nabil Nehme
Subject: Adding a condition point within Virus Total Predifined Playbook

Greetings

I am new to IBM SOAR and I am trying to run a demo using the Virus Total predefined playbook.

I need to add a condition point that looks into the  vt_scan_results and returns True if 'malicious' is greater than 0 and returns False if ('malicious': 0)

If the result is True I will write the artifact value to a reference set on Qradar else go to the endpoint

The predefined function and scripts are as below:

Function:

typeLookup = { 'Email Attachment': 'file', 'Malware Sample': 'file', 'Malware MD5 Hash': 'hash', 'Malware SHA-1 Hash': 'hash', 'Malware SHA-256 Hash': 'hash', 'Other File': 'file', 'RCF 822 Email Message File': 'file', 'File Name': 'filename',

 'URL': 'url', 'IP Address': 'ip', 'DNS Name':'domain'}

if artifact.type in typeLookup:

  inputs.vt_type = typeLookup.get(artifact.type, artifact.type)

else:

  inputs.vt_type = artifact.type

inputs.incident_id = incident.id

inputs.artifact_id = artifact.id

inputs.vt_data = artifact.value

Script:

import datetime

import json

VIRUSTOTAL_GUI_URL = "https://www.virustotal.com/gui"

results = playbook.functions.results.vt_scan_results

# Uncomment the following 2 lines to have the results json printed formatted to a note.

#pretty_results = json.dumps(results, indent=4, sort_keys=True)

#incident.addNote(helper.createRichText(u"<p>VirusTotal scan of {0}: {1} with artifact_id: {2}</p><div>{3}</div>".format(artifact.type, artifact.value, artifact.id, pretty_results)))

msg = u"<p>VirusTotal scan of {0}: <b>{1}</b> with artifact_id: {2}</p>".format(artifact.type, artifact.value, artifact.id)

scan = results.get("scan",  {})

if not scan:

  raise Exception("No scan data returned VirusTotal scan {0}: {1} with artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))   

data = scan.get("data", {})

scan_error = scan.get("error", {})

if scan_error:

  msg = "{0}Error returned: {1}".format(msg, scan_error)

  #helper.fail("Error returned from VirusTotal scan {0}: {1}: {2}".format(artifact.type, artifact.value, scan_error))

stats = {}

attributes = {}

if data:

  attributes = data.get("attributes", {})

  if attributes:

    # If this a report the stats are in last_analysis_stats otherwise they are in stats

    stats = attributes.get("last_analysis_stats", {})

    if stats == {}:

    stats = attributes.get("stats", {})

# Write statistics to the note

for k,v in stats.items():

  if k.lower() == "malicious":

    msg = "{0}{1}: <span style='color:red'>{2}</span><br>".format(msg, k, v)

  else:

    msg = "{0}{1}: {2}<br>".format(msg, k, v)

# Write the last analysis time to the note

last_analysis_date = attributes.get("last_analysis_date", None)

if last_analysis_date:

  last_analysis_date_str = datetime.datetime.fromtimestamp(last_analysis_date).strftime('%Y-%b-%d %H:%M:%S')

  msg = "{0}<br>Last analysis date: {1}".format(msg, last_analysis_date_str)

# Add VirusTotal Report link to the note

if data:

  uriLookup = { 'Email Attachment': 'file', 

                'Malware Sample': 'file', 

                'Malware MD5 Hash': 'file', 

                'Malware SHA-1 Hash': 'file', 

                'Malware SHA-256 Hash': 'file', 

                'Other File': 'file',

                'RCF 822 Email Message File': 'file', 

                'File Name': 'file',

                'URL': 'url', 

                'IP Address': 'ip-address', 

                'DNS Name':'domain'}

  uri_fragment = uriLookup.get(artifact.type, None)

  vt_id = data.get("id", None)

  if vt_id and uri_fragment:

    link_back = "<a href='{0}/{1}/{2}'>VirusTotal Report</a>".format(VIRUSTOTAL_GUI_URL, uri_fragment, vt_id)

    msg = "{0}<br>{1}".format(msg, link_back)

  

if not stats:

  msg = "{0}No stats returned from scan {1}: {2} with artifact_id: {3}".format(msg, artifact.type, artifact.value, artifact.id)  

incident.addNote(helper.createRichText("<div>{0}</div>".format(msg)))

# Create artifacts from results

last_http_response_content_sha256 = attributes.get("last_http_response_content_sha256", None)

if last_http_response_content_sha256:

    incident.addArtifact('Malware SHA-256 Hash', last_http_response_content_sha256, "Created by VirusTotal scan of artifact type: {0} value: {1} artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))

sha256 = attributes.get("sha256", None) 

if sha256:

    incident.addArtifact('Malware SHA-256 Hash', sha256, "Created by VirusTotal scan of artifact type: {0} value: {1} artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))

md5 = attributes.get("md5", None)

if md5:

    incident.addArtifact('Malware MD5 Hash', md5, "Created by VirusTotal scan of artifact type: {0} value: {1} artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))

sha1 = attributes.get("sha1", None)

if sha1:

    incident.addArtifact('Malware SHA-1 Hash', sha1, "Created by VirusTotal scan of artifact type: {0} value: {1} artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))

I need to have the below playbook:

Any hints on what could be the first condition script in order to get the IP address written to a reference set 

------------------------------
Nabil Nehme
------------------------------

Just would like to add: if you need to pass data between nodes, for example, if you need to pass the IP Address or the result processed by script node to "Qradar Add Reference Set Item" function, you can use playbook.addProperty(<propertyName>, <propertyValue>)  in script node, and then use playbook.properties.<propertyName> to get the value as function input. 

See more details here: https://www.ibm.com/docs/en/sqsp/50?topic=scripts-playbook-operations

------------------------------
Gilbert Liao
------------------------------

Original Message:
Sent: Mon October 16, 2023 05:24 AM
From: Nabil Nehme
Subject: Adding a condition point within Virus Total Predifined Playbook

Greetings

I am new to IBM SOAR and I am trying to run a demo using the Virus Total predefined playbook.

I need to add a condition point that looks into the  vt_scan_results and returns True if 'malicious' is greater than 0 and returns False if ('malicious': 0)

If the result is True I will write the artifact value to a reference set on Qradar else go to the endpoint

The predefined function and scripts are as below:

Function:

typeLookup = { 'Email Attachment': 'file', 'Malware Sample': 'file', 'Malware MD5 Hash': 'hash', 'Malware SHA-1 Hash': 'hash', 'Malware SHA-256 Hash': 'hash', 'Other File': 'file', 'RCF 822 Email Message File': 'file', 'File Name': 'filename',

 'URL': 'url', 'IP Address': 'ip', 'DNS Name':'domain'}

if artifact.type in typeLookup:

  inputs.vt_type = typeLookup.get(artifact.type, artifact.type)

else:

  inputs.vt_type = artifact.type

inputs.incident_id = incident.id

inputs.artifact_id = artifact.id

inputs.vt_data = artifact.value

Script:

import datetime

import json

VIRUSTOTAL_GUI_URL = "https://www.virustotal.com/gui"

results = playbook.functions.results.vt_scan_results

# Uncomment the following 2 lines to have the results json printed formatted to a note.

#pretty_results = json.dumps(results, indent=4, sort_keys=True)

#incident.addNote(helper.createRichText(u"<p>VirusTotal scan of {0}: {1} with artifact_id: {2}</p><div>{3}</div>".format(artifact.type, artifact.value, artifact.id, pretty_results)))

msg = u"<p>VirusTotal scan of {0}: <b>{1}</b> with artifact_id: {2}</p>".format(artifact.type, artifact.value, artifact.id)

scan = results.get("scan",  {})

if not scan:

  raise Exception("No scan data returned VirusTotal scan {0}: {1} with artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))   

data = scan.get("data", {})

scan_error = scan.get("error", {})

if scan_error:

  msg = "{0}Error returned: {1}".format(msg, scan_error)

  #helper.fail("Error returned from VirusTotal scan {0}: {1}: {2}".format(artifact.type, artifact.value, scan_error))

stats = {}

attributes = {}

if data:

  attributes = data.get("attributes", {})

  if attributes:

    # If this a report the stats are in last_analysis_stats otherwise they are in stats

    stats = attributes.get("last_analysis_stats", {})

    if stats == {}:

    stats = attributes.get("stats", {})

# Write statistics to the note

for k,v in stats.items():

  if k.lower() == "malicious":

    msg = "{0}{1}: <span style='color:red'>{2}</span><br>".format(msg, k, v)

  else:

    msg = "{0}{1}: {2}<br>".format(msg, k, v)

# Write the last analysis time to the note

last_analysis_date = attributes.get("last_analysis_date", None)

if last_analysis_date:

  last_analysis_date_str = datetime.datetime.fromtimestamp(last_analysis_date).strftime('%Y-%b-%d %H:%M:%S')

  msg = "{0}<br>Last analysis date: {1}".format(msg, last_analysis_date_str)

# Add VirusTotal Report link to the note

if data:

  uriLookup = { 'Email Attachment': 'file', 

                'Malware Sample': 'file', 

                'Malware MD5 Hash': 'file', 

                'Malware SHA-1 Hash': 'file', 

                'Malware SHA-256 Hash': 'file', 

                'Other File': 'file',

                'RCF 822 Email Message File': 'file', 

                'File Name': 'file',

                'URL': 'url', 

                'IP Address': 'ip-address', 

                'DNS Name':'domain'}

  uri_fragment = uriLookup.get(artifact.type, None)

  vt_id = data.get("id", None)

  if vt_id and uri_fragment:

    link_back = "<a href='{0}/{1}/{2}'>VirusTotal Report</a>".format(VIRUSTOTAL_GUI_URL, uri_fragment, vt_id)

    msg = "{0}<br>{1}".format(msg, link_back)

  

if not stats:

  msg = "{0}No stats returned from scan {1}: {2} with artifact_id: {3}".format(msg, artifact.type, artifact.value, artifact.id)  

incident.addNote(helper.createRichText("<div>{0}</div>".format(msg)))

# Create artifacts from results

last_http_response_content_sha256 = attributes.get("last_http_response_content_sha256", None)

if last_http_response_content_sha256:

    incident.addArtifact('Malware SHA-256 Hash', last_http_response_content_sha256, "Created by VirusTotal scan of artifact type: {0} value: {1} artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))

sha256 = attributes.get("sha256", None) 

if sha256:

    incident.addArtifact('Malware SHA-256 Hash', sha256, "Created by VirusTotal scan of artifact type: {0} value: {1} artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))

md5 = attributes.get("md5", None)

if md5:

    incident.addArtifact('Malware MD5 Hash', md5, "Created by VirusTotal scan of artifact type: {0} value: {1} artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))

sha1 = attributes.get("sha1", None)

if sha1:

    incident.addArtifact('Malware SHA-1 Hash', sha1, "Created by VirusTotal scan of artifact type: {0} value: {1} artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))

I need to have the below playbook:

Any hints on what could be the first condition script in order to get the IP address written to a reference set 

------------------------------
Nabil Nehme
------------------------------