IBM Security QRadar SOAR

  • 1.  Creating Custom artifact type

    Posted 20 days ago
    To IBM SOAR community,

    Hi all, I am currently creating a playbook that triggers upon creation of an artifact and will perform a bulk action. From what I know, if I want to filter the artifacts that are processed inside the playbook, you would create a rule/condition similar to the one shown below.


    However, my current problem is that using the available artifact type filtering will introduce conflicts with other existing playbooks. Is there a way to avoid this from happening? My current ideas are to either:

    - Create a new custom artifact type that exists for that one playbook
    - Create a second filter in the playbook to further separate the artifacts processed (tried in another playbook using the  but not really successful)
    - Separate the playbook in an isolated container?

    Though I am not sure if the ideas listed are really possible to implement. Does anyone have any idea on how to approach this problem? Thanks


    Best regards,



    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------


  • 2.  RE: Creating Custom artifact type

    Posted 17 days ago

    I have found an alternative to creating a new artifact type by using a different rule triggered by a file name regex.


    The problem is that the playbook does not even trigger when the name matches. Currently I have set up the rule with the additional workflow created.


    Are there any additional steps that I need to apply to get it working? Also, is there an option to add regex in the condition?

    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------



  • 3.  RE: Creating Custom artifact type

    Posted 16 days ago
    It should work. Please make sure the object type is artifact. In your screen capture, it's attachment.

    ------------------------------
    Leo Kuo
    ------------------------------



  • 4.  RE: Creating Custom artifact type

    Posted 11 days ago
    Hi @Leo Kuo,

    Thanks for the reply. The reason I made it an attachment is because my intended workflow is that when an attachment has a similar name (i.e. something) it will generate a different kind of artifact using the IOC parser function.

    Currently I have two versions of the rule, where one is automatic (the one you commented on above) and the other is a menu item. Both of the rules point towards the same workflow, which contains the IOC parser v2 function. My understanding is that once you set up the rule and the workflow that contains the function, it should work, but currently even the menu item rule does not return any output.

    Is there any other setup that I missed in creating this automation, for example reloading the function on the server? My current workaround is editing the default workflow to include my use case (different artifact type).


    Below is the menu item rule triggering the same workflow:

    Below is the workflow the rule points at (using the function IOC parser v2):

    Best regards,

    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------



  • 5.  RE: Creating Custom artifact type

    Posted 11 days ago
    Given you've tested with a menu item, I assume the workflow is triggered successfully and just the function didn't get anything back to your system. I'd suggest you check your workflow status. It could provide you some debug information on why your function didn't return the expected result. Please see the instructions here https://www.ibm.com/docs/en/sqsp/47?topic=incidents-workflows

    You may also check if the rule triggered successfully by adding a simple task.
    I did a test on my system where an "attachment test task" was added to the task list, so I know my system's rule engine works as expected.


    ------------------------------
    Leo Kuo
    ------------------------------



  • 6.  RE: Creating Custom artifact type

    Posted 11 days ago
    Hi Leo Kuo,

    Thanks for the guide and prompt reply,

    I have checked the workflow status and managed to discover the solution by checking the error status. It is related to the dictionary mapping of my function; I would not have discovered it without the status checking.

    Best Regards,

    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------