IBM Security QRadar SOAR

  • 1.  Use the network utility app to add IP address from a text file on Linux system

    Posted 23 days ago

    I have a text file called block_ip_list.txt on a Linux system.  The file is used by the firewall as the block list.  I am trying to use SOAR to automate this process.
    I would like to see if anyone has done this already and can share some ideas.


    Here is what I am planning to do.  Looking for some feedback and suggestions on whether I am on the right track and if there is a better way.

    1) Create a script to add an IP address that takes a parameter as the input.   For example: add_ip.sh {ip address1}
    2) Use the "Network Utilities: Linux Shell Command" function to create a playbook

    I am sure there are other details I need to consider, e.g. how do I validate the result?  In addition, it would be nice if I could check whether the IP address is already on the list or not.



    ------------------------------
    Raymond Tam
    ------------------------------


  • 2.  RE: Use the network utility app to add IP address from a text file on Linux system
    Best Answer

    Posted 22 days ago

    Hey Raymond,

    I actually have this working in my lab environment, though your idea expands on it a little bit. This is what I did.

    To echo the IP into a file you would have to do something like below, of course replacing the path with your file's path. This would go into your app.config:

    echo = (echo {{shell_param1}} >> /home/envadmin/.firewall/blocklist.txt)

    From there, because you want to check your file for the existence of that IP, you might also need to add another command like the one I created below:

    cat = (cat /home/envadmin/.firewall/blocklist.txt)

    Note: For both of these commands you could make the file location a {{shell_param}}, but then you would need to provide that in the playbook below.

    That would give you the ability to both read and write to the blocklist file. From there you would then need to build out a playbook. This would be done using the following method.

    1. Create a playbook naming it whatever you want (Add to Content Filter is my playbook name) and set it to activate either manually or automatically on whatever conditions and object type you want.
    2. Then add the Network Utilities: Linux Shell Command function to the canvas.
      • Add the shell command to your fields: echo:remote_computer (remote computer being the computer I have added to the app.config)
      • Add the shell params to your fields: artifact.value (or wherever you are getting your IP address from)
      • Give your Output a name.
    3. From there you can end your playbook, HOWEVER...

    This will give you the ability to write the IP to the file. Now since you included the other things you would like the system to check for, you can expand that playbook by first running the cat command by putting another Network Utilities: Linux Shell Command function to the canvas before your Echo one we just created. To get that command working we would then do the following.

    1. Setup your new node to work with the cat command we created above.
      • Add the shell command to your fields: cat:remote_computer (remote computer being the computer I have added to the app.config)
      • Give your Output a name.
    2. Add a Condition Point decision point to the canvas right after the cat command node.
      • Name the condition point something like IP Exists in File?
      • Create a condition and name the condition Yes
      • Go into the script builder and parse out the output of the cat node to check if the IP already exists; if it does, set result to True, otherwise set it to False.
    3. Connect your echo node to the else path.
    4. Add another Network Utilities: Linux Shell Command function to the canvas this time after the echo command.
      • Add the shell command to your fields: cat:remote_computer (remote computer being the computer I have added to the app.config)
      • Give your Output another name.

    From here it is up to you on how you do this. You could write a script that checks to see if the IP existed initially and then do something like tagging an artifact or posting a note that it already existed. If it didn't already exist then you can check the output of the second cat command to verify that the IP does exist now. Again, if it does exist then you tag it as blocked or post a note stating it was blocked. You could also do another decision point and just do 2 different scripts: one that tags it as blocked or posts a note, and the other one that posts a note that says it failed to add to the block list. Just remember to link your Yes condition point to the script you want at the end before finishing your playbook. I have posted a picture of how this could look on the canvas below.

    Keep in mind this is one way to do it. You could also write a script that does all of this on the remote computer and then your command just runs that script as well, many options here! I hope this helps though.



    ------------------------------
    Nick Mumaw, GPEN, GPYC
    Cyber Security Specialist - SOAR
    IBM - Security
    ------------------------------



  • 3.  RE: Use the network utility app to add IP address from a text file on Linux system

    Posted 22 days ago
    Edited by Raymond Tam 22 days ago

    Hi Nick,

    Thanks for the detailed explanation.  I was able to get this to work, including the validation to check whether the IP exists or not.

    I got stuck on how to pass the 2nd parameter under the "Network Utilities: Linux Shell Command" function.  How do I specify more than one param?

    I tried to add the incident.id but got a syntax error.  What is the proper way to add the 2nd parameter?

    inputs.network_utilities_shell_params = artifact.value,incident.id
    inputs.network_utilities_shell_command = "remote_command_add_block_ip:remote_linux01"


    This is the command I am planning to use.

    echo -e "{{shell_param1}}\t\t# Comment $(date +'%m/%d/%Y %H:%M')\t incident {{shell_param2}}" >> /home/soar/blockiplist.txt



    ------------------------------
    Raymond Tam
    ------------------------------



  • 4.  RE: Use the network utility app to add IP address from a text file on Linux system

    Posted 22 days ago

    I haven't used this app...but it looks like network_utilities_shell_params is a text string param.

    I would try this

    inputs.network_utilities_shell_params = f"{artifact.value},{incident.id}"



    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 5.  RE: Use the network utility app to add IP address from a text file on Linux system

    Posted 21 days ago

    AnnMarie is correct. The Params are a comma separated list of params. What is in space 0 is param1 and what is in space 1 of the list is param2 and so on. So you can make as many params as you want. You had it correct already for how to add them to the commands we create in the app.config.



    ------------------------------
    Nick Mumaw, GPEN, GPYC
    Cyber Security Specialist - SOAR
    IBM - Security
    ------------------------------



  • 6.  RE: Use the network utility app to add IP address from a text file on Linux system

    Posted 21 days ago

    Thank you to both Nick and AnnMarie.  It works.

    This is the solution to the problem for those who want to have multiple values:
    inputs.network_utilities_shell_params = f"{artifact.value},{incident.id}"



    ------------------------------
    Raymond Tam
    ------------------------------
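As an added example (not part of this thread, and not code from the fn_network_utilities app), here is the logic a playbook script could use around the cat/echo nodes Nick describes in reply 2, together with the comma-separated shell_params string (param1 = IP, param2 = incident id) settled in replies 4 to 6. The blocklist text, dates and incident ids are constructed sample data, and the function names are my own. Validating the artifact value with the ipaddress module before it becomes shell_param1 means only a well-formed address ever reaches the shell command; artifact values come from incident data rather than from the analyst, so that check is the cheapest place to keep stray text out of the command line.

```python
import ipaddress
import re

# Constructed sample of what the "cat" node might return, using the line
# format Raymond proposed (address, tab, comment with a date, incident id).
# The commented-out line and the blank line are there to exercise the parser.
SAMPLE_BLOCKLIST = (
    "203.0.113.5\t\t# Comment 05/01/2024 10:12\t incident 2001\n"
    "198.51.100.7\n"
    "\n"
    "# 192.0.2.9 was removed on 05/02/2024\n"
    "2001:db8::1\t\t# Comment 05/03/2024 08:00\t incident 2003\n"
)


def normalize_ip(value):
    """Return the canonical text form of a valid IPv4/IPv6 address, or None.

    Anything that is not a bare address (a hostname, a CIDR range, or text
    carrying shell metacharacters) is rejected, so only a clean address is
    ever handed on as shell_param1.
    """
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def parse_blocklist(text):
    """Return the set of active addresses in blocklist text.

    Blank lines and comment lines are skipped; on other lines only the first
    whitespace- or '#'-delimited token is treated as the address.
    """
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        token = re.split(r"[\s#]", line, maxsplit=1)[0]
        ip = normalize_ip(token)
        if ip is not None:
            found.add(ip)
    return found


def ip_exists(cat_output, candidate):
    """The condition-point check: True if candidate is already blocked."""
    ip = normalize_ip(candidate)
    if ip is None:
        raise ValueError("not an IP address: %r" % (candidate,))
    return ip in parse_blocklist(cat_output)


def build_shell_params(candidate, incident_id):
    """Build the comma-separated shell_params string: param1 = IP, param2 = incident id."""
    ip = normalize_ip(candidate)
    if ip is None:
        raise ValueError("not an IP address: %r" % (candidate,))
    return "%s,%d" % (ip, int(incident_id))


def plan_action(cat_output_before, candidate, incident_id):
    """Decide what the playbook should do for this artifact.

    Returns a dict later nodes can branch on: 'skip' with a note when the
    address is already present, otherwise 'add' with the params for the echo node.
    """
    if ip_exists(cat_output_before, candidate):
        return {"action": "skip",
                "note": "%s is already on the block list" % normalize_ip(candidate)}
    return {"action": "add",
            "shell_params": build_shell_params(candidate, incident_id)}


def verify_added(cat_output_after, candidate):
    """The post-echo check: re-read the file and confirm the address is now present."""
    return ip_exists(cat_output_after, candidate)


if __name__ == "__main__":
    print(plan_action(SAMPLE_BLOCKLIST, "203.0.113.5", 2004))
    print(plan_action(SAMPLE_BLOCKLIST, "192.0.2.9", 2004))
    after = SAMPLE_BLOCKLIST + "192.0.2.9\t\t# Comment 05/04/2024 09:30\t incident 2004\n"
    print(verify_added(after, "192.0.2.9"))
```

In the playbook, the output of the first cat node would be what plan_action receives as cat_output_before, the "shell_params" value would feed the echo node, and the output of the second cat node would go to verify_added so the final note or tag reflects what the file actually contains rather than what the echo command was asked to do. Addresses are compared in canonical form, so an IPv6 entry written with different capitalisation or zero compression is still recognised as already present.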