List of Contributions

Jared Fagel

ALLETE Inc.

Posted By Jared Fagel Tue January 30, 2024 06:39 PM
Found In Egroup: IBM Security QRadar SOAR
Does anyone know what the maximum size (bytes/characters) of a text area field in SOAR can be? I hunted through documentation and couldn't find an answer. I stopped short of finding it out manually. I'm planning to implement a control in some of our functions and scripts to ensure that (rich) text ...
Posted By Jared Fagel Thu January 18, 2024 10:50 AM
Found In Egroup: IBM Security QRadar SOAR
Good question. This is kind of a gap. Scripting doesn't have this capability. You can return with custom errors via: helper.fail("Message") You could also write to an incident field as a workaround. It is possible to create a logger field, and append to it as execution occurs. ...
Posted By Jared Fagel Tue August 01, 2023 02:04 PM
Found In Egroup: IBM Security QRadar SOAR
For required fields, you'll just use the inputs. in a pre-processor of the function on the workflow/playbook. We typically have our actions automatically fill those inputs out using incident fields and activity fields from an input field presented to the analyst (rule.properties. ) This GUI ...
Posted By Jared Fagel Tue August 01, 2023 01:59 PM
Found In Egroup: IBM Security QRadar SOAR
You can remove a role's ability to change the status of an incident, but that would include closing of the incident. You *might* be able to use an automatic rule of some kind to make closing work (based on a field change, for example), as I believe that follows system permissions and not the user's. ...
Posted By Jared Fagel Tue August 01, 2023 01:50 PM
Found In Egroup: IBM Security QRadar
Speaking from experience, you will still get logs after updating the appliance, yes. Management will be an issue as you pointed out. Management features will not work (ability to configure WinCollect log sources, including new ones, from QRadar); Existing APARs, CVEs. My recommendation ...
Posted By Jared Fagel Tue August 01, 2023 01:46 PM
Found In Egroup: IBM Security QRadar
I've not tried this myself, but in theory you can do this. You could create a gateway log source for the event hub, and probably have a dedicated event hub for this purpose (windows events), and then for everything that comes from the event hub, you'd set their log source identifier to whatever your ...
Posted By Jared Fagel Thu April 21, 2022 03:23 PM
Found In Egroup: IBM Security QRadar SOAR
This is not possible. See the idea for this created a while ago here: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-55 In the meantime, you'll be stuck using the SOAR tables. ------------------------------ Jared Fagel Cyber Security Analyst ALLETE Inc. --------------- ...
Posted By Jared Fagel Thu April 21, 2022 03:02 PM
Found In Egroup: IBM Security QRadar SOAR
We do not. ------------------------------ Jared Fagel Cyber Security Analyst ALLETE Inc. ------------------------------
Posted By Jared Fagel Thu April 21, 2022 02:38 PM
Found In Egroup: IBM Security QRadar SOAR
We've noticed this too (very occasional missing inbound emails). It's been too difficult to reproduce to be useful for IBM Support. ------------------------------ Jared Fagel Cyber Security Analyst ALLETE Inc. ------------------------------
Posted By Jared Fagel Tue February 15, 2022 01:56 PM
Found In Egroup: IBM Security QRadar SOAR
There is an idea in the Aha portal for better rich-text HTML Support (including HTML tables): https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-55 ------------------------------ Jared Fagel Cyber Security Analyst ALLETE Inc. ------------------------------
Posted By Jared Fagel Thu December 09, 2021 10:24 AM
Found In Egroup: IBM Security QRadar SOAR
Have you looked at the Interactive REST API from SOAR? That's a good starting point. https://YOUR_INSTANCE.resilientsystems.com/docs/rest-api/ui/index.html#/IncidentAttachmentREST If using the Python SDK: rest_client().post_attachment('/incidents/{0}/attachments'.format(incident_id), ...
Posted By Jared Fagel Tue October 12, 2021 06:05 PM
Found In Egroup: IBM Security QRadar SOAR
This took me longer to realize than I wish to admit, but even though it's a .txt when downloaded, it's really an email file (.eml). This was brought to the SOAR team a couple years ago as part of the idea to have emails be attached to incidents, but they chose not to deliver the .eml download portion ...
Posted By Jared Fagel Tue October 12, 2021 05:53 PM
Found In Egroup: IBM Security QRadar SOAR
It'd be a bit messy, but you could run a workflow on every created task you want this to occur on (no conditions), and then have a custom function in that workflow that loops indefinitely checking the task status (and incident status), then return when that 15 minutes is up. On the return you'd have ...
Posted By Jared Fagel Tue October 12, 2021 05:43 PM
Found In Egroup: IBM Security QRadar SOAR
I agree that the function is confusing. I ended up ripping it apart and remaking it. I created an issue on the SOAR GitHub about this, hoping they'll consider making similar changes to what I did. Feel free to reference my code. Reference: https://github.com/ibmresilient/resilient-community-apps/issues/52 ...
Posted By Jared Fagel Fri September 24, 2021 06:03 PM
Found In Egroup: IBM Security QRadar SOAR
I have an idea in the Aha idea portal here to improve the query_builder method available within in-product scripting. Feel free to +1 the idea. I believe that method would be an excellent spot for related incidents to be queryable. I'll add a comment for that. https://2e4ccba981d63ef83a875dad7 ...
Posted By Jared Fagel Mon September 20, 2021 09:59 AM
Found In Egroup: IBM Security QRadar SOAR
I wanted to poke this old thread as the change I noted was made, but something that has still stood the test of time is the use of hardcoded action names ("qradar_action_fields" in resilient_helpers.py). It would be ideal if the action names could be renamed by end users, and rather than referencing ...
Posted By Jared Fagel Tue August 31, 2021 10:30 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, There is an idea for this in the SOAR Aha Idea Portal: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-82 If you want to get technical, the organization export is just JSON, it can be cleaned to include only the parts you wish to export, but this is not easy, especially if ...
Posted By Jared Fagel Mon August 30, 2021 11:29 AM
Found In Egroup: IBM Security QRadar SOAR
This morning our SOC got into SOAR and noticed the new incidents redesign. While it does continue to match the design changes, I wanted to bring up that it is much less friendly in our real-world instance. Some of our view presets must now be scrolled from left to right, and it's difficult to read any ...
Posted By Jared Fagel Wed August 18, 2021 11:39 AM
Found In Egroup: IBM Security QRadar SOAR
I generally disagree with this. If simply previewing EML files was risky, email would not be in wide use today. We are performing EML parsing of all our phishing reports via a custom function and presenting the body in a field to assist with reviewing them -- I'd argue this is one of the more popular ...
Posted By Jared Fagel Wed August 18, 2021 11:32 AM
Found In Egroup: IBM Security QRadar SOAR
Hey @BENOIT ROSTAGNI, I think you may have accidentally @'ed me on that one. I'm not sure what this relates to. Our org has yet to shift to the new App Host architecture. ------------------------------ Jared Fagel Cyber Security Analyst I Public Utility ------------------------------