List of Contributions

AnnMarie Norcross

Posted By AnnMarie Norcross Thu January 11, 2024 08:36 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Maria, Just want to check what version of the email parsing script you are using. There was a fix related to defanging in 2.3.1. If you look at the script in the Customization Settings in the Scripts tab is the script language Python 3 and is the script name "Sample script: process inbound ...
Posted By AnnMarie Norcross Wed January 10, 2024 09:22 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Shivam To get the artifacts of an incident you should use the incidentArtifactREST endpoint: POST /orgs/{org_id}/incidents/{inc_id}/artifacts/query_paged If you don't want to filter anything pass {} as the JSON body. Let me know if you need more info! ------------------------------ ...
Posted By AnnMarie Norcross Tue January 09, 2024 01:23 PM
Found In Egroup: IBM Security QRadar SOAR
Hi Iqra The process inbound assumes that the email is coming directly into the inbound email queue. You would need to make a copy of the script and modify to your own needs. ------------------------------ AnnMarie Norcross ------------------------------
Posted By AnnMarie Norcross Fri January 05, 2024 02:53 PM
Found In Egroup: IBM Security QRadar SOAR
Hi Shivam While testing out AbuseIPDB app after reading your post here, I noticed that on the App Exchange the version says 1.0.2 but the version after installation in the App tab it says 1.0.1 due to the setup.py file not being updated when the app was last released a few months ago. However, this ...
Posted By AnnMarie Norcross Fri January 05, 2024 11:00 AM
Found In Egroup: IBM Security QRadar SOAR
I think you should be testing artifact.type == "URL", not artifact.value! ------------------------------ AnnMarie Norcross ------------------------------
Posted By AnnMarie Norcross Fri January 05, 2024 10:08 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Iqra I see a few issues with the script you posted. You don't need to get the results from content and you do not need to do json.loads as "domains" is a list in the statuses json. I put an incident.addNote after result so you can see the actual results that are passed to the script. I am able ...
Posted By AnnMarie Norcross Thu January 04, 2024 05:13 PM
Found In Egroup: IBM Security QRadar SOAR
Hi again Iqra I am able to run the Cisco Umbrella Investigate app that we have on the App Exchange and can run the "Example: Catagories for a Domain" rule off a DNS artifact and get the associated categories returned (they show up in the "Umbrella Investigate - Categories for a domain" data table). ...
Posted By AnnMarie Norcross Thu January 04, 2024 03:44 PM
Found In Egroup: IBM Security QRadar SOAR
Hi Iqra, Can you give an example of the input you are trying? Are you running in app host? Can you set loglevel=DEBUG in the app.config, run the function, download the log file and post output from the function? I can see if I can get a trial token to test it. ------------------------------ ...
Posted By AnnMarie Norcross Wed January 03, 2024 10:39 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Dominik Unfortunately custom fields are only available at the incident level and not available for tasks. There is a status field on a task that can be set to Open or Closed. There is also the Phase which can be set to Initial, Engage, Detect/Analyze, Respond, Post-Incident, Custom, Complete. ...
Posted By AnnMarie Norcross Wed January 03, 2024 09:47 AM
Found In Egroup: IBM Security QRadar SOAR
Great! A new fn_rest_api app will be published in early January with the fix for the header that you encountered. Best regards, AnnMarie ------------------------------ AnnMarie Norcross ------------------------------
Posted By AnnMarie Norcross Wed January 03, 2024 08:56 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Iqra, There is a known bug that has been fixed in fn_rest_api but it has not been released yet. Can you change the header from "Content-Type" to "Content-type" and see if it works? headers = { "Content-type": "application/json", "Accept": "application/json" } ------------------------------ ...
Posted By AnnMarie Norcross Tue January 02, 2024 04:49 PM
Found In Egroup: IBM Security QRadar SOAR
Hi Dominik, You can create a custom Select field (similar to Owner) and call it Incident Manager and drag it on to the Details layout page where the Owner is. You can assign the Incident Manager manually or set it automatically in a script. Does this answer your question? ----------- ...
Posted By AnnMarie Norcross Tue January 02, 2024 04:31 PM
Found In Egroup: IBM Security QRadar SOAR
Hi Iqra, The fn_utilities REST API function will be deprecated soon as we have focused development on the REST API app available on the App Exchange here. I would try the new function out and see if you have any issue. ------------------------------ AnnMarie Norcross ------- ...
Posted By AnnMarie Norcross Fri October 27, 2023 04:41 PM
Found In Egroup: IBM Security QRadar SOAR
Hi Jasmin The ExecStart line you are trying to use is not correct: ExecStart=/ENV/integration/bin/python /ENV/integration/bin/resilient-circuits run You should use the file location of resilient-circuits in your virtual environment. With the virtual environment activated, type in: which ...
Posted By AnnMarie Norcross Tue July 18, 2023 01:43 PM
Found In Egroup: IBM Security QRadar SOAR
Hi Rajesh The 'GAIA Checkpoint Application' is submitted by a third party vendor. You might have more success finding the answer to your question by contacting them directly via the email listed on the App Exchange page for the app: https://exchange.xforce.ibmcloud.com/hub/extension/bf18f ...
Posted By AnnMarie Norcross Fri June 09, 2023 11:51 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Federico The VirusTotal app v1.1.0 is available on the App Exchange here. And the content package for creating hits on artifacts from VirusTotal scans is here. ------------------------------ AnnMarie Norcross ------------------------------
Posted By AnnMarie Norcross Wed May 03, 2023 10:10 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Federico I am in the process of updating the VirusTotal app from the v2 to v3 of the VT REST API and converting rules workflows from rules/workflows to playbooks. I did see this error while testing recently. However I am changing the logic in the code for checking the results of a scan and do ...
Posted By AnnMarie Norcross Wed April 19, 2023 07:53 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Chris Can you post the automatic rule conditions in SOAR that kick off the workflow that populates the data table? ------------------------------ AnnMarie Norcross ------------------------------
Posted By AnnMarie Norcross Fri March 17, 2023 09:14 AM
Found In Egroup: IBM Security QRadar SOAR
What version of Cisco ASA are you using? The app was developed with a 9.14 version of ASAv. I see there was a Cisco bug causing 401 unauthorized to be returned from any REST API around version 9.16 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvy17365 ...
Posted By AnnMarie Norcross Tue February 28, 2023 08:25 AM
Found In Egroup: IBM Security QRadar SOAR
401 is an authorization error and there is WARNING: No certificate file specified. Does the solution discussed in this post help? https://community.cisco.com/t5/network-security/problem-to-access-asdm-gui-401-unauthorized/td-p/2381772 ------------------------------ AnnMarie Norcross ...