List of Contributions

Achim Quehenberger

Posted By Achim Quehenberger Wed September 30, 2020 01:58 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Jasmine, Yes, I solved it because I did the import differently. I did not do from resilient_lib import get_file_attachment but did import resilient_lib as res_lib and then in the code res_lib.get_file_attachment(....) For whatever reason this worked then :) Best, Achim ---- ...
Posted By Achim Quehenberger Tue July 14, 2020 08:16 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Lurie, Thank you for your reply. But the first answer is not quite right. I mentioned that I created a manual rule (or Menu Item as it is called in the drop down field for "New Rule"), not an automatic one. And with manual rules you can trigger scripts which handle already existing things. Ok ...
Posted By Achim Quehenberger Mon July 13, 2020 05:22 AM
Found In Egroup: IBM Security QRadar SOAR
Hi! I'm trying to write a script based on emails which are already added to an incident. Those emails which are shown in the Email tab in the incident. When I create a script with object type "emailmessage" it only tries to find email messages which are still in the inbox... Same for the rule... ...
Posted By Achim Quehenberger Wed June 17, 2020 08:42 AM
Found In Egroup: IBM Security QRadar SOAR
Update: Solved! Hm... I installed the package resilient-lib I coded the file like you mentioned above... But I still get the error: NameError: name 'get_file_attachment' is not defined ------------------------------ Achim Quehenberger ------------------------------
Posted By Achim Quehenberger Tue June 16, 2020 07:09 AM
Found In Egroup: IBM Security QRadar SOAR
UPDATE: solved Another question... how do I find out the ID of an artifact? I see the id for incidents on the dashboard. But how do I know what id an artifact has belonging to an incident? ------------------------------ Achim Quehenberger ------------------------------
Posted By Achim Quehenberger Tue June 02, 2020 02:42 AM
Found In Egroup: IBM Security QRadar SOAR
Hello Ben, the import on the integration server is not the issue. The issue is, how to get a malware sample as parameter from the platform to the integration server where my script will be running which sends the sample then to a remote sandbox. ------------------------------ Achim Quehenberger ...
Posted By Achim Quehenberger Thu May 28, 2020 05:46 AM
Found In Egroup: IBM Security QRadar SOAR
Hi everybody, I'm just writing a Python script for forwarding malware samples to a remote sandbox. I have now just one problem. When I want to implement the script on the integration server... how do I get the malware sample from the Resilient platform to the integration server. The out of the ...
Posted By Achim Quehenberger Wed May 06, 2020 09:33 AM
Found In Egroup: IBM Security QRadar SOAR
Apologies, this thread can be closed. I just found in the App Exchange that there is an app for this which was uploaded by 1st of May. https://exchange.xforce.ibmcloud.com/hub/extension/caafba4e4f6d130e7db30ed4d5e53504 Best, Achim ------------------------------ Achim Quehenberger ------ ...
Posted By Achim Quehenberger Wed May 06, 2020 08:58 AM
Found In Egroup: IBM Security QRadar SOAR
Hi! As Resilient is able to send eMails as notification to members of an Incident I wonder if it is possible to use this to send eMails to any eMail address? For example I would like to send a message to a user to reset his password with a standardized eMail template which I could automatically ...
Posted By Achim Quehenberger Tue April 28, 2020 09:46 AM
Found In Egroup: IBM Security QRadar SOAR
*facepalm* of course! Thanks! Sometimes I'm too focused on solutions I want that I don't see other possibilities. ------------------------------ Achim Quehenberger ------------------------------
Posted By Achim Quehenberger Mon April 27, 2020 07:56 AM
Found In Egroup: IBM Security QRadar SOAR
Hi! I amended the email parsing script in a way that it extracts all the email recipients from the email and adds them as "Email Recipient" artifact. Now I want to do a workflow condition based on the number of recipients. But how can I run through the artifacts? I tried something like this ...
Posted By Achim Quehenberger Fri April 24, 2020 03:25 AM
Found In Egroup: IBM Security QRadar SOAR
Good morning, Actually incident seems to be defined as I added your proposal incident.incident_type_ids = list(incident.incident_type_ids) + ["Phishing"] after that line. And there incident is recognized. This solution worked fine. Thanks for that. But the line you mention above defines a ...
Posted By Achim Quehenberger Tue April 21, 2020 04:04 AM
Found In Egroup: IBM Security QRadar SOAR
Good morning. I did a search in Google and here in the discussions but didn't exactly find a topic for my problem. I designed a workflow which actually works when testing. Now I have a real case and the workflow stops with the message But I have no clue why. All fields for the dependencies ...
Posted By Achim Quehenberger Wed April 15, 2020 08:08 AM
Found In Egroup: IBM Security QRadar SOAR
Thank you for the advice. But I already watched some videos and it is sometimes hard to see if that video contains the information I am looking for. Further, it is not very handy if I have to watch videos or search the general docs for scripting topics. I imagine something like this: https://do ...
Posted By Achim Quehenberger Wed April 15, 2020 05:01 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Benoit! Thank you for this information. It worked perfectly! You're right. This is not an ootb field but a self created one. Is there any summarized documentation about information like this? I don't want to bother this community with simple questions which could easily be answered by ...
Posted By Achim Quehenberger Wed April 15, 2020 03:49 AM
Found In Egroup: IBM Security QRadar SOAR
Hello! Yes it is in this list. "Phishing" is just an example I have other values for the incident types as example e.g. "UC-001 Phishing Email" I created this incident type and copy pasted it into the script. Did not work. The line from Benoit Rostagni did work! Thanks for that! ---- ...
Posted By Achim Quehenberger Tue April 14, 2020 09:46 AM
Found In Egroup: IBM Security QRadar SOAR
Hello! I'd like to write a script where the fields of a task are filled up automatically. But when I try something like this: fields.incident.email_contains_link = u"Yes" I get the error email_contains_link is a readonly attribute on line .... How can I set or amend field values? ...
Posted By Achim Quehenberger Fri April 10, 2020 11:12 AM
Found In Egroup: IBM Security QRadar SOAR
Hi! Unfortunately this didn't work. I added the line incident.incident_type_ids.append("Phishing") Just to receive the below error message. But this is something I actually still have an issue with: Is there any overall documentation of the Resilient Python libraries? So like some ...
Posted By Achim Quehenberger Thu April 02, 2020 06:25 AM
Found In Egroup: IBM Security QRadar SOAR
Thank you very much for the information. I also figured out, that the version of this script I have is 32.2... so this line is not in my current version. I'll update the script accordingly. Thanks, ------------------------------ Achim Quehenberger ------------------------------
Posted By Achim Quehenberger Thu April 02, 2020 05:37 AM
Found In Egroup: IBM Security QRadar SOAR
I think I found the issue. Our Resilient organization is managed by our parent company. I have admin rights but the "Roles Tab" is missing so I guess these permissions must be granted by them. Thanks! PS: I am the owner of the incident ------------------------------ Achim Quehenberger - ...