List of Contributions

Aitor Vivanco Santa Cruz

Posted By Aitor Vivanco Santa Cruz Sat February 15, 2020 05:06 AM
Found In Egroup: IBM Security QRadar SOAR
Hello AnnMarie, I hadn't planned to do the script yet, because I don't know if there is any possibility for that. The string format can be controlled, yes. "It seems like the '[09' substring is ASCII code for TAB and '[0D' is ASCII code for CR?" - Yes, that's right. Best regards ----- ...
Posted By Aitor Vivanco Santa Cruz Fri February 14, 2020 09:05 AM
Found In Egroup: IBM Security QRadar SOAR
Hi AnnMarie, I want to get the results of "Nombre del Grupo" and "Dominio del Grupo" (which are CPA Comercial and Coren, as you see in the payload), and then put them into the fields of the incident details. So could the Python split() work for that? Thank you ------------------------------ Aitor Vivanco ...
Posted By Aitor Vivanco Santa Cruz Wed February 12, 2020 06:14 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, I'm using the workflow "Qradar search for offense ID". I was able to extract the payload with a UTF-8(payload) query. Then, I want to parse it to extract some information from that payload and put it in an incident field. For example, the group name and group domain. They are marked in the photo. Is possible ...
Posted By Aitor Vivanco Santa Cruz Thu February 06, 2020 04:15 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, We have a script that generates new incidents from incoming emails, using as incident name the subject of the email. We have noticed that with some emails, the script fails, and we have seen that it fails when the subject contains some special characters or tildes. For example, ...
Posted By Aitor Vivanco Santa Cruz Thu February 06, 2020 03:40 AM
Found In Egroup: IBM Security QRadar
Hello, I just updated my last "IBM Resilient Qradar Integration" app to version 3.4.0. The problem is that some incidents are escalated to the configuration org, and not to the child org. In the "Mapping" configuration I'm not able to add new child organizations and it tells me that "Organization ...
Posted By Aitor Vivanco Santa Cruz Thu January 30, 2020 07:41 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, I'm trying to invoke a note editor with an action. For example, when I reply to some notes on the incidents, the editor appears. How can I invoke that with an action (script, workflow....)? Thank you ------------------------------ Aitor Vivanco Santa Cruz ------------------------ ...
Posted By Aitor Vivanco Santa Cruz Tue January 28, 2020 05:02 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, I suppose that scripting errors are written in the log file /var/log/resilient-scripting/resilient-scripting.log. When I access this log file, my errors are not appearing; it looks like there is a writing error or something. For example, when I try the script on the Resilient ...
Posted By Aitor Vivanco Santa Cruz Tue January 28, 2020 03:54 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, Does anyone know what's the "API Name" of the "Page Name" of the wiki? I'm trying to develop a script, but I need this information. Here is the screenshot: Thank you ------------------------------ Aitor Vivanco Santa Cruz ------------------------------
Posted By Aitor Vivanco Santa Cruz Fri January 24, 2020 03:36 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, I'm trying to create an automatic rule which could create a custom note during the incident creation. But I see that something fails, because when it creates the incident, the notes field is blank. Any suggestions? Thank you ------------------------------ Aitor Vivanco Santa Cruz - ...
Posted By Aitor Vivanco Santa Cruz Thu January 23, 2020 04:34 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, I'm using the "Email message parsing script". It works fine. But I want to add another functionality. How can I insert the email incident changes into notes? For example: when I get a response to that email, it adds more info to artifacts, but I want to see the response in notes. Is that possible? ...
Posted By Aitor Vivanco Santa Cruz Mon January 13, 2020 02:51 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, When I want to invite a user (with the Sysadmin user or another master administrator user) I can't select a global role for him, only the organizations and the email. Afterwards, when I want to edit the invited user, I can't edit him either. What's the problem? Thank you ------------------------------ ...
Posted By Aitor Vivanco Santa Cruz Fri December 20, 2019 08:42 AM
Found In Egroup: IBM Security QRadar SOAR
Hello Ben, I connected my custom tasks and custom phases with the "Cyber: General" rule and it worked perfectly. I copied the same conditions of that rule to my general custom rule, but it doesn't work. I'm thinking that the problem could be the name of the rule, but it seems illogical. --------- ...
Posted By Aitor Vivanco Santa Cruz Thu December 19, 2019 12:33 PM
Found In Egroup: IBM Security QRadar SOAR
Hello, Recently I created a new phase with some tasks for the incidents. I created a custom rule of incident type for those new tasks (phishing, intrusion, malware, DoS, others). And I disabled some rules so that they do not interfere with my rule. But when I create a new incident (intrusion system type), it appears ...
Posted By Aitor Vivanco Santa Cruz Tue December 17, 2019 03:19 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, I changed some configuration on my Resilient V35, but when I try to push the configuration, I see that the push configuration has failed. And now it is failing on more than one. What does it mean? Any tips for solving that problem? Do I need to update to V35.1? Thank you! ------ ...
Posted By Aitor Vivanco Santa Cruz Fri December 13, 2019 07:41 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, I'm getting this error in a popup window when I want to escalate the offense with the "Escalate to Resilient" button. The problem can be resolved by restarting the API from QRadar. But it comes back again…. Any solution? The following client exception occurred while handling the server response: ...
Posted By Aitor Vivanco Santa Cruz Fri December 13, 2019 06:59 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, I heard about this option: API key accounts are designed to enable external scripts or integrations to authenticate to the Resilient platform through the REST API, with the minimum required permissions. A system-generated token is used to authenticate. API key accounts are not linked to ...
Posted By Aitor Vivanco Santa Cruz Thu December 12, 2019 05:58 AM
Found In Library: IBM Security SOAR
Posted By Aitor Vivanco Santa Cruz Thu December 12, 2019 05:58 AM
Found In Egroup: IBM Security QRadar SOAR
Hello, As I can see, the "Resource Library" has two sub-themes: "Privacy" and "Security IR". How can I create sub-themes on the custom part? Is there any method to upload a document (not by link)? ------------------------------ Aitor Vivanco Santa Cruz ------------------------------
Posted By Aitor Vivanco Santa Cruz Wed December 11, 2019 08:43 AM
Found In Egroup: IBM Security QRadar SOAR
Sorry, we were executing more than one query... I wasn't taking that into account. Here is the whole log. 2019-12-11 13:04:08,961 INFO [actions_component] Event: Channel: functions.qradar_search 2019-12-11 13:04:08,963 DEBUG [client] Received heart-beat 2019-12-11 13:04:09,065 DEBUG [decorators] ...
Posted By Aitor Vivanco Santa Cruz Wed December 11, 2019 02:29 AM
Found In Egroup: IBM Security QRadar SOAR
The query starts with this message, as I can see the param2 on the query and on the error message are not the same. But why? 2019-12-10 11:19:13,915 INFO [qradar_search] qradar_query: SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% MINUTES 2019-12-10 11:19:13,917 INFO [qradar_search] ...