List of Contributions

BENOIT ROSTAGNI

Posted By BENOIT ROSTAGNI Jan 15, 2021 5:09 PM
Found In Egroup: IBM Security Resilient
No, security updates do not affect the application, just the system. If you want to take no risk, just do a temporary snapshot of the full VM before running the security updates. I suggest running security updates every month, even if you do not update the application. ------------------------------ BENOIT ...
Posted By BENOIT ROSTAGNI Jan 15, 2021 5:22 AM
Found In Egroup: IBM Security Resilient
Hi Akhilesh, In addition to Elizabeth Hecht's comments: one version at a time, 35-36-37-38-39-40... Usually my suggestion is to go to the latest service pack of each version. The current "Jython" will be migrated to Python 2. If you want to have them in Python 3, it is your role to make the necessary ...
Posted By BENOIT ROSTAGNI Jan 14, 2021 4:27 PM
Found In Egroup: IBM Security Resilient
What if the designer makes a workflow to get the confidential data from an email and then modifies or removes the workflow? A Master Admin in Resilient has the privilege to do it. If he does it, it will be logged (workflow creation, adjustment, rules...). If he runs it, he will need an incident. The incident ...
Posted By BENOIT ROSTAGNI Nov 23, 2020 8:41 AM
Found In Egroup: IBM Security Resilient
I found out the reason: the permissions of the OOTB app key are not good enough. You need to change it and add "Edit Incident Fields." ------------------------------ BENOIT ROSTAGNI ------------------------------
Posted By BENOIT ROSTAGNI Nov 23, 2020 2:52 AM
Found In Egroup: IBM Security Resilient
I will not create an incident with 25000 artifacts, because: 1) this will launch Threat Intelligence for 25000 per Threat. It is not designed to support that: there is a limit of 100,000 requests per month (see license file). 2) It will launch all your enrichment 25000 times ==> 25000 x Actions 1+2+3+4+5... ...
Posted By BENOIT ROSTAGNI Nov 23, 2020 2:46 AM
Found In Egroup: IBM Security Resilient
Let's try: Child note is synced; parent note is not synced. Let's investigate why. The relation table is good. The rule to sync parent notes to child is "Menu Item". It is not an automatic rule! (I am discovering the app!) Let's run it: Seems good: is good: So just like me the first ...
Posted By BENOIT ROSTAGNI Nov 21, 2020 9:57 AM
Found In Egroup: IBM Security Resilient
Hi Akhilesh, If I understand what you ask for: 1) Artifact (SHA1) is populated by a QRadar Ariel query 2) Artifact (SHA1) is automatically looked up for Threat Intelligence 3) in parallel, enrichment is launched by artifact automation and gives other information back BEFORE the Threat Intelligence ...
Posted By BENOIT ROSTAGNI Nov 21, 2020 9:41 AM
Found In Egroup: IBM Security Resilient
1. Is it possible to make the user that escalated the incident from an offense the owner of the created incident? In QRadar, how is the user that escalated the offense known? Can he be referenced in JINJA2 templating syntax? Example: {{ offense.id }} I do not think so... so my answer will be ...
Posted By BENOIT ROSTAGNI Nov 21, 2020 9:37 AM
Found In Egroup: IBM Security Resilient
Just released! Downloading it currently from Fix Central ------------------------------ BENOIT ROSTAGNI ------------------------------
Posted By BENOIT ROSTAGNI Nov 21, 2020 9:34 AM
Found In Egroup: IBM Security Resilient
Currently, you can't make visibility segregation based on users or groups. There are some RFEs on this, like this one: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-255 At this moment, to allow this visibility, you must use workspaces: Create a Workspace "A", create a Workspace role ...
Posted By BENOIT ROSTAGNI Nov 21, 2020 9:22 AM
Found In Egroup: IBM Security Resilient
Hi Liam, Just tested on v39: thisdict = {"brand": "Ford", "model": "Mustang", "year": 1964} workflow.addProperty("detail", thisdict) does work; workflow.addProperty("detail", {"key": [1, 2, 3]}) does not work. ------------------------------ BENOIT ROSTAGNI ------------------------------
Posted By BENOIT ROSTAGNI Nov 21, 2020 7:27 AM
Found In Egroup: IBM Security Resilient
Moving from fn_task_utils to app_fn_task_utils, I discovered that Create Task does not work any more OOTB. I did multiple tests on multiple Resilient & App Hosts, CP4S & App Host, writing all mandatory fields hard-coded in the Input tab of the "Example: Task Utils - Create Custom Task" default ...
Posted By BENOIT ROSTAGNI Nov 12, 2020 12:46 PM
Found In Egroup: IBM Security Resilient
I have been looking at this for a long time and did not find any reference or documentation on it, so here it is: If you want to access the Source and Destination properties of an IP artifact, you may use the following options: in the new version with Python 2 or 3 (v38.2) "the properties are set once ...
Posted By BENOIT ROSTAGNI Nov 12, 2020 10:41 AM
Found In Egroup: IBM Security Resilient
You are making the WF call from a row in a table, so the workflow knows where you are. At any time, a post-process or script called by this workflow knows which row you are on. You can just change a value like below: row['remediation_state'] = 'Remediated' incident.addNote("From Ticketing system: the ...
Posted By BENOIT ROSTAGNI Nov 12, 2020 10:29 AM
Found In Egroup: IBM Security Resilient
Just discovered it too from Jared's message :) Just a pity that it works only in the Attachment tab, and not from the Summary tab ------------------------------ BENOIT ROSTAGNI ------------------------------
Posted By BENOIT ROSTAGNI Nov 12, 2020 10:03 AM
Found In Egroup: IBM Security Resilient
Currently (v38), you can't filter by artifact type on CTS ------------------------------ BENOIT ROSTAGNI ------------------------------
Posted By BENOIT ROSTAGNI Nov 12, 2020 9:52 AM
Found In Egroup: IBM Security Resilient
Please find below some responses to your request. Highest rating (store the highest rating recorded for the rating field): it is a question of multiple rules and scripts to do the logic. I have done an example using this TLP (Traffic Light Protocol) template: Green > White > Amber > Red. Attached ...
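The "highest rating" logic described in the post above, written out as an added example (this is not the post's attached example nor Resilient's own code). It shows what the script behind a "rating field changed" rule has to do: rank the incoming value, compare it with the stored one, and only ever raise the field. The ordering list is taken from the post's template as listed there and is a parameter you swap for your own (standard TLP 1.0 orders WHITE < GREEN < AMBER < RED); the `Incident` class, the `highest_rating` field name and the `addNote` stub are assumptions so the block runs offline. Unknown or blank ratings are deliberately ignored so a typo in a feed can never lower or blank the stored value.

```python
# Added example, not code from the post above or from IBM Resilient.
# Keeps a "highest rating" field at the maximum TLP value ever recorded.
# Written Python 2/3 compatible since Resilient scripts run under Jython.

# Order from lowest to highest, as listed in the post's TLP template (assumption:
# ">" in the post reads as "is exceeded by"). Adjust to your own template;
# standard TLP 1.0 is WHITE < GREEN < AMBER < RED.
TLP_ORDER = ["Green", "White", "Amber", "Red"]
TLP_RANK = {name.lower(): i for i, name in enumerate(TLP_ORDER)}


def tlp_rank(value):
    """Return the rank of a TLP label, or None for empty/unknown values.

    Matching is case-insensitive and an optional 'TLP:' prefix is accepted,
    so 'TLP:AMBER', 'amber' and 'Amber' all rank the same.
    """
    if value is None:
        return None
    label = str(value).strip()
    if label.upper().startswith("TLP:"):
        label = label[4:].strip()
    return TLP_RANK.get(label.lower())


def highest_rating(current, new):
    """Return whichever of current/new ranks higher, in normalised spelling.

    An unknown 'new' never overwrites a known 'current', and an unknown
    'current' is replaced by any known 'new'.
    """
    cur_rank, new_rank = tlp_rank(current), tlp_rank(new)
    if new_rank is None:
        return current
    if cur_rank is None or new_rank > cur_rank:
        return TLP_ORDER[new_rank]
    return TLP_ORDER[cur_rank]


class Incident(object):
    """Minimal stand-in (assumption) for the 'incident' object a Resilient
    script sees: a properties dict plus addNote()."""

    def __init__(self):
        self.properties = {"highest_rating": None}   # field name is an assumption
        self.notes = []

    def addNote(self, text):
        self.notes.append(text)


def apply_rating(incident, new_rating, field="highest_rating"):
    """What the script attached to a 'rating field changed' rule would do:
    raise the stored field if the new rating ranks higher, and leave an
    audit note when it changes. Returns the value now stored."""
    before = incident.properties.get(field)
    after = highest_rating(before, new_rating)
    if after != before:
        incident.properties[field] = after
        incident.addNote("Highest rating raised from %s to %s" % (before, after))
    return after


if __name__ == "__main__":
    # Constructed sequence of rating updates, including a typo ("bogus").
    inc = Incident()
    for r in ["TLP:WHITE", "amber", "green", "bogus", "Red", "Amber"]:
        apply_rating(inc, r)
    print(inc.properties["highest_rating"], inc.notes)
```

In a real deployment each rule fires once per field update, so the script sees one `new_rating` at a time; the loop in the block only replays several updates to show that the field climbs monotonically and that the note count equals the number of actual raises.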
Posted By BENOIT ROSTAGNI Nov 12, 2020 8:50 AM
Found In Egroup: IBM Security Resilient
Best practice: - do not install the Integration Server on the Resilient Server in production. I know it does not solve your problem, but having them both on a single box is not supported in production. I really and strongly suggest you: - Use App Host (where you will solve Python 2 / Python 3 and dependencies ...
Posted By BENOIT ROSTAGNI Nov 12, 2020 8:34 AM
Found In Egroup: IBM Security Resilient
1) The original function (fn_qradar_integration) collects data from a QRadar query, stores values to output and creates a data table. I will have one row for each result, like: Cyber_Detection_ID | 8179f649-c73a-4ee0-8710-5c2b856cf86a | Output results to be populated later 2) Another ...
Posted By BENOIT ROSTAGNI Nov 12, 2020 8:23 AM
Found In Egroup: IBM Security Resilient
Hi, The best way to do this is to use the QRadar integration in Resilient, which you can get from https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4, and follow the training https://www.securitylearningacademy.com/course/view.php?id=5309 to understand how it works. You can create ...