List of Contributions

BENOIT ROSTAGNI

My Content

Posted By BENOIT ROSTAGNI Fri February 23, 2024 08:04 AM
Found In Egroup: IBM Security QRadar SOAR
Usually, I have a second script with: incident.incident_type_ids = [u'my incident type'] that I run in the email rule, just after the generic email script. ------------------------------ BENOIT ROSTAGNI ------------------------------
Posted By BENOIT ROSTAGNI Mon January 15, 2024 09:45 AM
Found In Egroup: IBM Security QRadar SOAR
Use first line.
Posted By BENOIT ROSTAGNI Thu March 30, 2023 07:14 AM
Found In Egroup: Global Security Forum
Hi, going down this path works for integration automation in the case management (SOAR) of CP4S. 1) You should have a SOAR license associated with CP4S. 2) Download the SEP integration from IBM App Exchange https://exchange.xforce.ibmcloud.com/hub/extension/0e21239d8e6823054749d2f51d57c701 ...
Posted By BENOIT ROSTAGNI Thu April 28, 2022 01:23 PM
Found In Group: IBM Security QRadar SOAR Blogs
The purpose of this blog is to show how, from any integration that does artifact enrichment from the QRadar SOAR App Exchange, we can create a framework that will publish the right information in front of the Analyst. Enrichment can be visible in multiple places: Artifact Properties ...
Posted By BENOIT ROSTAGNI Tue March 22, 2022 09:58 AM
Found In Group: IBM Security QRadar SOAR Blogs
Many times, we have been asked for an SLA system in QRadar SOAR. There is none OOTB, but I have created a working example that could be a good start, to be updated to match your specific needs (speak to 5 customers, they all have 5 different ways to calculate and work SLAs). The solution given here is a self ...
Posted By BENOIT ROSTAGNI Fri November 19, 2021 12:26 PM
Found In Egroup: IBM Security QRadar SOAR
Hi, has anybody checked or done a procedure to get the status of Workflows and actions visible in the Playbook Utils tab? IBM Security App Exchange - Playbook Utils
Posted By BENOIT ROSTAGNI Wed November 17, 2021 01:11 PM
Found In Group: IBM Security QRadar SOAR Blogs
When developing new Playbooks you may wish to re-use the timer feature that existed on the Workflow. This feature does not exist (yet?) in the new Playbook design, but can be easily simulated, with more precise timing! You need: - The Utility Functions for SOAR application installed on ...
Posted By BENOIT ROSTAGNI Thu November 04, 2021 11:52 AM
Found In Egroup: IBM Security QRadar SOAR
Hi Pierre, 1) You can install Resilient Circuits on a local Linux (CentOS/RedHat) and run all the extract commands from there against your cloud-based solution. 2) It could be possible to use the new playbook design and run this playbook by automation on artifact, yes. I did not build it there, waiting ...
Posted By BENOIT ROSTAGNI Thu November 04, 2021 11:02 AM
Found In Egroup: IBM Security QRadar SOAR
Hi, we have an internal document to purge these queues. You must open a support ticket to get it. The action after is quick :) Regards
Posted By BENOIT ROSTAGNI Thu November 04, 2021 05:19 AM
Found In Egroup: IBM Security QRadar SOAR
Hi, not an expert on LDAP, and I do not have an AD at hand. You should open a support ticket to solve this, if you haven't solved it yourself since.
Posted By BENOIT ROSTAGNI Thu November 04, 2021 05:12 AM
Found In Library: IBM Security SOAR
Posted By BENOIT ROSTAGNI Thu November 04, 2021 05:12 AM
Found In Egroup: IBM Security QRadar SOAR
I have created this playbook to block all closing task actions until the "validation" by a manager is done. The blocking action could be moved to an authorized_action_actionname select (Yes/No/Unknown) field that is checked before running the action, and reset to Unknown after the action. ...
Posted By BENOIT ROSTAGNI Thu November 04, 2021 05:01 AM
Found In Egroup: IBM Security QRadar SOAR
Not a keyring expert, sorry. Potentially open a support ticket?
Posted By BENOIT ROSTAGNI Thu November 04, 2021 05:00 AM
Found In Egroup: IBM Security QRadar SOAR
Let me rephrase your problem (and tell me if I am wrong): You want to verify that no Artifact matches any Threat Source, and close the Incident after all Threat Sources have been checked, if none of them match. To achieve this, I will: Create an Artifact Hit field, either boolean or ...
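One way to model the state this answer describes, as an added example that is not code from the thread or from IBM's SOAR product: the per-artifact "Artifact Hit" field is represented as a three-state select with the assumed values "Unknown"/"Yes"/"No", next to a record of which threat sources have already reported, so that an artifact nobody has checked yet is never mistaken for a clean one. The field values, the threat-source names and the lookup results are constructed for the example; nothing here calls the SOAR API, and in a real deployment the lookup results would come from the threat-source integrations and the decision would run in a post-process script or playbook condition.

```python
"""Decision logic for closing an incident only after every artifact has been
checked against every threat source and none of them matched.

Added illustration in plain Python (runs offline). Assumed names: the
"Artifact Hit" select field with values "Unknown"/"Yes"/"No" and a
per-artifact set of threat sources that have reported back."""

from dataclasses import dataclass, field

# Assumed values of the "Artifact Hit" select field.
UNKNOWN, HIT, CLEAN = "Unknown", "Yes", "No"


@dataclass
class Artifact:
    value: str
    hit: str = UNKNOWN                              # the "Artifact Hit" field
    checked_by: set = field(default_factory=set)    # sources that reported


def record_lookup(artifact, source, matched, all_sources):
    """Apply one threat-source result to the artifact's hit field.

    A match is sticky: once an artifact is a hit it stays a hit whatever
    later sources say. "No" is only written once every source in
    all_sources has reported without a match, so an unchecked artifact is
    never confused with a clean one."""
    artifact.checked_by.add(source)
    if matched:
        artifact.hit = HIT
    elif artifact.hit != HIT and set(all_sources) <= artifact.checked_by:
        artifact.hit = CLEAN


def incident_decision(artifacts):
    """Return "escalate" if any artifact hit, "close" if every artifact is
    confirmed clean, otherwise "wait" (lookups still outstanding).

    An incident with no artifacts is left to the analyst ("wait") rather
    than closed, because nothing was actually checked."""
    if not artifacts:
        return "wait"
    if any(a.hit == HIT for a in artifacts):
        return "escalate"
    if all(a.hit == CLEAN for a in artifacts):
        return "close"
    return "wait"


def boolean_decision(artifacts):
    """The pitfall of a plain boolean field: a default of "not hit" is
    indistinguishable from "checked and clean", so an incident whose
    artifacts were never looked up already looks closable."""
    return "escalate" if any(a.hit == HIT for a in artifacts) else "close"


def simulate(artifact_values, events, all_sources):
    """Replay constructed lookup results and return the decision after each
    one. events: list of (artifact_value, source, matched)."""
    artifacts = {v: Artifact(v) for v in artifact_values}
    trace = []
    for value, source, matched in events:
        record_lookup(artifacts[value], source, matched, all_sources)
        trace.append((value, source, incident_decision(list(artifacts.values()))))
    return trace


if __name__ == "__main__":
    sources = ["ti_feed_a", "ti_feed_b"]          # constructed source names
    events = [                                     # constructed lookup results
        ("203.0.113.10", "ti_feed_a", False),
        ("evil.example", "ti_feed_a", False),
        ("203.0.113.10", "ti_feed_b", False),      # IP now confirmed clean
        ("evil.example", "ti_feed_b", True),       # domain hits on second feed
    ]
    for step in simulate(["203.0.113.10", "evil.example"], events, sources):
        print(step)
```

The `boolean_decision` function shows why a plain boolean field is not enough: its default reads as "clean", so the incident looks closable while lookups are still outstanding. The three-state check in `incident_decision` is what the auto-close condition would evaluate, and the sticky "Yes" means a later clean result from another feed cannot quietly undo a hit.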
Posted By BENOIT ROSTAGNI Thu November 04, 2021 04:59 AM
Found In Library: IBM Security SOAR
Posted By BENOIT ROSTAGNI Thu November 04, 2021 04:31 AM
Found In Egroup: IBM Security QRadar SOAR
Hi, like Ben, if you wish to get a copy of your prod with no incidents, I suggest you install a new SOAR, same version, and export all the configuration: Administrator > Organization > Export > select all, and import the timestamped .res file in your new dev. Second solution is to remove the ...
Posted By BENOIT ROSTAGNI Thu November 04, 2021 04:20 AM
Found In Egroup: IBM Security QRadar SOAR
If you want to extract attachments, or send attachments by email, or walk all incidents in the DB to extract all attachments (could be dangerous with malware), you could use the attachment REST endpoint (REST API call): access it via Help/Contact > API Tools to work with the REST API, then use a workflow, ...
Posted By BENOIT ROSTAGNI Thu November 04, 2021 04:06 AM
Found In Egroup: IBM Security QRadar SOAR
Using the RestAPI call from fn_utilities is a good catch by Ben Lurie, which I use when I just need to create a call and get the JSON results. If there is a need to do additional Python work, I use the fn_components. To send function variables to fn_components, please do like this example on a "checkpoint" ...
Posted By BENOIT ROSTAGNI Fri October 15, 2021 09:01 AM
Found In Egroup: IBM Security QRadar SOAR
Oops! Sorry guys, I was too quick when I answered. Thanks Ben :)
Posted By BENOIT ROSTAGNI Wed October 13, 2021 05:39 PM
Found In Egroup: IBM Security QRadar SOAR
I would not add a payload as an artifact. Payloads are usually made of a mix of information. I would add it in a Note, or in a Payload table. To get a payload, use the Search function from the QRadar functions for SOAR, creating an Ariel Query that returns the payload. In the post-process, write a ...