IBM QRadar SOAR

IBM QRadar SOAR

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
  • 1.  clone playbook with activation form

    Posted Mon October 24, 2022 04:26 AM
    I failed to copy those playbooks which have activation form. Is it a bug or not implemented yet?
    My soar versions are as follows:
       soar: 46.2
       resilient-sdk: 46.0.3461
    # resilient-sdk clone -pb playbook01 clone_playbook01
      :
    Traceback (most recent call last):
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3.py", line 745, in put
        response = super(SimpleClient, self).put(uri, payload, co3_context_token, timeout)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3base.py", line 634, in put
        BasicHTTPException.raise_if_error(response)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3base.py", line 80, in raise_if_error
        raise BasicHTTPException(response)
    resilient.co3base.BasicHTTPException: 'resilient' API Request FAILED:
    Response Code: 400
    Reason: Unknown Reason. {"success":false,"title":null,"message":"Playbook input form contains invalid field types: playbook_2fe9ed93_458c_4e7e_9093_ca76fc44a43a.","hints":[],"error_code":"generic"}
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/root/venv/soarqit/bin/resilient-sdk", line 33, in <module>
        sys.exit(load_entry_point('resilient-sdk==46.0.3461', 'console_scripts', 'resilient-sdk')())
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient_sdk/app.py", line 183, in main
        cmd_clone.execute_command(args)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient_sdk/cmds/clone.py", line 213, in execute_command
        add_configuration_import(new_export_data, CmdClone.res_client)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient_sdk/util/sdk_helpers.py", line 469, in add_configuration_import
        confirm_configuration_import(result, result.get("id"), res_client)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient_sdk/util/sdk_helpers.py", line 496, in confirm_configuration_import
        res_client.put(uri, result)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3.py", line 747, in put
        _raise_if_error(ex.get_response())
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3.py", line 218, in _raise_if_error
        raise SimpleHTTPException(response)
    resilient.co3.SimpleHTTPException: :  {"success":false,"title":null,"message":"Playbook input form contains invalid field types: playbook_2fe9ed93_458c_4e7e_9093_ca76fc44a43a.","hints":[],"error_code":"generic"}​


    ------------------------------
    Yohji Amano
    ------------------------------


  • 2.  RE: clone playbook with activation form

    Posted Tue October 25, 2022 08:36 AM
    Activation forms are unfortunately not yet supported by the SDK, however, they will be supported with the v47 release of the SDK (targeted for November). In the meantime, there is a workaround: remove the activation form from the original playbook. Use the SDK to clone that playbook, and then manually reenter the activation form on the original playbook and the cloned playbook.

    ------------------------------
    Christopher Chang
    ------------------------------



  • 3.  RE: clone playbook with activation form

    Posted Tue October 25, 2022 07:22 PM
    Christopher, thank you for your reply and suggestions.
    I'll wait for V47 and refer to the workaround for the time being.

    ------------------------------
    Yohji Amano
    ------------------------------