  • 1.  How to differentiate IP Address Source and IP Address Destination in IBM Resilient to send to MISP

    Posted Thu December 03, 2020 03:36 PM
    Hi,

    I integrated my IBM Resilient with MISP. When I send an IP Address artifact from an incident to an event, I have some problems. Some artifacts have Source or Destination and this information in MISP is crucial. However in the pre script I can't manipulate this parameter (there is only IP Address). How do I differentiate it?



    ------------------------------
    Vítor Fagundes Alves Nogueira
    ------------------------------


  • 2.  RE: How to differentiate IP Address Source and IP Address Destination in IBM Resilient to send to MISP

    Posted Fri December 04, 2020 09:26 AM
    If the artifact is an IP address the artifact variable contains additional information:

    artifact.ip.source
    artifact.ip.destination

    Those are set appropriately according to the artifact value.

    So you can do:

    if (artifact.ip.source == True)

    This is definitely not obvious.

    One technique I use to find stuff like this out is to write a small test script that prints the value of the variable:

    helper.fail(str(artifact))

    Which produces something like this:

    This shows all the possible data available.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
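    As an added example (not code from this thread or from the Resilient/MISP integration itself), the mapping a pre-process script can perform once the source/destination flags are read, written here as plain Python with a constructed stand-in for the platform's artifact object. The MISP attribute types ip-src and ip-dst and the to_ids key are real MISP attribute fields; the make_artifact helper and the comment text are assumptions for the example.

```python
from types import SimpleNamespace

# Constructed stand-in for the Resilient `artifact` script variable. The real
# object is supplied by the platform; this one only models the fields used here
# (value, type, and the ip.source / ip.destination flags named in the thread).
def make_artifact(value, source=False, destination=False, type_name="IP Address"):
    return SimpleNamespace(
        value=value,
        type=type_name,
        ip=SimpleNamespace(source=source, destination=destination),
    )


def misp_attribute_types(artifact):
    """Map an IP Address artifact's direction flags to MISP attribute types.

    Returns a list because an artifact flagged as both source and destination
    should become two MISP attributes. Raising when no direction is known
    mirrors the thread's helper.fail(str(artifact)) approach: surface the raw
    artifact rather than silently guessing a direction.
    """
    if artifact.type != "IP Address":
        raise ValueError("not an IP Address artifact: %r" % (artifact.type,))
    types = []
    if artifact.ip.source:
        types.append("ip-src")
    if artifact.ip.destination:
        types.append("ip-dst")
    if not types:
        raise ValueError("direction unknown, raw artifact: %s" % (artifact,))
    return types


def build_misp_attributes(artifact, comment=""):
    """Build the attribute dicts a MISP client would add to an event.

    Keys follow the MISP attribute JSON (type, value, comment, to_ids). to_ids
    is left False so a freshly shared indicator is not auto-promoted to
    detection/blocking on the receiving side without analyst review.
    """
    return [
        {"type": t, "value": artifact.value, "comment": comment, "to_ids": False}
        for t in misp_attribute_types(artifact)
    ]
```

The constructed addresses below are documentation ranges, not real indicators.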



  • 3.  RE: How to differentiate IP Address Source and IP Address Destination in IBM Resilient to send to MISP

    Posted Mon December 07, 2020 09:02 AM
    See this post here by @BENOIT ROSTAGNI:

    https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=097b86f6-599e-42e1-9721-4e1701678910&CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e&tab=digestviewer#bm097b86f6-599e-42e1-9721-4e1701678910

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------