IBM QRadar SOAR

  • 1.  Output key-value pairs value to Note in single Note dialog box

    Posted Mon April 01, 2024 09:19 PM

    Does anyone have experience extracting key-value pairs to the Note field? I am using the output script below. It is able to output the key-value pairs, but it creates a new Note for each key-value pair. Is there a way I can have all the key-value pairs output in the same Note instead of multiple Notes?

    Rest API Result:
    json': {'vulnerabilities': [{'count': 1, 'plugin_family': 'Windows', 'plugin_id': 163974, 'plugin_name': 'Security Updates for Microsoft .NET Core (August 2022)', 'vulnerability_state': 'Active', 'vpr_score': 4.4, 'severity': 2, 'accepted_count': 0, 'recasted_count': 0, 'counts_by_severity': [{'count': 1, 'value': 2}], 'cvss_base_score': 5.4, 'cvss3_base_score': 5.9}, {'count': 1, 'plugin_family': 'Windows : Microsoft Bulletins', 'plugin_id': 165076, 'plugin_name': 'Security Updates for Microsoft ASP.NET Core (September 2022)', 'vulnerability_state': 'Active', 'vpr_score': 4.4, 'severity': 3, 'accepted_count': 0, 'recasted_count': 0, 'counts_by_severity': [{'count': 1, 'value': 3}], 'cvss_base_score': 7.8, 'cvss3_base_score': 7.5}, {'count': 1, 'plugin_family': 'Windows', 'plugin_id': 165077, 'plugin_name': 'Security Updates for Microsoft .NET Core (September 2022)', 'vulnerability_state': 'Active', 'vpr_score': 4.4, 'severity': 3, 'accepted_count': 0, 'recasted_count': 0, 'counts_by_severity': [{'count': 1, 'value': 3}], 'cvss_base_score': 7.8, 'cvss3_base_score': 7.5}, {'count': 1, 'plugin_family': 'Windows', 'plugin_id': 166054, 'plugin_name': 'Security Updates for Microsoft .NET Core (October 2022)', 'vulnerability_state': 'Active', 'vpr_score': 7.4, 'severity': 3, 'accepted_count': 0, 'recasted_count': 0, 'counts_by_severity': [{'count': 1, 'value': 3}], 'cvss_base_score': 6.8, 'cvss3_base_score': 7.8}, {'count': 1, 'plugin_family': 'Windows : Microsoft Bulletins', 'plugin_id': 166555, 'plugin_name': 'WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck)', 'vulnerability_state': 'Active', 'vpr_score': 8.9, 'severity': 3, 'accepted_count': 0, 'recasted_count': 0, 'counts_by_severity': [{'count': 1, 'value': 3}], 'cvss_base_score': 7.6, 'cvss3_base_score': 7.8}, {'count': 1, 'plugin_family': 'Windows', 'plugin_id': 168747, 'plugin_name': 'Security Updates for Microsoft .NET Core (December 2022)', 'vulnerability_state': 
'Active', 'vpr_score': 6.7, 'severity': 3, 'accepted_count': 0, 'recasted_count': 0, 'counts_by_severity': [{'count': 1, 'value': 3}], 'cvss_base_score': 7.2, 'cvss3_base_score': 7.8}}

    Output Script:

    import json
    results = playbook.functions.results.rest_response
    data = results.content.json
    key_value_list = []
    for vulnerability in data['vulnerabilities']:
        key_value_pairs = [
            f"plugin_name: {vulnerability['plugin_name']}",
            f"severity: {vulnerability['severity']}",
            f"cvss_base_score: {vulnerability['cvss_base_score']}"
        ]
        key_value_list.append(key_value_pairs)
    for key_values in key_value_list:
        incident.addNote(', '.join(key_values))

    Sample Output from the script:

    Note Dialog Box #1
    plugin_name: Windows Speculative Execution Configuration Check, severity: 2, cvss_base_score: 5.4

    Note Dialog Box #2
    plugin_name: Windows Speculative Execution Configuration Check, severity: 2, cvss_base_score: 5.4

    Note Dialog Box #3
    plugin_name: Security Update for Microsoft .NET Core (January 2024), severity: 4, cvss_base_score: 10.0

    Is there a way I can have all the key-value pairs output to one Note dialog box, as below?
    Note:

    plugin_name: Windows Speculative Execution Configuration Check, severity: 2, cvss_base_score: 5.4
    plugin_name: Windows Speculative Execution Configuration Check, severity: 2, cvss_base_score: 5.4
    plugin_name: Security Update for Microsoft .NET Core (January 2024), severity: 4, cvss_base_score: 10.0

    Thanks,



    ------------------------------
    Ray Tam
    ------------------------------


  • 2.  RE: Output key-value pairs value to Note in single Note dialog box
    Best Answer

    Posted Tue April 02, 2024 08:27 AM

    Hi there -

    So each time that you call incident.addNote, a Note will be created on the incident. In order to combine your notes into one, you'd have to combine the content into one string and then call incident.addNote just once.

    Something like this will probably do the trick:

    import json
    results = playbook.functions.results.rest_response
    data = results.content.json
    key_value_list = []
    for vulnerability in data['vulnerabilities']:
        key_value_pairs = [
            f"plugin_name: {vulnerability['plugin_name']}",
            f"severity: {vulnerability['severity']}",
            f"cvss_base_score: {vulnerability['cvss_base_score']}"
        ]
        key_value_list.append(key_value_pairs)
    
    # create a string to concatenate each line of the note
    note_text = ""
    for key_values in key_value_list:
        note_text += ', '.join(key_values) + "\n" # add a new line here to separate each item
    
    incident.addNote(note_text)


    ------------------------------
    Bo Bleckel
    ------------------------------
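
The approach from the answer above, as an added example that is not part of the original thread: the note text is built in one function and `addNote` is called exactly once. It goes slightly beyond the thread by sorting on severity, tolerating missing fields and capping the number of rows. `build_note`, `run`, `FakeIncident`, `max_rows` and the sample data are hypothetical names and constructed values; in a real playbook script the platform supplies `incident`.

```python
# Added example: offline stand-in for the SOAR script environment.
SAMPLE = {  # constructed sample, shaped like the REST result in the question
    "vulnerabilities": [
        {"plugin_name": "Security Updates for Microsoft .NET Core (August 2022)",
         "severity": 2, "cvss_base_score": 5.4},
        {"plugin_name": "Security Updates for Microsoft ASP.NET Core (September 2022)",
         "severity": 3, "cvss_base_score": 7.8},
        {"plugin_name": "Constructed entry without a CVSS score", "severity": 3},
    ]
}

FIELDS = ("plugin_name", "severity", "cvss_base_score")


def build_note(data, fields=FIELDS, max_rows=50):
    """Return one note string: one line per vulnerability, highest severity first."""
    vulns = data.get("vulnerabilities") or []
    if not vulns:
        return "No vulnerabilities returned."
    # sorted() is stable, so entries with equal severity keep their API order
    ordered = sorted(vulns, key=lambda v: v.get("severity") or 0, reverse=True)
    lines = [
        ", ".join(f"{name}: {v.get(name, 'n/a')}" for name in fields)
        for v in ordered[:max_rows]
    ]
    if len(ordered) > max_rows:
        lines.append(f"... {len(ordered) - max_rows} more not shown")
    return "\n".join(lines)


class FakeIncident:
    """Hypothetical stub: records addNote calls so the note count can be checked."""
    def __init__(self):
        self.notes = []

    def addNote(self, text):
        self.notes.append(text)


def run(data, incident):
    incident.addNote(build_note(data))  # single call, so a single Note
    return incident.notes


if __name__ == "__main__":
    print(run(SAMPLE, FakeIncident())[0])
```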



  • 3.  RE: Output key-value pairs value to Note in single Note dialog box

    Posted Tue April 02, 2024 10:56 AM

    Hi Bo,

    Thank you!  I tried your suggested solution, and it works exactly the way expected.



    ------------------------------
    Ray Tam
    ------------------------------